Ransom Briggs wrote:
> Hello,
Hi,
>
> I just finished up an upgrade to LCG-2_4_0 and everything seemed to be
> working fine until I noticed that the BDII server is no longer reachable
> from the worker nodes. The peculiar thing was that the BDII was reachable
> from everywhere else. I came to the conclusion that there is a problem
> with having our workers behind a NAT box and the new iptables rules.
>
> The reason I believe this is a problem is due to the fact that the worker
> nodes can see all other ports just fine except for 2170. I can even query
> the ldap on 2171-3. Does anyone have a suggestion on what I should do to
> get this to work?
A more serious problem is that NAT-ed worker nodes (or ones routed through
the CE) cannot reach any BDII in the world on port 2170, which breaks replication.
In /etc/init.d/lcg-bdii and /opt/lcg/bdii/sbin/lcg-bdii-update
replace the rule that is added to the PREROUTING chain (with REDIRECT
target) by a copy of the rule added to the OUTPUT chain (with DNAT target).
In /etc/init.d/lcg-bdii it should be:
iptables -t nat -I PREROUTING 1 -p tcp --dport ${BDII_PORT_READ} \
    -d `hostname -f` \
    -j DNAT --to-destination `host $(hostname) | awk '{print $4}'`:${BDII_PORT_READ}
in /opt/lcg/bdii/sbin/lcg-bdii-update:
system("iptables -t nat -R PREROUTING 1 -p tcp --dport $bdii_port_read " .
       "-d $bdii_host -j DNAT --to-destination " .
       "`host $bdii_host | awk '{print \$4}'`:$bdii_port_write");
Good luck,
Jan
--
Jan Astalos
Institute of Informatics, Slovak Academy of Sciences
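As an added example (not from Jan's mail or the LCG scripts), here is a small POSIX shell audit that reads iptables-save output for the nat table and counts PREROUTING rules on the BDII read port that still use the REDIRECT target, i.e. the rule the fix above replaces with DNAT. The two sample tables and the address 192.0.2.10 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original mail or the LCG scripts): audit a nat
# table for the PREROUTING rule with REDIRECT target that the fix replaces.
# Input is iptables-save style text on stdin; the samples below are constructed.

BDII_PORT_READ=2170

# Constructed sample tables: before the fix (REDIRECT in PREROUTING) and after
# (DNAT with -d in both chains). 192.0.2.10 stands in for the BDII host.
SAMPLE_BEFORE='*nat
-A PREROUTING -p tcp -m tcp --dport 2170 -j REDIRECT --to-ports 2171
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 2170 -j DNAT --to-destination 192.0.2.10:2171
COMMIT'

SAMPLE_AFTER='*nat
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 2170 -j DNAT --to-destination 192.0.2.10:2171
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 2170 -j DNAT --to-destination 192.0.2.10:2171
COMMIT'

# count_redirect_rules PORT: print how many PREROUTING rules match --dport PORT
# and jump to REDIRECT (the rule that has to go).
count_redirect_rules() {
    awk -v port="$1" '
        $1 == "-A" && $2 == "PREROUTING" {
            hasport = 0; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport" && $(i + 1) == port) hasport = 1
                if ($i == "-j") target = $(i + 1)
            }
            if (hasport && target == "REDIRECT") n++
        }
        END { print n + 0 }'
}

# audit_nat_table: report and return 0 only when no such REDIRECT rule remains.
audit_nat_table() {
    n=$(count_redirect_rules "$BDII_PORT_READ")
    if [ "$n" -eq 0 ]; then
        echo "OK: no PREROUTING REDIRECT rule on port $BDII_PORT_READ"
        return 0
    fi
    echo "WARN: $n PREROUTING REDIRECT rule(s) on port $BDII_PORT_READ; replace with DNAT"
    return 1
}

# Run against the constructed samples (the first is expected to warn); on a
# real CE/BDII host use: iptables-save -t nat | audit_nat_table
printf '%s\n' "$SAMPLE_BEFORE" | audit_nat_table || :
printf '%s\n' "$SAMPLE_AFTER" | audit_nat_table
```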