It’s a renovated note.
Nowadays many of us will enjoy the cloud cluster rather than build a self managed cluster, as it’s less management, high availability, more secure, pay-as-you-go, and all the advantages you can think of the cloud computing. However, if you accidentally own several old computers, and don’t want to sell/transfer them and don’t know how to deal with them, a home-managed cluster will be a good choice. there is a lot of fun of a self managed cluster.
Architecture
Let’s define our architecture here: 4 nodes: 1 master/worker, 3 worker
1. master node
-
eth0: connect with institute cable
- public interface, using DHCP
- internet download, update
- users can access it: ssh/scp
-
eth1: connect with worker ndoes
- private interface, using static IP
-
communicate other code:
- ssh/scp
- data transfer
- parallel communicate
config network interface eth0 and eth1
# Configure public interface (assumes DHCP from institute network) cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << EOF TYPE=Ethernet DEVICE=eth0 BOOTPROTO=dhcp ONBOOT=yes # Request static IP from our institute's DHCP server if possible # This makes routing more reliable DHCP_CLIENT_ID=cluster-master EOF # Configure private cluster network cat > /etc/sysconfig/network-scripts/ifcfg-eth1 << EOF TYPE=Ethernet DEVICE=eth1 BOOTPROTO=static IPADDR=192.168.10.1 NETMASK=255.255.255.0 ONBOOT=yes EOF # Apply new network configuration systemctl restart network NAT
# Enable IP forwarding persistently echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf # Enable connection tracking timeout optimization for HPC workloads echo "net.netfilter.nf_conntrack_tcp_timeout_established = 86400" >> /etc/sysctl.conf echo "net.netfilter.nf_conntrack_max = 131072" >> /etc/sysctl.conf # Apply sysctl changes sysctl -p # Set up NAT with higher connection limits iptables -t nat -A POSTROUTING -o eth0 -s 192.168.10.0/24 -j MASQUERADE the last command is important, as it will contribute to the return traffic. We will explain later.
setup the firewall
# Clear existing rules iptables -F iptables -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X # Set default policies iptables -P INPUT DROP iptables -P FORWARD DROP # We'll explain this choice iptables -P OUTPUT ACCEPT # Allow loopback iptables -A INPUT -i lo -j ACCEPT # Allow established and related connections iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow SSH from institute network iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT # Allow all traffic from the cluster's private network iptables -A INPUT -i eth1 -s 192.168.10.0/24 -j ACCEPT # Allow forwarding from cluster to internet iptables -A FORWARD -i eth1 -s 192.168.10.0/24 -o eth0 -j ACCEPT # Allow HTTP/HTTPS for package downloads iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT # Set up local package caching repository later (optional) iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT # Save iptables rules iptables-save > /etc/sysconfig/iptables I set the default FORWARD policy to DROP for security reasons:
It prevents unauthorized traffic from traversing the master node
It creates a default-deny stance, where only explicitly allowed traffic passes
It prevents potential lateral movement if one node is compromised
2. worker nodes
config
# Worker node 1 (192.168.10.2) cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << EOF TYPE=Ethernet DEVICE=eth0 BOOTPROTO=static IPADDR=192.168.10.2 NETMASK=255.255.255.0 GATEWAY=192.168.10.1 DNS1=8.8.8.8 ONBOOT=yes EOF # here GATEWAY will auto generate the route rule in table # Worker node 2 (192.168.10.3) # Change IPADDR=192.168.10.3 on the second worker node # Worker node 3 (192.168.10.4) # Change IPADDR=192.168.10.4 on the third worker node # Restart network service on each worker node systemctl restart network Routing Configuration for Worker Nodes
As we use the master node eth1 (192.168.10.1) as the gateway for work nodes (GATEWAY=192.168.10.1), above setting creates a default route on each worker node that sends all traffic not destined for the local network (192.168.10.0/24) to the master node (192.168.10.1).
$ route -n # see the result: (send all traffic (0.0.0.0/0) to gateway 192.168.10.1) 0.0.0.0 192.168.10.1 0.0.0.0 UG 0 0 0 eth0 Manual Command
Using manual command can also achieve the same result.
route add -net 0.0.0.0 gw 192.168.10.1 This manually adds a default route to the current routing table. It has the same immediate effect as the configuration file setting, but it's temporary and will be lost after a reboot or network service restart.
The difference is primarily in persistence and when the configuration happens. Using the network configuration file is the standard way to set up permanent routes in CentOS/RHEL systems.
Fire wall
# Clear existing rules iptables -F iptables -X # Set default policies iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT # Allow loopback iptables -A INPUT -i lo -j ACCEPT # Allow established connections iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow SSH from cluster nodes only iptables -A INPUT -p tcp --dport 22 -s 192.168.10.0/24 -j ACCEPT # HPC/MPI Communication - comprehensive approach # Allow all TCP/UDP between cluster nodes for parallel computing # this is optinal if you don't want do parallel computing iptables -A INPUT -s 192.168.10.0/24 -p tcp -j ACCEPT iptables -A INPUT -s 192.168.10.0/24 -p udp -j ACCEPT # Save iptables rules iptables-save > /etc/sysconfig/iptables systemctl enable iptables 3. Package management
3.1 Local yum Repo
because the worker node will not have the access to internet, we keep them inside the private, therefore, for package installation, updating, we need to find a way to resolve these.
we want to specify the packages in our yum repo
so here we build a local yum repo
# On master node # Install required packages yum install -y createrepo nginx # Create repository directory mkdir -p /var/www/html/centos-repo # Configure Nginx cat > /etc/nginx/conf.d/repo.conf << EOF server { listen 80; server_name _; root /var/www/html; location / { autoindex on; } } EOF # Start and enable Nginx systemctl enable nginx systemctl start nginx # Download packages to repository yum install -y yum-utils repotrack -p /var/www/html/centos-repo <package-name> # Repeat for packages we need # Create repository metadata createrepo /var/www/html/centos-repo # Configure worker nodes to use this repository cat > /etc/yum.repos.d/cluster-local.repo << EOF [cluster-local] name=Cluster Local Repository baseurl=http://192.168.10.1/centos-repo enabled=1 gpgcheck=0 EOF 3.2 Optional for package management
In order to realise
worker node package update
self-managed packages
we can also use scp to transfer package from master node.
