How To Use Pool Passwords And Ccb

How to Use Pool Passwords and CCB

In the following scenario, you're running a submit node (collector, negotiator, schedd) on a local machine you control, and starting virtual machines on a cloud to provide cycles to your pool. We assume those VMs are behind a NAT -- that is, they have outbound but not inbound connectivity. We will configure these startds to use CCB (to allow full communications) and a pool password (for security).

In this scenario, a pool password is useful because it allows nodes to participate in secure communications without establishing any particular individual identity. Since you'll be creating many identical instances of your VM, this can very much simplify management. Conversely, you will be storing the (encrypted) pool password on the VM's disk, so anyone who can access your VM can simply run it in order to join your pool.

You may need to enable UDP in your firewall to make this configuration work, even if you have USE_TCP_UPDATES set.

You should not enable CCB (that is, set CCB_ADDRESS) on the submit node. This will cause file transfer to fail.

Further Assumptions

We will assume that your submit node is 'cloudtest.example', and it permits inbound connections on TCP and UDP ports 20,000 to 30,000.

Execute Node

CONDOR_HOST = cloudtest.example
# Daemons using the pool password authenticate as the 'condor_pool' user.
ALLOW_WRITE = condor_pool@*
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD, FS
# Generate this file w/ 'condor_store_cred -f /path/to/password/file'.
# It should be owned by root and mode 0400.
SEC_PASSWORD_FILE = /etc/condor/password_file
SEC_DEFAULT_ENCRYPTION = REQUIRED
SEC_DEFAULT_INTEGRITY = REQUIRED
HIGHPORT = 30000
LOWPORT = 20000
COLLECTOR_HOST=$(CONDOR_HOST):29660
CCB_ADDRESS = $(COLLECTOR_HOST)

Submit Node

CONDOR_HOST = $(FULL_HOSTNAME)
ALLOW_WRITE = condor_pool@*/*
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD, FS
SEC_PASSWORD_FILE = /etc/condor/password_file
# Ensures that you can submit jobs.
QUEUE_SUPER_USERS = condor, condor_pool
SEC_DEFAULT_ENCRYPTION = REQUIRED
SEC_DEFAULT_INTEGRITY = REQUIRED
HIGHPORT = 30000
LOWPORT = 20000
COLLECTOR_HOST=$(CONDOR_HOST):29660