frazer-lab / cluster

Repo for cluster issues.

Open ports for IPython notebooks #12

Closed cdeboever3 closed 8 years ago

cdeboever3 commented 8 years ago

Once we have a web server running on the head nodes, can we open two ports for David and me to test setting up Jupyter/IPython notebooks? I was generally using ports around 7777 in the past but can use anything. The set up details for the notebook server are here.

tatarsky commented 8 years ago

Sounds reasonable. Currently there is no firewall on the external side of the head nodes. It's exposed. So we should probably limit that to some subnet of items really needed for external use. But 7777/tcp sounds fine.

hirokomatsui commented 8 years ago

I need two ports for two Python web servers on flh1; they access MySQL. The numbers could be 7777 and 7776, or whatever's fine. Chris, I don't think IPython uses a lot of memory, but do you think it will be better on flh2, separated from mine?

cdeboever3 commented 8 years ago

You can use whichever ports you'd like, I'll just take something that is unused for my notebooks. I can run the notebooks on flh2 but I don't think we'll stress the nodes either way. It's easy to switch nodes if need be.

On Fri, Oct 30, 2015 at 2:23 PM, hirokomatsui notifications@github.com wrote:

I need two ports for two Python web servers on flh1; they access MySQL. The numbers could be 7777 and 7776, or whatever's fine. Chris, I don't think IPython uses a lot of memory, but do you think it will be better on flh2, separated from mine?


hirokomatsui commented 8 years ago

OK, then can we open four ports, 7776-7779, on flh1?

tatarsky commented 8 years ago

You can currently open whatever ports you would like ;) There is no firewall so be careful. When we get a bit further along we should setup iptables with the finalized selection of ports.

tatarsky commented 8 years ago

Leaving this open for when we firewall the external interfaces. Probably soon.

tatarsky commented 8 years ago

A prototype for an iptables ruleset that allows the items listed above but generically protects the system from non-UCSD access is being slowly added to head node 2. It will not block anything at first. Just keep track of the rule matches. No changes to head node 1 yet.

tatarsky commented 8 years ago

Head node 2 will move to a blocking iptables config for external interfaces shortly. After a period of that running I will attempt the same rules on Head node 1. They are currently very open to UCSD ranges with a permit any to the world for SSH.

tatarsky commented 8 years ago

Per call 7700/tcp - 7799/tcp

tatarsky commented 8 years ago

I am ready to test HN2 with a deny at the end of the iptables. Been waiting for a good week to monitor. Just advise if not a good week for the final firewall add to the head nodes.

tatarsky commented 8 years ago

The deny rule was added to the end of the iptables on HN2 external this morning.

The ruleset is basically:

Allow SSH from anywhere (denyhosts provides brute force protection)
Allow the iPython notebook port range of 7700-7799 from anywhere
Allow on campus IP ranges to anything (a placeholder and could be changed)
Deny the rest.

Advise if anything you were doing to HN2 is now not possible and we'll review the ruleset.

I would like to apply the same ruleset to the HN1 system shortly.

cdeboever3 commented 8 years ago

Can we open up ports for mosh from anywhere?

mosh did not make a successful connection to 169.228.63.175:60001.
Please verify that UDP port 60001 is not firewalled and can reach the server.

(By default, mosh uses a UDP port between 60000 and 61000. The -p option
selects a specific UDP port number.)

tatarsky commented 8 years ago

See if I did that right. Added.

cdeboever3 commented 8 years ago

Yep that works thanks.

On Tue, Dec 8, 2015 at 8:36 AM, tatarsky notifications@github.com wrote:

See if I did that right. Added.


tatarsky commented 8 years ago

Saved. Working on a log only version for HN01.

tatarsky commented 8 years ago

Conceptual one without end deny on HN01. Monitoring it. May attempt soon.

tatarsky commented 8 years ago

Unless I hear by, say, 1:00PM (your time) or so, to give people time, I will finish the HN01 firewall with a deny line at the end and we can adjust for anything missed. The final breakdown for inbound allows (all outbound is allowed):

Allow the mosh ports 60000-61000 udp from anywhere
Allow the chosen ipython notebook ports 7700-7799 tcp from anywhere
Allow 22 tcp (SSH) from anywhere
Allow 80 tcp (HTTP) from anywhere

Allow on-campus access to any service from the ranges 132.249.0.0/16 and 137.110.0.0/16.
The above is a placeholder we may decide we don't want.

Deny the rest.
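The ruleset above (and the earlier HN2 version in this thread) written out as an iptables-restore file, as an added example that is not the frazer-lab/cluster repo's own firewall config. It also covers the staged rollout described earlier in the thread: a log-only version that counts unmatched traffic without blocking, then the same rules with the deny at the end. The ports and campus ranges are the ones listed in the thread; the external interface name (eth0), the EXT-IN chain name, the conntrack rule for return traffic and the rate-limited LOG rule are assumptions added here.

```shell
#!/bin/sh
# Added example, not the cluster repo's own config. Generates an iptables-restore
# "filter" table for a head node's EXTERNAL interface that matches the inbound
# allows listed in the issue thread. Assumed: interface name eth0, chain name
# EXT-IN, the conntrack and LOG rules. Ports and networks come from the thread.

EXT_IF="${EXT_IF:-eth0}"                       # assumed external interface name
CAMPUS_NETS="132.249.0.0/16 137.110.0.0/16"    # on-campus ranges from the thread

# gen_rules <log_only>  -> prints an iptables-restore ruleset on stdout
#   log_only=1 : staging config (log/count unmatched traffic, block nothing)
#   log_only=0 : final config with the deny line at the end
gen_rules() {
    log_only="$1"
    echo "*filter"
    echo ":INPUT ACCEPT [0:0]"
    echo ":FORWARD ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"        # all outbound is allowed
    echo ":EXT-IN - [0:0]"             # user chain holding only the external policy
    # Hand traffic arriving on the external interface to the EXT-IN chain;
    # internal interfaces are untouched by this ruleset.
    echo "-A INPUT -i $EXT_IF -j EXT-IN"
    # Return traffic for connections the host itself opened (assumed addition).
    echo "-A EXT-IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Inbound allows from anywhere, as listed in the thread.
    echo "-A EXT-IN -p udp --dport 60000:61000 -j ACCEPT"   # mosh
    echo "-A EXT-IN -p tcp --dport 7700:7799 -j ACCEPT"     # IPython/Jupyter notebooks
    echo "-A EXT-IN -p tcp --dport 22 -j ACCEPT"            # SSH (denyhosts covers brute force)
    echo "-A EXT-IN -p tcp --dport 80 -j ACCEPT"            # HTTP
    # On-campus placeholder: any service from the campus ranges.
    for net in $CAMPUS_NETS; do
        echo "-A EXT-IN -s $net -j ACCEPT"
    done
    # Everything else: log it, rate-limited so a port scan cannot fill the disk.
    # The packet/byte counters on this rule are what the monitoring phase watches.
    echo "-A EXT-IN -m limit --limit 5/min -j LOG --log-prefix \"EXT-IN unmatched: \""
    if [ "$log_only" = "1" ]; then
        echo "-A EXT-IN -j RETURN"     # staging: fall through to INPUT's ACCEPT policy
    else
        echo "-A EXT-IN -j DROP"       # final: deny the rest
    fi
    echo "COMMIT"
}

# has_final_deny <log_only> -> exit 0 if the generated ruleset ends in DROP, 1 otherwise.
# Handy as a sanity check before loading the "final" version onto a node.
has_final_deny() {
    gen_rules "$1" | grep -q -- '-A EXT-IN -j DROP'
}

# Usage (as root, after reading the generated rules):
#   sh this_script.sh 1 > /tmp/ext.rules      # staging, log-only
#   iptables-restore --test /tmp/ext.rules    # syntax check without loading
#   iptables-restore < /tmp/ext.rules
#   iptables -vnL EXT-IN                      # watch the counters on the LOG rule
# Re-run with argument 0 once the monitoring period shows nothing needed is hit.
if [ -n "${1:-}" ]; then
    gen_rules "$1"
fi
```

Loading the staging version first and watching `iptables -vnL EXT-IN` for a week reproduces the "log only, then deny" sequence the thread follows; the only difference between the two files is the last rule in EXT-IN.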

tatarsky commented 8 years ago

I got overloaded and did not add the deny line last week. I have added it this morning. Please advise if other allows are needed.

tatarsky commented 8 years ago

I believe this is resolved. If, going forward, you find a service you need blocked to either head node from the campus networks or "the world", please open an issue describing as best as possible the ports and protocols required, or the networks.