Steve White wrote:
Charles,

Your diagnosis is abundantly confirmed.

I removed my iptables rule, and ran Art's job

         time globusrun-ws -submit -s -F <<servername>> -c /bin/true

I observed that job submissions from remote clients experienced a 30-second
timeout, in addition to an 8 sec normal completion time. Clients inside our local network saw no timeout.

Then I looked in our (AstroGrid-D standard) /etc/init.d/gsiftp file, and saw
       log_on_success += DURATION USERID
       log_on_failure += USERID
So I commented these out, and restarted the xinetd daemon.

The timeout disappeared.

Thank you for resolving this messy old problem for us!

The questions remain:

* Why does a simple job submission like the above use gsiftp?

To move the output of the executable back to the client (-s).
Remove the -s and no gsiftp will be used. But then no output of the
executable will be transferred back to the client (which is not
needed anyway if you run /bin/true).
I described it a bit earlier in this thread:
http://www.globus.org/mail_archive/gt-user/2008/07/msg00196.html
I'll add some documentation about that to our docs later.

Martin

* What was the original intent of these log lines?
* Can the desired effect of the log lines be had some other way?

Cheers!

On 22.07.08, Charles Bacon wrote:
On Jul 22, 2008, at 10:55 AM, Steve White wrote:

Charles,

On 21.07.08, Charles Bacon wrote:
Interesting - I remember some discussion like that on this list, I
think, but what does that rule achieve?

This is part of the AstroGrid-D documentation (I think I added it)

http://www.gac-grid.org/project-products/grid-support/grid-installation.html#gsiftp

As to where it came from, I haven't yet heard from Thomas, but I found
a discussion in which he took part (in German) on the internal GACG WG1
mailing list, dated 3 Sep. 2007.

Thomas says there that he was able to watch the TCP traffic during some grid exchanges, and that (in particular) GridFTP tries to connect with an 'identd' server, which, in case of a firewall, results in a dropped packet
and usually a 30-second timeout.

He then goes on to say that he thinks he saw the iptables rule in a firewall document, probably on the Globus website. I haven't located that document.

Anyway, the iptables rule solved Art's problem, as well as ours.

Okay - I think the iptables might be fixing a problem which is self-created by the xinetd entries installed. GridFTP doesn't do ident lookups/callbacks by itself. It is only if you have lines like:

       on_success = HOST, USERID

in the xinetd configuration file - that tells xinetd to make the ident request so it can put the result in syslog. Removing those lines is probably an easier solution than putting them in the xinetd entry and then adding a firewall rule to make them time out very quickly.


Charles
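
An added example, not part of the thread and not Globus or AstroGrid-D code: a small Python check that reads xinetd configuration text and reports the services whose effective log_on_success / log_on_failure flags include USERID, the option that makes xinetd issue the ident request discussed above. The sample configuration is constructed, and the way defaults are combined with service entries is a simplified assumption about xinetd's inheritance.

```python
import re

# Constructed sample, modelled on the log_on_* lines quoted in the thread.
SAMPLE = """\
defaults
{
    log_on_success = HOST PID
}
service gsiftp
{
    socket_type    = stream
    log_on_success += DURATION USERID
    log_on_failure += USERID
}
service echo
{
    log_on_success = HOST
}
"""

LOG_ATTRS = ("log_on_success", "log_on_failure")
BLOCK = re.compile(r"^\s*(?:defaults|service\s+(\S+))\s*\{(.*?)^\s*\}", re.S | re.M)
ATTR = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)[ \t]*(.*?)\s*$", re.M)


def _merge(flags, attrs):
    """Apply a block's =, += and -= assignments to a copy of the log flags."""
    flags = {a: set(v) for a, v in flags.items()}
    for name, op, value in attrs:
        if name in LOG_ATTRS:
            vals = set(value.replace(",", " ").split())
            flags[name] = vals if op == "=" else (
                flags[name] | vals if op == "+=" else flags[name] - vals)
    return flags


def ident_lookups(conf_text):
    """Map each service to the log attributes whose effective flags include USERID."""
    text = re.sub(r"#.*", "", conf_text)  # drop comments
    blocks = [(m.group(1), ATTR.findall(m.group(2))) for m in BLOCK.finditer(text)]
    defaults = {a: set() for a in LOG_ATTRS}
    for service, attrs in blocks:  # assumption: defaults apply wherever they appear
        if service is None:
            defaults = _merge(defaults, attrs)
    found = {}
    for service, attrs in blocks:
        if service is not None:
            hits = [a for a in LOG_ATTRS if "USERID" in _merge(defaults, attrs)[a]]
            if hits:
                found[service] = hits
    return found


if __name__ == "__main__":
    print(ident_lookups(SAMPLE))
```

Run it over the concatenated contents of /etc/xinetd.conf and the files under /etc/xinetd.d to list the services that would trigger an ident callback to connecting clients.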


