From: Mary Thompson (mrthompson@lbl.gov)
Date: Wed Apr 17 2002 - 11:08:39 PDT
I think the basic answer to this is that the GRAM protocol does not
support this. That protocol relies on end-to-end identity verification
which NAT breaks. The only way to make it work is what you have done.
Direct the stdout and stderr to a file on the server machine and then
use GSIFTP in passive mode to pull it back.
The one thing we can do about this is to be sure that the Globus folks
have our input that this is important to deal with in the OGSA design
which is now in progress. Clients that are behind NAT firewalls would
seem to be a problem that is here to stay as exemplified in hotels and
personal machines at home. Do any of the server site firewalls do
NATing?
Mary
Qian Peng wrote:
>
> When a globus client uses globusrun to submit a job to a server, the
> server tries to write back to client's stdout using client's
> hostname:port. An error code of 73 will be given if the server cannot
> find a route to the client or the port is blocked. For our demo case,
> the ports specified by GLOBUS_TCP_PORT_RANGE are opened through the
> firewall.
>
> When the client is on a local network with an IP number like 10.x.x.x,
> but can connect to the outside through a switch or the like, the server
> cannot find the route to the client host. This can happen in at least
> two scenarios for the demo,
>
> 1. When the hotel at the demo site (TTF) gave us a T1 line, we plugged
> it in and were directed to a web site to make the connection. The IP
> assigned to the host was 10.1.x.x. If we go outside of this local
> network, the host is being seen as coming from a fixed real IP of that
> internet service company.
>
> 2. If we only get one cable modem connection (one IP) for the next demo
> (Sherwood), but we need to put two computers on the network, we need to
> use a router and use DHCP to give out the IPs. Both computers will end
> up with a private IP like 10.x.x.x. Again the internet sees them as from
> that one IP given from the cable service company.
>
> Is there a work around for the client? This is a question to the Globus
> people, but if anyone has any suggestions?
>
> -Qian
--
Mary R. Thompson <MRThompson@lbl.gov>
Distributed Security Research Group (510) 486-7408
Lawrence Berkeley National Lab http://www-itg.lbl.gov/~mrt
This archive was generated by hypermail 2.1.4 : Thu Apr 18 2002 - 12:58:19 PDT
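An added illustration, not part of the original messages and not Globus code: a client-side pre-flight check for the callback problem described in the thread, which reports whether the address the client would advertise for stdout/stderr callbacks can be reached by the server. The function names, the sample addresses and the assumed "min,max" format of GLOBUS_TCP_PORT_RANGE are assumptions made for the example.

```python
import ipaddress

# RFC 1918 private ranges: a server on the public Internet has no route to these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_port_range(value):
    """Parse a GLOBUS_TCP_PORT_RANGE-style value (assumed 'min,max' or 'min max')."""
    parts = value.replace(",", " ").split()
    if len(parts) != 2:
        raise ValueError("expected two ports, got %r" % value)
    lo, hi = int(parts[0]), int(parts[1])
    if not 0 < lo <= hi <= 65535:
        raise ValueError("invalid port range %d-%d" % (lo, hi))
    return lo, hi


def is_rfc1918(addr):
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def diagnose_callback(advertised, seen_by_server, port_range):
    """Classify whether a server-to-client callback can work.

    advertised     -- address the client host believes it has
    seen_by_server -- source address the server observes for the client
    port_range     -- GLOBUS_TCP_PORT_RANGE-style string (assumed format)
    Returns (status, detail); status is 'ok', 'unroutable' or 'nat'.
    """
    lo, hi = parse_port_range(port_range)
    if is_rfc1918(advertised):
        return ("unroutable",
                "%s is a private address; the server cannot route back to it, "
                "so write stdout/stderr to a server-side file and pull it back"
                % advertised)
    if advertised != seen_by_server:
        return ("nat",
                "server sees %s, client advertises %s; the end-to-end "
                "identity check cannot match" % (seen_by_server, advertised))
    return ("ok", "callback to %s on ports %d-%d is routable if the firewall "
                  "opens that range" % (advertised, lo, hi))


# Constructed sample values (203.0.113.0/24 is a documentation range).
HOTEL_CASE = diagnose_callback("10.1.2.3", "203.0.113.7", "40000,40100")
DIRECT_CASE = diagnose_callback("203.0.113.7", "203.0.113.7", "40000 40100")
```
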