On Jul 23, 2008, at 3:40 AM, Harry Enke wrote:
The configuration of the gsiftp follows the globus-admin guide:
http://www.globus.org/toolkit/docs/2.4/admin/guide-startup.html#gridftp
and as I understand, it's part of (passive) ftp implementation to
call the process involving the authd/identd. The firewall rule
rejects this call instead of waiting for the timeout (on RHEL t=60
sec).
The lines:
log_on_success += DURATION USERID
log_on_failure += USERID
have been removed in subsequent admin guides because they were found
to have this effect. It is not part of the FTP protocol; this is
strictly a xinetd helper feature.
You should just turn that off in the GridFTP xinetd.d entry rather
than firewalling it. It's not particularly useful, and many places
will drop you into a firewall black hole, causing it to time out,
which adds the kind of latencies you're seeing to GridFTP operations.
Does this indicate that the gsiftp-implementations do not call the
authd anyway?
Right.
Which is not to say you will get down to gsissh levels of speed,
but it's probably an easier solution to propagate to other sites
than asking them to change their firewall settings.
It's just changing the rule on the globus-nodes, not the
organisation's firewall rules.
If you feel that it's useful to change the globus-settings here,
please do so in the admin-guide, so others might as well profit from
this discussion.
2.4 is well out of our support policy, but I have made this change
anyway.
(BTW: if an app needs a substantial share of its whole process time
connecting, it's not really fit to run on the grid.)
Yes. That's why we stopped recommending the extra xinetd logging. :-)
Charles
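
An added example, not part of the original thread: a small audit that reports which xinetd services still have USERID in their effective log_on_success / log_on_failure values, which is the setting that makes xinetd attempt the ident (RFC 1413) lookup discussed above. The function name, the sample services and the placeholder server path are constructed for illustration, and the code assumes "+=" and "-=" modify the values inherited from the defaults block.

```python
import re

# Constructed xinetd input modelled on the thread; paths are placeholders.
SAMPLE = """\
defaults
{
    log_on_success = HOST PID
    log_on_failure = HOST
}
service gsiftp
{
    socket_type    = stream
    server         = /path/to/gridftp-server
    log_on_success += DURATION USERID
    log_on_failure += USERID
}
service gsiftp-fixed
{
    server         = /path/to/gridftp-server
    log_on_success += DURATION
}
"""

LOG_ATTRS = ("log_on_success", "log_on_failure")
ASSIGN = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")

def userid_logging(text):
    """Map each service to the log attributes whose effective value has USERID."""
    defaults = {a: set() for a in LOG_ATTRS}
    findings, name, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "{":
            continue
        if line == "defaults" or line.startswith("service "):
            name = line.split()[-1]
            current = {a: set(defaults[a]) for a in LOG_ATTRS}  # inherit defaults
        elif line == "}" and name is not None:
            if name == "defaults":
                defaults = current
            else:
                findings[name] = sorted(a for a in LOG_ATTRS if "USERID" in current[a])
            name = None
        elif name is not None and (m := ASSIGN.match(line)) and m.group(1) in LOG_ATTRS:
            attr, op, words = m.group(1), m.group(2), set(m.group(3).split())
            current[attr] = (words if op == "=" else
                             current[attr] | words if op == "+=" else
                             current[attr] - words)
    return findings
```

A service mapped to an empty list has no USERID logging left; concatenating /etc/xinetd.conf with the files under /etc/xinetd.d and passing the result in gives the same view for a real node.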