[MPICH] Re: Using MPICH2 on different ports

Jayesh Krishna jayesh at mcs.anl.gov
Tue Apr 24 11:11:32 CDT 2007 

 Hi,
  There is another thing to consider when running MPI programs across a
firewall using smpd process manager. The smpd process manager on a remote
machine spawns a new instance of the process manager to handle the requests.
This new instance of the process manager listens on a different port than
the original smpd port. This port number is conveyed across using the PMI
Wire protocol. So in principle even if you are able to specify the port
numbers in the machine file and able to filter connections based on the IP +
port no (& perform NAT), it would be hard to dynamically add rules to the
firewall for the new connection to the newly created instance of the smpd
process manager (However, SMPD allows you to restrict the range of the port
numbers used to the newly created smpd process manager via the
MPICH_PORT_RANGE environment variable).
  This might be the reason that you have the gateway machine in your current
setup.

(PS: From what I had seen before Windows firewall on XP does not even allow
port ranges to be specified in the filter rules.)

Regards,
Jayesh

-----Original Message-----
From: Anthony Chan [mailto:chan at mcs.anl.gov] 
Sent: Friday, April 20, 2007 12:34 PM
To: Matt Valerio
Cc: Matthew Chambers; Jayesh Krishna; mpich-discuss at mcs.anl.gov
Subject: Re: [MPICH] Re: Using MPICH2 on different ports



On Fri, 20 Apr 2007, Matt Valerio wrote:

> Yeah, that may be what I end up doing -- just forcing everyone to run 
> their stuff from the gateway computer.  Definitely not ideal, though.

Is your gateway machine a windows server that allows simultaneous RDP
sessions ?

>
> In my specific application the amount of message passing is pretty 
> minimal
> -- send a task to a computer, wait 10-15 minutes, get the results 
> back.  I think a single NAT could handle that.