# On master node, download and transfer RPM yum install -y yum-utils yumdownloader <package-name> scp <package-name>.rpm 192.168.10.1:/tmp/ # On worker node sudo rpm -ivh /tmp/<package-name>.rpm 3.3 directly route worker node to internet
If we don’t need high security, we can also open the private cluster to public internet. Which will configure the router table and we don’t discuss here.
4. Other Installations
ssh configuration
# On master node, generate SSH key ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -N "" # Copy the key to all nodes (including itself) for i in {1..4}; do ssh-copy-id -i ~/.ssh/id_rsa.pub 10.10.10.$i done # Do the same on each worker node to allow any-to-any communication # (Run similar commands on each worker node) Network Monitor & iptables Log
# Install tools yum install -y tcpdump nmap iftop # Set up automatic monitoring with fail2ban to prevent brute force attacks yum install -y fail2ban cat > /etc/fail2ban/jail.local << EOF [sshd] enabled = true port = ssh filter = sshd logpath = /var/log/secure maxretry = 5 bantime = 3600 EOF # Start and enable fail2ban systemctl enable fail2ban systemctl start fail2ban # Add logging rules before the final DROP rules iptables -A INPUT -j LOG --log-prefix "IPTables-Input-Dropped: " --log-level 4 iptables -A FORWARD -j LOG --log-prefix "IPTables-Forward-Dropped: " --log-level 4 # Save iptables rules iptables-save > /etc/sysconfig/iptables Optional Parallel Computing Configuration
# On all nodes (master and workers) # Install OpenMPI yum install -y openmpi openmpi-devel # Configure environment in /etc/profile.d/ cat > /etc/profile.d/mpi.sh << EOF export PATH=\$PATH:/usr/lib64/openmpi/bin export LD_LIBRARY_PATH=\$LD_LIBRARY_PATH:/usr/lib64/openmpi/lib EOF # Source the new environment source /etc/profile.d/mpi.sh # Test MPI communication # Create a hostfile cat > /home/username/hostfile << EOF 192.168.10.1 slots=128 192.168.10.2 slots=128 192.168.10.3 slots=128 192.168.10.4 slots=128 EOF # Run a simple MPI test mpirun -np 4 --hostfile /home/username/hostfile hostname Torque/PBS
# Install Torque on master node yum install -y torque-server torque-scheduler torque-client # Configure server nodes file cat > /var/torque/server_priv/nodes << EOF 192.168.10.1 np=128 192.168.10.2 np=128 192.168.10.3 np=128 192.168.10.4 np=128 EOF # Start Torque server systemctl enable pbs_server systemctl start pbs_server # Install Torque on worker nodes for i in {2..4}; do ssh 192.168.10.$i "yum install -y torque-mom torque-client; systemctl enable pbs_mom; systemctl start pbs_mom" done 5. Traffic Flow:
Forward Chain Traffic Flow in Both Directions
When we create the forward chain, iptables -A FORWARD -i eth1 -s 192.168.10.0/24 -o eth0 -j ACCEPT, this command let the traffic come into eth1 can be forward to eth0, which means traffic from worker nodes to master nodes, and master nodes forward it to institute internet. Here comes the question, where is the backward flow?
iptables -A FORWARD -i eth1 -s 192.168.10.0/24 -o eth0 -j ACCEPT Let’s see how the traffic flows first.
Outbound Traffic (Worker → Internet)
The rule above allows packets to travel from the worker nodes (coming in on eth1) to be forwarded out to the institute network (through eth0). This handles the first half of any connection, which is the outbound request.
Return Traffic (Internet → Worker)
For the return traffic, typically we will think what we need as:
iptables -A FORWARD -i eth0 -d 192.168.10.0/24 -o eth1 -j ACCEPT However, if we look closely at the original configuration, here is the command:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT This rule is handling the return traffic, because:
When a worker node initiates a connection, the outbound packet creates an entry in the connection tracking table (create a ESTABLISHED connection)
Any returning packets associated with that connection are marked as ESTABLISHED
The rule above allows all ESTABLISHED connections through, regardless of interface
This is more secure than explicitly allowing all traffic from eth0 to eth1, because it only permits return traffic for connections that were initiated from inside our cluster.
If this state tracking rule wasn't present, we would absolutely need to the backward traffic rule. Without either approach, connections would work one-way only, which means worker nodes could send requests, but never receive response…
Connection Flow
Let's trace a web request from a worker node:
- Worker (192.168.10.2) tries to access google.com
- Packet travels: Worker → Master's
eth1 - Master checks FORWARD chain, matches
-i eth1 -s 192.168.10.0/24 -o eth0rule - Master performs NAT, changing source IP to its own public IP
- Packet leaves through
eth0to institute network - Google responds to master's public IP
- Packet arrives at master's
eth0 - Master checks connection tracking table, sees this is a response
- Packet is marked as ESTABLISHED
- Master checks FORWARD chain, matches the ESTABLISHED rule
- Master performs reverse NAT, changing destination to worker's IP
- Packet leaves through eth1 to worker
- Worker receives response
More details
more details can check the post before here.
Top comments (0)