Charles,

Your diagnosis is abundantly confirmed.

I removed my iptables rule, and ran Art's job

    time globusrun-ws -submit -s -F <<servername>> -c /bin/true

I observed that job submissions from remote clients experienced a 30
second timeout, in addition to an 8 sec normal completion time.
Clients inside our local network saw no timeout.

Then I looked in our (AstroGrid-D standard) /etc/init.d/gsiftp file, and saw

    log_on_success += DURATION USERID
    log_on_failure += USERID

So I commented these out, and re-started the xinetd daemon.
The timeout disappeared.

Thank you for resolving this messy old problem for us!

The questions remain:
* Why does a simple job submission like the above use gsiftp?
* What was the original intent of these log lines?
* Can the desired effect of the log lines be had some other way?

Cheers!

On 22.07.08, Charles Bacon wrote:
> On Jul 22, 2008, at 10:55 AM, Steve White wrote:
>
> >Charles,
> >
> >On 21.07.08, Charles Bacon wrote:
> >>Interesting - I remember some discussion like that on this list, I
> >>think, but what does that rule achieve?
> >>
> >This is part of the AstroGrid-D documentation (I think I added it)
> >
> > http://www.gac-grid.org/project-products/grid-support/grid-installation.html#gsiftp
> >
> >As to where it came from, I haven't yet heard from Thomas, but I found
> >a discussion in which he took part (in German) on the internal GACG WG1
> >mailing list, dated 3 Sep. 2007
> >
> >Thomas says there, that he was able to watch the TCP traffic during some
> >grid exchanges, and that (in particular) GridFTP tries to connect with an
> >'identd' server, which in case of a firewall, results in a dropped packet
> >and usually a 30-second timeout.
> >
> >He then goes on to say that he thinks he saw the iptables rule in a firewall
> >document, probably on the Globus website. I haven't located that document.
> >
> >Anyway, the iptables rule solved Art's problem, as well as ours.
>
> Okay - I think the iptables might be fixing a problem which is self-
> created by the xinetd entries installed. GridFTP doesn't do ident
> lookups/callbacks by itself. It is only if you have lines like:
> on_success = HOST, USERID
>
> in the xinetd configuration file - that tells xinetd to make the ident
> request so it can put the result in syslog. Removing those lines is
> probably an easier solution than putting them in the xinetd entry and
> then adding a firewall rule to make them timeout very quickly.
>
>
> Charles
>
--
| - - - - - - - - - - - - - - - - - - - - - - - - -
| Steve White +49(331)7499-202
| e-Science / AstroGrid-D Zi. 35 Bg. 20
| - - - - - - - - - - - - - - - - - - - - - - - - -
| Astrophysikalisches Institut Potsdam (AIP)
| An der Sternwarte 16, D-14482 Potsdam
|
| Vorstand: Prof. Dr. Matthias Steinmetz, Peter A. Stolz
|
| Stiftung privaten Rechts, Stiftungsverzeichnis Brandenburg: III/7-71-026
| - - - - - - - - - - - - - - - - - - - - - - - - -
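
An added example, not part of the original thread: a small audit that reports which xinetd services end up with USERID in their effective log flags, the setting identified above as the cause of the ident lookup and the 30-second stall when a firewall drops it. It goes slightly beyond the thread by also resolving the `defaults` section and the `=`, `+=` and `-=` operators; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample in xinetd.conf syntax (not the AstroGrid-D file itself).
SAMPLE = """\
defaults
{
    log_on_success = HOST PID
}
service gsiftp
{
    log_on_success += DURATION USERID
    log_on_failure += USERID
}
service rsync
{
    log_on_success = HOST
    # log_on_failure += USERID
}
"""
LOG_ATTRS = ("log_on_success", "log_on_failure")
LINE = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")

def apply(flags, entries):
    """Apply (attr, op, values) entries on top of a copy of flags."""
    flags = {a: set(v) for a, v in flags.items()}
    for attr, op, vals in entries:
        vals = set(vals.replace(",", " ").split())
        if op == "=":
            flags[attr] = vals            # plain assignment overrides defaults
        else:
            flags[attr] = flags[attr] | vals if op == "+=" else flags[attr] - vals
    return flags

def ident_services(text):
    """Return {service: [log attrs]} whose effective flags include USERID."""
    blocks, name = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if line == "defaults" or line.startswith("service "):
            name = line.split()[-1]
            blocks[name] = []
        elif line == "}":
            name = None
        elif name and (m := LINE.match(line)) and m.group(1) in LOG_ATTRS:
            blocks[name].append(m.groups())
    base = apply({a: set() for a in LOG_ATTRS}, blocks.pop("defaults", []))
    eff = {s: apply(base, e) for s, e in blocks.items()}
    hits = {s: [a for a in LOG_ATTRS if "USERID" in f[a]] for s, f in eff.items()}
    return {s: attrs for s, attrs in hits.items() if attrs}
```

To audit a real host, pass the function the concatenated contents of the xinetd configuration files; any service it returns will make an ident request back to each connecting client.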