Yes.
>
> Thanks,
> -Matt
>
>
> On 4/20/07, Anthony Chan <chan at mcs.anl.gov> wrote:
> >
> >
> > Wouldn't that be easier to use one (or couple) of the machines 
> > behind the firewall as the frontend(s) of your cluster.  Anyone who 
> > wants to run spmd/MPI job will need to login to the frontend(s) and run
from there ?
> > I think there may be performance hit to have all messages route 
> > through the NAT'ed machine (don't know how big though) even if what 
> > you are asking can be done.
> >
> > A.Chan
> >
> > On Fri, 20 Apr 2007, Matt Valerio wrote:
> >
> > > Hi everyone,
> > >
> > > Thanks for your responses.  I think they've answered my question, 
> > > and
> > the
> > > answer is that what I want to do is not possible.
> > >
> > > Yes, Matthew Chambers has it right.
> > >
> > > My current grid setup involves a number of computers 
> > > (192.168.0.*), each running smpd on port 8676.  I have one of 
> > > those computers as the
> > "gateway",
> > > that has 2 network cards, with one connected to the public network 
> > > and
> > one
> > > connected to the private network.  I want to give any computer in 
> > > the
> > public
> > > network access to the computers on the private network by opening 
> > > up a
> > range
> > > of ports on the gateway computer.  This approach is exactly how I 
> > > open
> > up
> > > Remote Desktop (RDP) currently.
> > >
> > > So for example, I want to set up the forwarding as:
> > > gateway:10101 --> slave01:8676
> > > gateway:10102 --> slave02:8676
> > > gateway:10103 --> slave03:8676
> > > etc.
> > >
> > > As you've said, this approach is currently not possible -- the 
> > > machine
> > file
> > > doesn't allow it.  For various reasons, I cannot put all of the
> > computers on
> > > the private network onto the public network -- using NAT is my 
> > > only
> > option.
> > >
> > > Sorry for the confusion of firewall vs. NAT.  The port forwarding 
> > > rules
> > are
> > > firewall exceptions in the control panel, so I get confused.
> > >
> > > So.....does anyone know if there are plans to implement this kind 
> > > of fine-grained control over the network connections?  I think it 
> > > would
> > greatly
> > > enhance the ways that MPICH2 clusters can be deployed.
> > >
> > > Thanks for your help,
> > > -Matt
> > >
> > >
> > > On 4/20/07, Matthew Chambers <matthew.chambers at vanderbilt.edu> wrote:
> > > >
> > > >  I don't understand how that could solve his problem.  I think 
> > > > Matt Valerio's initial description of the problem was 
> > > > misleading,
> > though.  It
> > > > seems to me that he is not trying to connect through a simple
> > firewall, he
> > > > is trying to connect through a NAT.  It seems he wants to use 
> > > > port forwarding set up on the NAT in way that will enable him, 
> > > > from a
> > computer
> > > > outside the NAT, to create a machine config file that connects 
> > > > to the
> > same
> > > > host IP (e.g. the WAN IP of the NAT) with different ports, which 
> > > > will logically connect to multiple machines inside of the NAT.  
> > > > However, as
> > you
> > > > say, that is not possible with the current SMPD machine config
> > file.  I do
> > > > think that is bad design on the part of the config file though.  
> > > > Would
> > it be
> > > > very difficult to extend the config file to support 
> > > > specification of
> > port as
> > > > well as host/IP?
> > > >
> > > >
> > > >   ------------------------------
> > > >
> > > > *From:* owner-mpich-discuss at mcs.anl.gov [mailto:owner- 
> > > > mpich-discuss at mcs.anl.gov] *On Behalf Of *Jayesh Krishna
> > > > *Sent:* Friday, April 20, 2007 10:56 AM
> > > > *To:* 'Matt Valerio'
> > > > *Cc:* mpich-discuss at mcs.anl.gov
> > > > *Subject:* RE: [MPICH] Re: Using MPICH2 on different ports
> > > >
> > > >
> > > >
> > > > Hi,
> > > >
> > > >  SMPD, by default, runs on the same port (8676) on all computers.
> > However
> > > > you can specify the port that smpd needs to run using the "-port"
> > option
> > > > while starting smpd (You can also ask smpd to run on any port 
> > > > assigned
> > by OS
> > > > using the "-anyport" option). The machine config file does not 
> > > > support specifying port names along with the machine name & number
of procs.
> > > >
> > > >  Instead of mapping the port numbers to IP+port you could allow 
> > > > connections from a certain list of client machines/IPs to 
> > > > certain port
> > (say
> > > > 8000) numbers on computer1/2/..
> > > >
> > > >  Let us know if you require any further information.
> > > >
> > > >
> > > >
> > > > Regards,
> > > >
> > > > Jayesh
> > > >
> > > >
> > > >  ------------------------------
> > > >
> > > > *From:* owner-mpich-discuss at mcs.anl.gov [mailto:owner- 
> > > > mpich-discuss at mcs.anl.gov] *On Behalf Of *Matt Valerio
> > > > *Sent:* Wednesday, April 18, 2007 11:04 AM
> > > > *To:* mpich-discuss at mcs.anl.gov
> > > > *Subject:* [MPICH] Re: Using MPICH2 on different ports
> > > >
> > > > Ok, let me try to simplify the question.
> > > >
> > > > Does smpd need to run on the same port on all computers?
> > > > Can I tell mpiexec that it needs to connect to all of the smpd
> > computers
> > > > on different ports?
> > > >
> > > > I know that the machine config file can specify different 
> > > > computers,
> > but
> > > > the same port.  I am just curious if the machine config file can
> > specify
> > > > different computers as well as different ports.
> > > >
> > > > Any help would be greatly apppreciated.  Thanks!
> > > > -Matt
> > > >
> > > >
> > > >  On 4/16/07, *Matt Valerio* <matt.valerio at gmail.com > wrote:
> > > >
> > > > Hello MPICH2 users,
> > > >
> > > > I am wondering if there is a way to instruct mpiexec to use 
> > > > multiple computers running smpd on different ports.
> > > >
> > > > For example, I have 10 computers behind a firewall.  Each of 
> > > > those 10 computers is running smpd on the same port (let's say
8000).
> > > > I want to put rules into a firewall computer that maps an 
> > > > externally-available port to the specific computer
> > > >
> > > > firewall:8001 ----(maps to)----------> computer1:8000
> > > > firewall:8002 ----(maps to)----------> computer2:8000 ...
> > > > firewall:8010 ----(maps to)----------> computer10:8000
> > > >
> > > > Then in the machine configuration file, I need to be able to 
> > > > tell
> > mpiexec
> > > > that it can use the same computer but different ports 
> > > > (8000-8010),
> > like
> > > >
> > > > firewall:8001
> > > > firewall:8002
> > > > ...
> > > > firewall:8010
> > > >
> > > > etc.
> > > >
> > > > Is this currently possible?  I know the machine file format is 
> > > > wrong because the number after the colon specifies the number of 
> > > > processes,
> > not
> > > > the port number.
> > > >
> > > > Does anyone have any ideas as to whether this kind of thing 
> > > > could
> > work?
> > > > Is there a better way?  Any help would be greatly appreciated.
> > > >
> > > > Thanks!
> > > > -Matt
> > > >
> > > >
> > > >
> > > >
> > >
> >
>

More information about the mpich-discuss mailing list