Hey Giles:
I'm going to forward this
over to oscar-users, since this is more a user question than a developer
question. Please subscribe to it if you're not already on it.
Which version of OSCAR is
this? Latest (i.e 4.1)?
Can you try turning off
pfilter on both the headnode and the compute node to see if it helps?
/etc/init.d/pfilter stop.
Pfilter should allow ntpd
traffic to go through, though.
You may try to leave it for a
little while and then come back and start up ntpd again on the compute node, to
see if it comes up then. I can do a test to see if I can re-produce this
issue.
Cheers,
Bernard
From: Giles Lesser [mailto:[EMAIL PROTECTED]
Sent: Thu 23/06/2005 7:25 PM
To: Bernard Li
Subject: RE: [Oscar-devel] NTP fails to contact headnode
Hi Bernard
distro: RHEL3 (WS)
firewall... Hmm. Haven't specifically installed anything that doesn't come standard. I'm not an expert at this, but I get
at the headnode...
[EMAIL PROTECTED] root]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
and at a comp node...
[EMAIL PROTECTED] root]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
pfilter all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
pfilter all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain pfilter (2 references)
target prot opt source destination
REJECT all -- anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere Node1.Tangaroa state NEW tcp dpt:ssh
ACCEPT all -- Headnode Node1.Tangaroa state NEW
ACCEPT all -- Node1.Tangaroa Node1.Tangaroa state NEW
ACCEPT all -- Node2.Tangaroa Node1.Tangaroa state NEW
ACCEPT all -- Node3.Tangaroa Node1.Tangaroa state NEW
ACCEPT icmp -- anywhere Node1.Tangaroa state NEW icmp echo-reply
ACCEPT icmp -- anywhere Node1.Tangaroa state NEW icmp echo-request
ACCEPT icmp -- anywhere 192.168.1.255 state NEW icmp echo-reply
ACCEPT icmp -- anywhere 192.168.1.255 state NEW icmp echo-request
DROP all -- anywhere 224.0.0.1
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
does that shed any light?
I have the "usual" setup with eth0 connected to the outside world and eth1 local to the cluster.
Many thanks
Giles
At 06:59 PM 6/23/2005, you wrote:
distro: RHEL3 (WS)
firewall... Hmm. Haven't specifically installed anything that doesn't come standard. I'm not an expert at this, but I get
at the headnode...
[EMAIL PROTECTED] root]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
and at a comp node...
[EMAIL PROTECTED] root]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
pfilter all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
pfilter all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain pfilter (2 references)
target prot opt source destination
REJECT all -- anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere Node1.Tangaroa state NEW tcp dpt:ssh
ACCEPT all -- Headnode Node1.Tangaroa state NEW
ACCEPT all -- Node1.Tangaroa Node1.Tangaroa state NEW
ACCEPT all -- Node2.Tangaroa Node1.Tangaroa state NEW
ACCEPT all -- Node3.Tangaroa Node1.Tangaroa state NEW
ACCEPT icmp -- anywhere Node1.Tangaroa state NEW icmp echo-reply
ACCEPT icmp -- anywhere Node1.Tangaroa state NEW icmp echo-request
ACCEPT icmp -- anywhere 192.168.1.255 state NEW icmp echo-reply
ACCEPT icmp -- anywhere 192.168.1.255 state NEW icmp echo-request
DROP all -- anywhere 224.0.0.1
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
does that shed any light?
I have the "usual" setup with eth0 connected to the outside world and eth1 local to the cluster.
Many thanks
Giles
At 06:59 PM 6/23/2005, you wrote:
Which distribution are you running? Also, do you have any firewall software running on your cluster (eg. pfilter package)?
Cheers,
Beranrd
From: [EMAIL PROTECTED] on behalf of Giles Lesser
Sent: Thu 23/06/2005 6:56 PM
To: [email protected]
Subject: [Oscar-devel] NTP fails to contact headnode
Hi all
I have what appears to be exactly the same problem as Gareth had back in April, I followed that thread, but couldn't find a solution. The ntpd's on the comp nodes fail to contact the headnode, but the ntpd on the headnode works fine
Here are the details: Node 1 first, then headnode.
[EMAIL PROTECTED] root]# /etc/init.d/ntpd start
ntpd: Synchronizing with time server: [FAILED]
Starting ntpd: [ OK ]
[EMAIL PROTECTED] root]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
LOCAL(0) LOCAL(0) 10 l 47 64 1 0.000 0.000 0.008
Headnode 0.0.0.0 16 u - 64 0 0.000 0.000 4000.00
[EMAIL PROTECTED] root]# cat /etc/ntp.conf
# Added by OSCAR package ntpconfig
server oscar_server
restrict oscar_server mask 255.255.255.255
# Prohibit general access to this service.
restrict default ignore
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service. Do not permit those systems to modify the
# configuration of this service. Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
# --- OUR TIMESERVERS -----
# or remove the default restrict line
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
# restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
# server mytrustedtimeserverip
# --- NTP MULTICASTCLIENT ---
#multicastclient # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
#
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
#
# Authentication delay. If you use, or plan to use someday, the
# authentication facility you should make the programs in the auth_stuff
# directory and figure out what this number should be on your machine.
#
# authenticate yes
#
# Keys file. If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys /etc/ntp/keys
-----------------------------------------------------------------
OK, now the headnode....
[EMAIL PROTECTED] root]# /etc/init.d/ntpd start
ntpd: Synchronizing with time server: [ OK ]
Starting ntpd: [ OK ]
[EMAIL PROTECTED] root]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*mathfox.xs4all. auth2.xs4all.nl 3 u 469 512 377 170.566 1.307 13.197
[EMAIL PROTECTED] root]# cat /etc/ntp.conf
# Added by OSCAR package ntpconfig
# Prohibit general access to this service.
restrict default ignore
restrict 213.84.14.16 mask 255.255.255.255 nomodify notrap noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service. Do not permit those systems to modify the
# configuration of this service. Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
# --- OUR TIMESERVERS -----
# or remove the default restrict line
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
# restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
# server mytrustedtimeserverip
# --- NTP MULTICASTCLIENT ---
#multicastclient # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
server 213.84.14.16
fudge 127.127.1.0 stratum 10
#
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
#
# Authentication delay. If you use, or plan to use someday, the
# authentication facility you should make the programs in the auth_stuff
# directory and figure out what this number should be on your machine.
#
# authenticate yes
#
# Keys file. If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys /etc/ntp/keys
Many thanks for your help
Giles
------------------------------------------------------- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click _______________________________________________ Oscar-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/oscar-devel
"All models are wrong, but
some are useful." George Box
(1979).
-------------------------------------------------
G.R.
Lesser
Visiting
Scientist
-------------------------------------------------
US Geological
Survey
Coastal and Marine Geology Program
345 Middlefield Road MS
999
Menlo Park, CA 94025
e-mail:
[EMAIL PROTECTED]
tel: +1 650
329-5475
fax: +1 650
329-5190
-------------------------------------------------
WL | Delft
Hydraulics
internet: http://www.wldelft.nl
US Geological Survey
Western Region
Coastal and Marine Geology
internet: http://walrus.wr.usgs.gov
