Restrict interface bindings and test connections #16292
Conversation
ViralBShah
added
backport pending 0.4
parallelism
amitmurthy
changed the title
|
If this gets backported, does this mean every worker will have to be using the very latest version of julia to be able to communicate with the main node? What about workers that get updated but node 1 still uses an older point version of julia? Would both of those situations break? |
|
Yes.
We could port only the first commit, i.e., binding only to one interface to 0.4. That would only break the specific use case of a local addprocs followed by a remote one. Which can be fixed by specifying |
amitmurthy
force-pushed
the
amitm/secure
branch
2 times, most recently
from
e925935
to
46f8cad
Compare
amitmurthy
changed the title
|
Ready for review. |
| @@ -1204,6 +1204,7 @@ export | |||
| # multiprocessing | |||
| addprocs, | |||
| asyncmap, | |||
| cluster_cookie, | |||
There was a problem hiding this comment.
should this really be exported? it's kind of an internal detail
There was a problem hiding this comment.
Only required by folks writing their own ClusterManagers. But I guess we could document its use as Base. cluster_cookie()
|
|
||
| Returns the cluster cookie. If a cookie is passed, also sets it as the cluster cookie. | ||
| """ | ||
| Base.cluster_cookie |
There was a problem hiding this comment.
better to do this inline rather than adding to this file
There was a problem hiding this comment.
Had it inline but moved it after removing the export since we cannot have the function definition as Base.cluster_cookie.
|
Merging this in a short while if there are no major concerns. |
|
I wish you hadn't squashed this since the cookie part is not backwards compatible. Please open a separate PR against release-0.4 with the less breaking portion. |
|
Will keep this in mind in the future. For this patch though the first commit wouldn't have merged cleanly and we also need to update the manual. |
ghost
mentioned this pull request
This PR does the following:
addprocsrestricts socket bindings to127.0.0.1, the default ip or a specifiedbind-toaddress. Currently we listen on all interfaces.addprocs(N)by default binds only to127.0.0.1.addprocs(N); addprocs(["some_host"])will no longer work.addprocs(N; restrict=false); addprocs(["some_host"])is the alternative for adding local workers and then adding workers from a remote host.SSHManagernow binds only to the specified ip or to the first interface ip returned bygetipaddr.--worker <cookie>.This PR addresses basic hygiene by avoiding unnecessary socket bindings and testing for connections. Full fledged security requirements are best addressed through a custom ClusterManager.
Doc updates are pending.