[StarCluster] dealing with security groups

Justin Riley jtriley at MIT.EDU
Sun Dec 19 02:03:49 EST 2010


Hi Igor,
> I was really impressed how easy it was to use StarCluster - thanks! 
> :) but I can't figure out how to work around EC2 security groups to 
> make it work for us.
Thanks, glad you like it :D
> We need to be able to mount an NFS share (which is an EBS volume). I 
> understand that StarCluster can attach and share an EBS volume but we 
> already have our EBS volumes attached and used by other nodes. So 
> instead of attaching an EBS volume we need to mount an existing NFS 
> share. Does this make sense? I wonder how many people have a similar 
> set up? (We also need access to our NIS server and possibly other 
> services)

This makes sense and you'll certainly have to manage mounting the 
external NFS share in a plugin.

> By default, new EC2 security groups have all of the ports closed 
> (except ssh) so one thing I could do is to open the relevant ports at 
> cluster startup.

Yes, you'll also have to add the relevant lines to /etc/fstab and run 
the 'mount' command for each share on each node off the top of my head. 
Modifying fstab and running 'mount' will need to be done in a plugin.

> Alternatively, I'd rather not deal with security groups at all. 
> 'default' would work fine for us. Unfortunately, it looks like the 
> code assumes that a cluster has its own security group with a certain 
> name. So I guess that's not an option, right?

Currently each cluster has its own security group. This group is mostly 
used for accounting but is also useful if you want to apply a firewall 
to each individual cluster launched. The latest github code has support 
for applying security group permissions after the group is created which 
might meet your needs, however, currently the permission settings do not 
support specifying group-group permissions. I can add this fairly easily 
though...

Also, this use case suggests it would be handy to be able to specify 
additional security groups (such as 'default') to add each of the 
cluster nodes to in addition to their own (@sc-*). This would remove the 
need to add permissions since they'd all be in a common group (e.g. 
default).

> If I follow the first approach, I would need to do something like this:
>    ec2-authorize default -p <nfs-port> -o @sc-mycluster
> right? or do I also need to allow access from sc-cluster to default?
>
> Do I need to revoke these permissions when the cluster shuts down or 
> will EC2 take care of that as long as StarCluster deletes the security 
> group (does it?)

When the cluster shuts down, StarCluster deletes the cluster's security 
group so I'd imagine that would take care of the group-group permission 
but we'll need to test this to make sure that's the case. If the group 
is deleted the rule can't apply but it may still be defined. If this is 
the case the rule would have to be cleaned up.

~Justin
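
The leftover-rule case raised at the end of the message can be checked after a cluster is shut down. The following is an added example, not part of the original message or of StarCluster: it assumes the JSON shape printed by the current `aws ec2 describe-security-groups` command (not the 2010 `ec2-*` tools), and the group IDs, the sample data and the function name `find_dangling_group_rules` are constructed for illustration.

```python
# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# 'default' allows NFS (tcp/2049) from two cluster groups; only one still exists.
SAMPLE = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0aaa", "GroupName": "default",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
                 "UserIdGroupPairs": [{"GroupId": "sg-0bbb"}]},  # @sc-mycluster
                {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
                 "UserIdGroupPairs": [{"GroupId": "sg-0ccc"}]},  # deleted group
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
                 "UserIdGroupPairs": []},                        # CIDR rule, ignored
            ],
        },
        {"GroupId": "sg-0bbb", "GroupName": "@sc-mycluster", "IpPermissions": []},
    ]
}


def find_dangling_group_rules(described):
    """Return group-to-group ingress rules whose source group is not listed."""
    groups = described.get("SecurityGroups", [])
    existing = {g["GroupId"] for g in groups}
    dangling = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            for pair in perm.get("UserIdGroupPairs", []):
                src = pair.get("GroupId")
                if src not in existing:
                    dangling.append({
                        "group": group["GroupName"],
                        "protocol": perm.get("IpProtocol"),
                        "from_port": perm.get("FromPort"),
                        "to_port": perm.get("ToPort"),
                        "missing_source": src,
                    })
    return dangling


if __name__ == "__main__":
    for rule in find_dangling_group_rules(SAMPLE):
        print(rule)
```

A source group owned by another account is also absent from the listing, so review each reported rule before revoking it.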



