Port Use

From UniCluster

Configuring Service Port Use

UniCluster Express includes components that enable users to securely initiate and manage jobs, move data between resources, and query resources to determine their availability. Each component has its own network traffic characteristics which must be considered when deploying UniCluster Express at a site with a firewall.

Several UniCluster Express components use default port settings, which can be configured during installation. Most of these are well-known ports. The default ports used by UniCluster Express components are:

  • 2222 used by GSI-OpenSSH
  • 2811 used by GridFTP
  • 5432 used by PostgreSQL
  • 7512 used by MyProxy/Auto-CA
  • 8443 used by the service container
  • 6444 used by the Grid Engine qmaster daemon
  • 6445 used by the Grid Engine execd daemon
  • 8649 used by the Ganglia gmond daemon
  • 8651 used by the Ganglia gmetad XML daemon
  • 8652 used by the Ganglia gmetad query daemon
In addition to these ports, many UniCluster Express components use ephemeral ports, that is, non-deterministic ports assigned by the system in the unprivileged port range (> 1024). Controllable ephemeral ports can be restricted to a specific range.

UniCluster Express is composed of components written in C and Java, and each language has a different method of controlling these ephemeral port ranges.

Controlling Port Use in Components Written in C

To control UniCluster Express services written in C, set the environment variable GLOBUS_TCP_PORT_RANGE. GLOBUS_TCP_PORT_RANGE is formatted as follows:

 [root@host ~]# export GLOBUS_TCP_PORT_RANGE=min,max

where min,max are the minimum and maximum port numbers; this forces the libraries to select port numbers for controllable ports within the specified range, allowing anonymous listener ports to be restricted.

The environment variable GLOBUS_TCP_PORT_RANGE_STATE_FILE is used in conjunction with GLOBUS_TCP_PORT_RANGE behind stateful firewalls, so that the last port used is shared among applications. The last port number used, plus one, is the next port handed out within the specified TCP port range. GLOBUS_TCP_PORT_RANGE_STATE_FILE is set as follows:

 [root@host ~]# export GLOBUS_TCP_PORT_RANGE_STATE_FILE=/tmp/port_state

where port_state is the file in which the port number is written; this file is created if it does not exist.

An additional environment variable, GLOBUS_TCP_SOURCE_RANGE, is used to restrict the local source ports of outgoing connections. GLOBUS_TCP_PORT_RANGE can be set in inetd or xinetd. To set GLOBUS_TCP_PORT_RANGE in inetd, change the line that starts the service so that /bin/env sets GLOBUS_TCP_PORT_RANGE before the server is started. For example:

 gsiftp stream tcp nowait root /bin/env env GLOBUS_TCP_PORT_RANGE=40000,45000 /path/to/uniclusterexpress/sbin/in.ftpd -l -a

where 40000,45000 is replaced with the actual port range and /path/to/uniclusterexpress is replaced with the path to the UniCluster Express installation. The repeated env is intentional: inetd passes the first argument after the server program as that program's name.

For xinetd, add a line to the service script, located in /etc/xinetd.d. For example, for the GridFTP service:

    service univa-gridftp
    {
      instances        = 100
      socket_type      = stream
      wait             = no
      user             = root
      env              += GLOBUS_LOCATION=/usr/local/express
      env              += GLOBUS_GSI_CRED_PERMISSION_CHECK=0
      env              += X509_USER_CERT=/usr/local/unicluster/etc/gridftp_cert.pem
      env              += X509_USER_KEY=/usr/local/unicluster/etc/gridftp_key.pem
      env              += X509_CERT_DIR=/usr/local/unicluster/share/certificates
      env              += LD_LIBRARY_PATH=/usr/local/express/lib
      env              += GLOBUS_TCP_PORT_RANGE=40000,45000
      server           = /usr/local/express/sbin/globus-gridftp-server
      server_args      = -i -S -p 2811
      log_on_success   += DURATION
      nice             = 10
      port             = 2811
      type             = unlisted
      disable          = no
    }

where 40000,45000 is replaced by the actual port range.
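As an added check (example code, not from the UniCluster documentation), the script below parses a GLOBUS_TCP_PORT_RANGE value the way the text describes it, then compares a constructed `ss -ltn` listing against the default ports listed above plus that range, reporting any listener a firewall configured from this page would not expect. The 40000,45000 range is taken from the inetd example; the listing is made up for illustration.

```python
import re

# Default service ports listed on this page (port -> component).
DEFAULT_PORTS = {
    2222: "GSI-OpenSSH", 2811: "GridFTP", 5432: "PostgreSQL",
    7512: "MyProxy/Auto-CA", 8443: "service container",
    6444: "Grid Engine qmaster", 6445: "Grid Engine execd",
    8649: "Ganglia gmond", 8651: "Ganglia gmetad XML",
    8652: "Ganglia gmetad query",
}

def parse_port_range(value):
    """Parse 'min,max' from GLOBUS_TCP_PORT_RANGE; reject malformed, inverted
    or privileged (<= 1024) ranges instead of silently widening the range."""
    m = re.fullmatch(r"\s*(\d+)\s*,\s*(\d+)\s*", value)
    if not m:
        raise ValueError("expected 'min,max', got %r" % value)
    lo, hi = int(m.group(1)), int(m.group(2))
    if not 1024 < lo <= hi <= 65535:
        raise ValueError("invalid port range %d,%d" % (lo, hi))
    return lo, hi

def listening_ports(ss_output):
    """Local ports from 'ss -ltn' style output; the first line is the header."""
    ports = set()
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4:            # State Recv-Q Send-Q Local:Port ...
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def unexpected_listeners(ss_output, port_range):
    """Listeners that are neither a documented default nor inside the range."""
    lo, hi = parse_port_range(port_range)
    return sorted(p for p in listening_ports(ss_output)
                  if p not in DEFAULT_PORTS and not lo <= p <= hi)

# Constructed sample listing, not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:2811       0.0.0.0:*
LISTEN 0      128    0.0.0.0:7512       0.0.0.0:*
LISTEN 0      128    [::]:8443          [::]:*
LISTEN 0      128    0.0.0.0:40017      0.0.0.0:*
LISTEN 0      128    0.0.0.0:46001      0.0.0.0:*
"""

if __name__ == "__main__":
    for port in unexpected_listeners(SAMPLE_SS, "40000,45000"):
        print("port %d is outside the documented ports and range" % port)
```

On a real host, feed the output of `ss -ltn` to unexpected_listeners with the range you configured; a non-empty result means either an undocumented service or a component that did not pick up GLOBUS_TCP_PORT_RANGE.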

Controlling Port Use in Components Written in Java

Java-based component ports are controlled by the tcp.port.range system property. This sets the ports used for incoming connections in the same manner as GLOBUS_TCP_PORT_RANGE. The value of tcp.port.range can be set by:

1. Passing it on the command line:

 [root@host ~]# java -Dtcp.port.range=5000,6000

2. Specifying it in the application directly:

 System.setProperty("tcp.port.range", "5000,6000");

In these examples, 5000,6000 is replaced by the actual port range.
