FWIW, I still run a firewall on my compute nodes. The firewall is open to any
traffic from other compute nodes or the head node, but blocks traffic from
elsewhere on our network (unfortunately, we don't have a dedicated network for
our cluster environment). Here are my notes from my install of SLURM 16.05 on
CentOS 7 in hopes that they are helpful.
- head node
- NOTE: port 6817/tcp is for slurmctld, port 6819/tcp is for slurmdbd
- NOTE: opening to anything from cluster nodes, so that srun works (per Moe
Jette's comment in the link you sent)
- sudo firewall-cmd --add-rich-rule='rule family="ipv4" source
address="a.b.c.d/XX" accept'
- sudo firewall-cmd --runtime-to-permanent
- compute nodes
- NOTE: port 6818/tcp is for slurmd
- NOTE: opening to anything from cluster nodes makes it simpler to work
with MPI, although it
should be possible to configure specific port ranges in
/etc/openmpi-x86_64/openmpi-mca-params.conf
- sudo firewall-cmd --add-rich-rule='rule family="ipv4" source
address="a.b.c.d/XX" accept'
- sudo firewall-cmd --runtime-to-permanent
-----Original Message-----
From: Christopher Benjamin Coffey [mailto:chris.cof...@nau.edu]
Sent: Thursday, October 27, 2016 10:14 AM
To: slurm-dev <slurm-dev@schedmd.com>
Subject: [slurm-dev] Re: Requirement of no firewall on compute nodes?
Hi Ole,
I don’t see a reason for a firewall to exist on a compute node, is it a
requirement on your new cluster? If not, disable it. I don’t see Moe’s
statement as saying that you can’t have a firewall, just that if there is one,
you should open it up to allow all slurm communication.
Best,
Chris
—
Christopher Coffey
High-Performance Computing
Northern Arizona University
928-523-1167
On 10/27/16, 5:58 AM, "Ole Holm Nielsen" <ole.h.niel...@fysik.dtu.dk> wrote:
In the process of developing our new cluster using Slurm, I've been
bitten by the firewall settings on the compute nodes preventing MPI jobs
from spawning tasks on remote nodes.
I now believe that Slurm actually has a requirement that compute nodes
must have their Linux firewall disabled. I haven't been able to find
any hint of this requirement in the official Slurm documentation. I did
find an old slurm-devel posting by Moe Jette (pretty authoritative!) in 2010
https://groups.google.com/forum/#!topic/slurm-devel/wOHcXopbaXw
saying:
> Other communications (say between srun and the spawned tasks) are
intended to operate within a cluster
> and have no port restrictions. If there is a firewall between nodes in
your cluster (at least as a "cluster" is
> configured in SLURM), then logic would need to be added to SLURM to
provide the functionality you describe.
Can anyone confirm that Moe's statement is still valid with the current
Slurm version?
Conclusion: Compute nodes must have their Linux firewall disabled.
Thanks,
Ole
