Dynamic Cluster Isolation (DCI) is an optional feature that adds a layer of security when joining external servers to your jobs. DCI works by creating a customizable firewall around the nodes allocated to your job and any external server. This is a unique way to securely connect external servers, such as databases, to a job.
By default, only the nodes that are members of your job and the file servers are allowed to communicate with each other. Other hosts will not be able to connect to the nodes in your job. You may, however, allow access from other hosts and ports.
To activate DCI for a particular job, all you have to do is include the “-A DCI” option to qsub when you submit the job. This will create the default firewall which allows access from only the file server and the other nodes allocated to that job. If you want to allow access from another host or hosts, use the following qsub option:
qsub -A DCI=host_list script.pbs
where “host_list” is a comma-separated list of hostnames or IP addresses. This will allow access from all the hosts in host_list on all ports.
If you would like to allow access only on a specific port from a specific host, prefix the hostname with PROTO%PORT@, where PROTO is either “tcp” or “udp” and PORT is a port number. For example, to allow connections to tcp port 1234 from the login server (scicluster.com), use the following:
qsub -A DCI=tcp%1234@scicluster.com script.pbs
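Because a bare hostname opens every port to that host, it helps to review a host_list before submitting. The following is an added example, not part of the cluster's own tooling: a hypothetical dci_lint shell function that checks each entry against the two forms described above and labels it as port-restricted or all-ports. It assumes hosts are DNS names or IPv4 addresses.

```shell
#!/bin/sh
# Added example (not site tooling): lint a DCI host_list before submission.
# Entry forms come from the page: HOST (all ports) or PROTO%PORT@HOST.
# Assumption: hosts are DNS names or IPv4 addresses (letters, digits, ".", "-").

# Prints one line per entry; exit status is 1 if any entry is malformed.
dci_lint() (
    set -f                                  # no globbing while splitting
    spec=$1 rc=0
    case $spec in
        ''|,*|*,|*,,*) echo "invalid list: empty entry"; exit 1 ;;
    esac
    IFS=,
    for entry in $spec; do
        case $entry in
            *%*@*)                          # PROTO%PORT@HOST
                proto=${entry%%\%*}
                rest=${entry#*%}
                port=${rest%%@*}
                host=${rest#*@}
                case $proto in
                    tcp|udp) ;;
                    *) echo "invalid $entry: PROTO must be tcp or udp"; rc=1; continue ;;
                esac
                case $port in
                    ''|*[!0-9]*|??????*) port=0 ;;   # non-numeric or too long
                esac
                if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                    echo "invalid $entry: PORT must be 1-65535"; rc=1; continue
                fi
                label="restricted $proto/$port" ;;
            *%*|*@*)
                echo "invalid $entry: expected PROTO%PORT@HOST"; rc=1; continue ;;
            *)                              # bare host: every port is opened
                host=$entry
                label="all-ports" ;;
        esac
        case $host in
            ''|*[!A-Za-z0-9.-]*) echo "invalid $entry: bad host"; rc=1; continue ;;
        esac
        echo "$label from $host"
    done
    exit "$rc"
)

# Constructed sample: one port-restricted entry and one bare host.
dci_lint 'tcp%1234@scicluster.com,10.0.0.5'
```

Any line reported as all-ports is a candidate for narrowing to a PROTO%PORT@ entry if the external server only needs one service.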
Additional Notes
All outbound traffic from the nodes is allowed. This allows your job to connect to the internet if needed.
If you would like to run an interactive job while using DCI, be sure to include scicluster.com in the host_list.
If you have already set up the special license server tunnels with our service, DCI will automatically include your license server tunnels in the firewall.