CHTC / dask-chtc

Spawn Dask workers in the CHTC HTCondor pool
https://dask-chtc.readthedocs.io

Secure communications #4

Closed JoshKarpel closed 4 years ago

JoshKarpel commented 4 years ago

By default, Dask communicates over TCP, which is not secure. We need to switch to TLS for all communications. This will involve shipping some certificate files around, altering the container entrypoint (#2) to use those certificates, and (most likely) generating those certificates at the scheduler if they don't already exist.

JoshKarpel commented 4 years ago

It turns out there's something that's so close to what we want: https://distributed.dask.org/en/latest/tls.html#distributed.security.Security.temporary . But it's not compatible with Dask-Jobqueue, because it doesn't write the certs to disk, so you just end up trying to pass the body of the cert inside the job arguments, which doesn't work out very well. So close to greatness... maybe something to poke at upstream.

At CHTC, we could (in principle, I guess I don't know whether this is a good idea) add an option to Security.temporary() to write certs to /staging. Then Dask-Jobqueue would just pass the paths through the command line instead of us having to do it manually and everyone would be happy. The joys of shared filesystems...

In the meantime, we'll generate the certs ourselves and ship them around using HTCondor file transfer.
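As an added example (not dask-chtc's or Dask's own code), here is the "generate the certs ourselves and ship them around" step from the comment above, done with the openssl CLI (1.1.1 or newer is assumed for the config-driven extensions). It creates a throw-away CA plus one scheduler and one worker certificate on disk, verifies that the leaf certificates chain to the CA, and writes an HTCondor submit description that moves only the worker's material (ca.pem, worker.pem, worker.key, never ca.key) with the job via `transfer_input_files`. The `dask-worker --tls-ca-file/--tls-cert/--tls-key` options are real; the `entrypoint.sh` executable, the `tls://...:8786` scheduler address and the `DNS:localhost` SAN are placeholders I chose, not anything from the project. Dask's TLS layer verifies the certificate chain but not the hostname by default, so the SAN is there only so that nothing has to be regenerated if hostname checking is turned on later.

```shell
#!/bin/sh
# Added example for this issue thread, not dask-chtc or Dask code.
# Generates a private CA plus scheduler and worker certificates with the
# openssl CLI, written to disk so HTCondor file transfer can ship them and
# dask-worker can be pointed at them by path.
set -eu
umask 077   # private keys are 0600 from the moment they are written

# openssl config shared by the CA and the leaf certificates.
# DNS:localhost is a placeholder SAN, not a real CHTC hostname.
write_openssl_cfg() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = dask-chtc-temporary-ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:localhost
EOF
}

# make_dask_certs DIR: writes ca.pem/ca.key and, for each role, ROLE.pem and
# ROLE.key signed by that CA. ca.key is only ever needed on the submit host.
make_dask_certs() {
  outdir="$1"
  mkdir -p "$outdir"
  cfg="$outdir/openssl.cnf"
  write_openssl_cfg "$cfg"
  openssl req -x509 -config "$cfg" -extensions ca_ext \
    -newkey rsa:2048 -nodes -days 365 \
    -keyout "$outdir/ca.key" -out "$outdir/ca.pem" >/dev/null 2>&1
  for role in scheduler worker; do
    openssl req -new -config "$cfg" -subj "/CN=dask-$role" \
      -newkey rsa:2048 -nodes \
      -keyout "$outdir/$role.key" -out "$outdir/$role.csr" >/dev/null 2>&1
    openssl x509 -req -in "$outdir/$role.csr" \
      -CA "$outdir/ca.pem" -CAkey "$outdir/ca.key" -CAcreateserial \
      -days 30 -extfile "$cfg" -extensions leaf_ext \
      -out "$outdir/$role.pem" >/dev/null 2>&1
    rm -f "$outdir/$role.csr"
  done
}

# verify_dask_cert CAFILE CERT: succeeds only if CERT chains to CAFILE,
# which is the check each peer's TLS stack performs on the other side.
verify_dask_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# write_worker_submit DIR SCHEDULER_ADDR: HTCondor submit description that
# ships the worker's TLS material with the job and hands the paths (relative
# to the job's scratch directory) to dask-worker. entrypoint.sh stands in for
# the container entrypoint being worked on in #2.
write_worker_submit() {
  outdir="$1"
  sched="$2"
  cat > "$outdir/dask-worker.sub" <<EOF
# entrypoint.sh is a placeholder for the site-specific container entrypoint
executable = entrypoint.sh
arguments = "dask-worker --tls-ca-file ca.pem --tls-cert worker.pem --tls-key worker.key $sched"
should_transfer_files = YES
when_to_transfer_output = ON_EXIT
transfer_input_files = $outdir/ca.pem, $outdir/worker.pem, $outdir/worker.key
queue
EOF
}
```

Two things worth keeping in mind when using this: every worker presents the same `dask-worker` certificate, so the TLS layer proves membership in this cluster rather than which worker is talking, which is the same trade-off `Security.temporary()` makes; and the transferred `worker.key` lands in the job's scratch directory readable by the job's uid, so it should be short-lived (30 days here, shorter if the scheduler regenerates per cluster) and never placed somewhere world-readable like a shared `/staging` path without restrictive permissions.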