如何在Centos 7中使用firewalld啟用MPI mpirun

Question

我正在嘗試使MPI在Centos 7 OS的小型群集上運行。 防火牆阻止其運行。 這是我得到的錯誤：

    $ mpirun -np 30 -hostfile hosts.txt mpi_sample_program/mpitest
    ------------------------------------------------------------
    A process or daemon was unable to complete a TCP connection
to another process:
  Local host:    marcher5
  Remote host:   ***.***.***.***.***
This is usually caused by a firewall on the remote host. Please
check that any firewall (e.g., iptables) has been disabled and
try again.
------------------------------------------------------------
--------------------------------------------------------------------------
ORTE was unable to reliably start one or more daemons.
This usually is caused by:

* not finding the required libraries and/or binaries on
  one or more nodes. Please check your PATH and LD_LIBRARY_PATH
  settings, or configure OMPI with --enable-orterun-prefix-by-default

* lack of authority to execute on one or more specified nodes.
  Please verify your allocation and authorities.

* the inability to write startup files into /tmp (--tmpdir/orte_tmpdir_base).
  Please check with your sys admin to determine the correct location to use.

*  compilation of the orted with dynamic libraries when static are required
  (e.g., on Cray). Please check your configure cmd line and consider using
  one of the contrib/platform definitions for your system type.

* an inability to create a connection back to mpirun due to a
  lack of common network interfaces and/or no route found between
  them. Please check network connectivity (including firewalls
  and network routing requirements).
--------------------------------------------------------------------------

當我使用：sudo systemctl disable firewalld禁用防火牆時，MPI可以正常工作。 我已經嘗試了很長時間，以添加一條規則，該規則允許MPI在不關閉防火牆的情況下運行，但是它尚未起作用。 我能夠使用sudo iptables -A INPUT -s -j ACCEPT來做到這一點，並且它起作用了。 但是由於Centos 7，現在我必須使用firewall-cmd。您建議我怎么做，而不影響群集的安全性。 是否應該添加規則以允許節點之間的所有流量？

我當前的firewall-cmd配置為：

$ firewall-cmd --list-all
work (default, active)
  interfaces: eno1
  sources:
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Answer 1

我試圖使用此添加源：

sudo firewall-cmd --permanent --zone=work --add-source=[host_IP]

但是仍然無法使MPI應用程序正確運行。 然后決定在此群集上啟用MPI的唯一方法是制定一條規則以接受節點之間的所有流量。 我運行了這兩個命令。

sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s  [server+IP] -j ACCEPT

firewall-cmd --reload

但這確實是一種魅力。不確定這是否是最好的解決方案安全性。