694453 – SECMAN:2007:Failed to end classad from condor_status with shared port configured

Bug 694453 - SECMAN:2007:Failed to end classad from condor_status with shared port configured

Summary: SECMAN:2007:Failed to end classad from condor_status with shared port configured

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise MRG
Classification:	Red Hat
Component:	condor
Sub Component:
Version:	Development
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	2.0
Target Release:	---
Assignee:	Timothy St. Clair
QA Contact:	Tomas Rusnak
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	691821
TreeView+	depends on / blocked

Reported:	2011-04-07 12:40 UTC by Tomas Rusnak
Modified:	2011-04-15 14:47 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-04-15 14:47:26 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Tomas Rusnak 2011-04-07 12:40:03 UTC

Description of problem:
condor_status return no answer or communication error while shared port is configured.

Version-Release number of selected component (if applicable):
$CondorVersion: 7.6.0 Mar 24 2011 BuildID: RH-7.6.0-0.3.el5 PRE-RELEASE-GRID $
$CondorPlatform: X86_64-Redhat_5.6 $

How reproducible:
always

Steps to Reproduce:
1. configuration:

Node1:
USE_SHARED_PORT=True
DAEMON_SOCKET_DIR = /var/lock/condor/daemon_soc
SHARED_PORT_ARGS = "-p 4080"
DAEMON_LIST=$(DAEMON_LIST),SHARED_PORT
SHARED_PORT_DEBUG = D_COMMAND
 
Node2:

CONDOR_HOST = <node1_hostname>
DAEMON_LIST=MASTER SCHEDD STARTD

2. set up firewall to drop all except 4080(and 22) on node1

Chain INPUT (policy DROP 21407 packets, 6391K bytes)
 pkts bytes target     prot opt in     out     source               destination         
1409K 1563M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
13437 1264K ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:4080 
 3454  262K ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh 
60298 3618K ACCEPT     tcp  --  any    any     network/21           anywhere

3. try condor_status or condor_status -direct <node1>:4080 from node2
  
Actual results:

Without -direct it provides no output:
$condor_status
$

With -direct it provides error message like this:
$condor_status -direct <hostname>:4080
Error: communication error
SECMAN:2007:Failed to end classad message.
Error: Failed to contact startd <hostname>:4080 at <IP:4080>

At same time:
==> /var/log/condor/SharedPortLog <==
04/07/11 08:25:33 Calling Handler <DaemonCore::HandleReqSocketHandler> (2)
04/07/11 08:25:33 Return from Handler <DaemonCore::HandleReqSocketHandler> 0.0002s


Expected results:
just works

Additional info:
I'm also using settings to allow all connections to avoid issues with permissions:

ALLOW_WRITE = *
ALLOW_READ = *
ALLOW_NEGOTIATOR = *
ALLOW_ADMINISTRATOR_READ = *

Comment 3 Timothy St. Clair 2011-04-15 14:47:26 UTC

Presently you will still need port 9618 open for collector and (shared port) for all other (direct) requests.  

if you wish to route all ports through 4080 including the collector you will 
need to configure: 

COLLECTOR_HOST = $(CONDOR_HOST):4080?sock=collector
COLLECTOR_ARGS = -sock collector

Note You need to log in before you can comment on or make changes to this bug.