Reducing Firewall Exceptions


Joshua Brown

Jul 7, 2022, 4:44:22 PM
to Discuss
I have a question: what is the best setup to reduce the number of firewall exceptions that are needed when trying to provide transfer capabilities to a new machine?

Every time I set up a GCS, I need to poke holes in the firewall, which my security team does not like. This has me thinking that I am doing something wrong. Instead of setting up a new GCS each time I want to provide transfer capabilities to a new machine, does it make more sense to use an existing GCS, have a network folder that is mounted on both the new machine and the machine with the GCS running, and then simply create a collection on the network-mounted folder? Is this a supported solution, or are there downfalls or caveats to such an approach?

Best, 

Joshua

Wagner, Richard

Jul 7, 2022, 7:29:37 PM
to Joshua Brown, Discuss
Hi Joshua,

Absolutely, GCS can handle several networked file systems. Each mount can be under a single mapped collection, you can do a separate mapped collection per mount, or some combination. This is what many centers do where they operate separate storage for home directories versus a parallel scratch file system. There will be one or more DTNs mounting the home and scratch file systems, but presenting them as a single collection.

Trying to operate the fewest number of GCS instances possible is the rule-of-thumb I would aim for. The arguments for fewer are not just the number of firewall exceptions, but also fewer systems to maintain, less hardware to fail, and limiting the places configuration needs to be monitored. Also, you can aggregate individual nodes as DTNs for a single endpoint, rather than having multiple single-DTN endpoints as potential failure points.

What’s possible will depend on several things, but here are some I can think of right now.

Security: some endpoints and DTNs will need to be distinct because of the data they handle.

Networking: you’ll need a reliable and secure network path between your DTNs and the storage. The definitions of reliable and secure are based on your needs.

Storage: your storage will need to support a networked file system protocol that can be mounted on Linux (NFS, CIFS, Lustre, etc.).

Identities: avoiding identity collisions across file systems can be an issue. If you’ve got a bunch of NFS servers across labs where UIDs 500 or 1000 map to whatever user set up the server, this can be challenging.

—Rick
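The identity caveat Rick raises is the one that bites silently: once several NFS exports sit under one mapped collection, a Globus identity is mapped to a local username on the DTN, and that username's UID is what each mount sees. If UID 1000 is "alice" on one server and "bob" on another, alice's transfers land in (or read from) bob's files on the second mount. Below is an added example of a pre-deployment audit for that condition; it is not Globus code, and the host names and passwd entries are constructed for illustration. The idea is that you pull the name:uid pairs from each storage server's passwd (or from `getent passwd` on each) and run them through this check before exposing the mounts through a single collection.

```python
"""Audit UID/username consistency across the passwd tables of several
storage servers before putting their exports under one GCS mapped collection.

Added example, not Globus code. The hosts and passwd entries below are
constructed; in practice you would feed in the real 'name:uid' pairs
collected from each NFS server (e.g. the output of 'getent passwd')."""

from collections import defaultdict

# Constructed sample: minimal passwd-style entries (name:uid) per server.
# Deliberately includes the two classic problems:
#   - UID 1000 is 'alice' on nfs-lab-a but 'bob' on nfs-lab-b
#   - 'alice' is 1000 on nfs-lab-a but 2000 on scratch-fs
PASSWD_BY_HOST = {
    "nfs-lab-a": "alice:1000\nbob:1001\nsvc-backup:500\n",
    "nfs-lab-b": "bob:1000\ncarol:1001\nsvc-backup:500\n",
    "scratch-fs": "alice:2000\nbob:1001\ndana:1002\n",
}


def parse_passwd(text):
    """Return {username: uid} from 'name:uid[:...]' lines.

    Blank lines and '#' comments are skipped, so full /etc/passwd lines
    (name:x:uid:gid:...) would need the uid taken from field 2 instead;
    this helper assumes the short name:uid form used in the sample."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        table[fields[0]] = int(fields[1])
    return table


def find_identity_collisions(passwd_by_host):
    """Return (uid_conflicts, name_conflicts).

    uid_conflicts:  {uid: {username: [hosts]}} for UIDs that resolve to
                    different usernames on different hosts. Files owned by
                    that UID on one server show up as another person's on
                    the DTN, so the mapped collection would grant the wrong
                    user access.
    name_conflicts: {username: {uid: [hosts]}} for users whose UID differs
                    between hosts. The DTN can only give the user one UID,
                    so they will be denied (or misattributed) on the others.
    """
    by_uid = defaultdict(lambda: defaultdict(list))   # uid  -> name -> hosts
    by_name = defaultdict(lambda: defaultdict(list))  # name -> uid  -> hosts
    for host, text in passwd_by_host.items():
        for name, uid in parse_passwd(text).items():
            by_uid[uid][name].append(host)
            by_name[name][uid].append(host)

    uid_conflicts = {uid: dict(names) for uid, names in by_uid.items()
                     if len(names) > 1}
    name_conflicts = {name: dict(uids) for name, uids in by_name.items()
                      if len(uids) > 1}
    return uid_conflicts, name_conflicts


def report(passwd_by_host):
    """Human-readable summary; returns the lines so callers can log them."""
    uid_conflicts, name_conflicts = find_identity_collisions(passwd_by_host)
    lines = []
    for uid in sorted(uid_conflicts):
        owners = ", ".join(f"{n} on {'/'.join(h)}"
                           for n, h in sorted(uid_conflicts[uid].items()))
        lines.append(f"UID {uid} is claimed by different users: {owners}")
    for name in sorted(name_conflicts):
        uids = ", ".join(f"{u} on {'/'.join(h)}"
                         for u, h in sorted(name_conflicts[name].items()))
        lines.append(f"user {name} has inconsistent UIDs: {uids}")
    if not lines:
        lines.append("no UID/username collisions found")
    return lines


if __name__ == "__main__":
    for line in report(PASSWD_BY_HOST):
        print(line)
```

Anything the audit flags needs to be resolved on the storage side (a shared directory such as LDAP, or a UID reconciliation) before those exports share a collection; GCS identity mapping picks the local username, it cannot fix a UID that means two different people on two mounts.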

Joshua Brown

Jul 8, 2022, 3:18:59 PM
to Discuss, rpwa...@ucsd.edu, Discuss, Joshua Brown
Thanks Rick.