GC3: Grid Computing Competence Center

Since July 1st, 2014, GC3 merged into S3IT.
This web site is only kept for historical reasons and may be out-of-date.
Visit the S3IT website for more up-to-date information.

'Martian source' log messages and the default IP route
Posted Monday afternoon, November 25th, 2013

Login nodes of the Schroedinger cluster are load-balanced: a director listens to SSH requests and then forwards them to one or the other login node. Node login1 had been quite unstable lately, so we took it off and reinstalled on new hardware. Today, we asked to add it back to the load-balancing configuration.

The problem

After a while, we got a complaint from a diligent user that he could not log in to Schroedinger. The log files had a lot of these entries:

login1:~ # fgrep 'martian source' /var/log/messages
Nov 20 16:51:03 login1 kernel: [  202.342355] martian source 130.60.206.171 from 130.60.206.163, on dev eth1
Nov 20 16:51:40 login1 kernel: [  239.380672] martian source 130.60.206.170 from 130.60.206.164, on dev eth1
[...]

The entries started at the time we asked the Informatikdienste to add login1 back to the SSH load-balancer.

The IP numbers in the request were all different, proving that the issue affected several source hosts -- hence the problem is on the receiving end!

The solution

Antonio noted that the error is a combination of:

(a) default route pointing to dev eth0, and

(b) rp_filter being enabled in "strict" mode on all interfaces.

What was happening? Linux' reverse path filter drops incoming packets if the reply packet would not be routed through the same physical interface. So the packets received on eth1 and not belonging to eth1's local network would be classified as martian packets and dropped by the kernel.

In theory, there is not much to say about rp_filter. However, in practice the Internet seems to rather be a catalogue of cases in which you should turn it off (or relax its strictness). Well, this is not a case for turning rp_filter off. Rather, it's the default route of the system that is bad: it should point to the same subnet where the load-balancer resides.

The default route can be fixed on the fly, using the ip route command:

ip route change default via 130.60.206.161 dev eth1

Note that this only changes the in-memory route setting. Making the route permanent on SLES11 involves editing the file /etc/sysconfig/routes.
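
The strict-mode check described above, as an added example that is not part of the original post: it parses 'martian source' log lines and applies a simplified single-table longest-prefix lookup to show why the packets are dropped with the default route on eth0 and accepted once it points to eth1. All addresses, prefixes and log lines in it are constructed from documentation ranges, not taken from the cluster.

```python
import ipaddress
import re

# Kernel format: "martian source <destination> from <source>, on dev <ifname>"
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)")

def parse_martians(lines):
    """Yield (source, destination, input device) for each martian log line."""
    for line in lines:
        m = MARTIAN_RE.search(line)
        if m:
            yield (ipaddress.ip_address(m["src"]),
                   ipaddress.ip_address(m["dst"]), m["dev"])

def lookup_dev(routes, addr):
    """Longest-prefix match over (prefix, device) pairs; None if no route."""
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def explain(routes, log_lines):
    """Per martian line: (source, input dev, reply dev, accepted in strict mode)."""
    out = []
    for src, _dst, in_dev in parse_martians(log_lines):
        reply_dev = lookup_dev(routes, src)
        # Strict rp_filter accepts only if the reply would leave via the input device.
        out.append((str(src), in_dev, reply_dev, reply_dev == in_dev))
    return out

# Constructed sample data: clients outside eth1's subnet arriving on eth1.
SAMPLE_LOG = [
    "Nov 20 16:51:03 host kernel: [  202.342355] martian source 198.51.100.10 from 203.0.113.7, on dev eth1",
    "Nov 20 16:51:04 host sshd[4242]: Server listening on 0.0.0.0 port 22.",
    "Nov 20 16:51:40 host kernel: [  239.380672] martian source 198.51.100.10 from 203.0.113.99, on dev eth1",
]
LOCAL = [("192.0.2.0/24", "eth0"), ("198.51.100.0/28", "eth1")]
ROUTES_BEFORE = [("0.0.0.0/0", "eth0")] + LOCAL  # default route via eth0
ROUTES_AFTER = [("0.0.0.0/0", "eth1")] + LOCAL   # default route moved to eth1

if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        for row in explain(routes, SAMPLE_LOG):
            print(label, *row)
```

On a live host the same comparison can be made by hand with `ip route get <source address>` and checking that the reported device matches the one named in the log line.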

Further reading

So far, the best and most up-to-date resource I've found on the topic is "Reverse path filtering by example" by Brandon Phillips.

--RM
