Hello, Could somebody help me with a question? We have a client node that is behind firewall at a remote location. We can''t access the node unless we log onto a frontend node within the site. The node itself can see the outside world. If we try to mount the node, we get the error: LustreError: 15c-8: MGC128.227.221.13 at tcp: The configuration from log ''lustre-client'' failed (-108). This may be the result of communication errors between this node and the MGS, a bad configuration, or other errors. See the syslog for more information. Is there an easy way to mount lustre filesystem remotely on this node (as lustre client)? Thanks in advance for your help. Regards, Yujun
Aaron Knister
2009-Oct-12 21:44 UTC
[Lustre-discuss] mounting lustre client behind firewall
I believe port tcp port 988 is used by default for the tcp lnet module. I''m not sure what other ports are required, but at the very least the client needs be able to connect to port 988 on the MDS and OSSes. The connection will be initiated by the node from a source port <1024. Does that help? On Mon, Oct 12, 2009 at 2:12 PM, Yujun Wu <yujun at phys.ufl.edu> wrote:> Hello, > > Could somebody help me with a question? We have a client > node that is behind firewall at a remote location. We > can''t access the node unless we log onto a frontend node > within the site. The node itself can see the outside world. > If we try to mount the node, we get the error: > > LustreError: 15c-8: MGC128.227.221.13 at tcp: The configuration from log > ''lustre-client'' failed (-108). This may be the result of communication > errors between this node and the MGS, a bad configuration, or other > errors. See the syslog for more information. > > Is there an easy way to mount lustre filesystem remotely > on this node (as lustre client)? > > Thanks in advance for your help. > > > Regards, > Yujun > > > > > > _______________________________________________ > Lustre-discuss mailing list > Lustre-discuss at lists.lustre.org > http://lists.lustre.org/mailman/listinfo/lustre-discuss >
Hello Aaron, Thanks for your info. Does this mean the client side have to open both inbound and outbound port on 988 all the way between servers and clients? Regards, Yujun On Mon, 12 Oct 2009, Aaron Knister wrote:> I believe port tcp port 988 is used by default for the tcp lnet > module. I''m not sure what other ports are required, but at the very > least the client needs be able to connect to port 988 on the MDS and > OSSes. The connection will be initiated by the node from a source port > <1024. Does that help? > > On Mon, Oct 12, 2009 at 2:12 PM, Yujun Wu <yujun at phys.ufl.edu> wrote: > > Hello, > > > > Could somebody help me with a question? We have a client > > node that is behind firewall at a remote location. We > > can''t access the node unless we log onto a frontend node > > within the site. The node itself can see the outside world. > > If we try to mount the node, we get the error: > > > > LustreError: 15c-8: MGC128.227.221.13 at tcp: The configuration from log > > ''lustre-client'' failed (-108). This may be the result of communication > > errors between this node and the MGS, a bad configuration, or other > > errors. See the syslog for more information. > > > > Is there an easy way to mount lustre filesystem remotely > > on this node (as lustre client)? > > > > Thanks in advance for your help. > > > > > > Regards, > > Yujun > > > > > > > > > > > > _______________________________________________ > > Lustre-discuss mailing list > > Lustre-discuss at lists.lustre.org > > http://lists.lustre.org/mailman/listinfo/lustre-discuss > > >
Brian J. Murrell
2009-Oct-13 16:03 UTC
[Lustre-discuss] mounting lustre client behind firewall
On Tue, 2009-10-13 at 11:53 -0400, Yujun Wu wrote:> Hello Aaron, > > Thanks for your info. Does this mean the client side have to open > both inbound and outbound port on 988 all the way between servers > and clients?No. As Aaron said, the connection would be initiated from a source port < 1024 (by default). If you have a stateful/connecection-tracking firewall, then just opening port 988 from clients to servers should be enough. If your firewall is not stateless/connection-tracking, then you would need a rule for all servers with source port 988 and destination ports < 1024 to all clients. b. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part Url : http://lists.lustre.org/pipermail/lustre-discuss/attachments/20091013/7878199b/attachment.bin