Torrent Suite Software Administration Guide


Prepare Your Site

The Torrent Server requires internet connectivity to install software updates and patches from Ion Torrent. To facilitate deployment, it is important that you prepare your site network infrastructure in advance.

On the scheduled deployment date, IT support personnel should be available to ensure that the Torrent Server is properly connected to the network and, if needed, to assist the FAS in troubleshooting connectivity issues.

Review the following topics to prepare your site for server installation:

Network connectivity preparation

Network provisioning

Network provisioning should be completed before the scheduled installation:

  • A network access jack should be identified and enabled in the area where the Torrent Server will be deployed. An Ethernet cable is provided with the server. The cable connects to the port labeled LAN on your Torrent Server; the remaining ports are used to connect to the Ion Proton and Ion PGM Sequencers.
  • DNS should be configured in advance of the scheduled installation.

Port assignment

To fully support the Torrent Server and Ion Torrent sequencers, remote monitoring must be provided using Axeda Remote System Monitoring software, which must be enabled and able to reverse SSH into the boxes. This requirement means that the Ion sequencers and Torrent Servers must be connected to the internet with outbound connections permitted on the following ports:

| Port | Required | Use |
|------|----------|-----|
| 22 | Yes | Start reverse SSH tunnel for remote troubleshooting |
| 80 | Yes | Download updates from http://updates.iontorrent.com and http://us.archive.ubuntu.com |
| 123 | Yes | (UDP) NTP access to the Internet; incoming and outgoing. |
| 443 | Yes | Enable sending of basic status information to the remote monitoring server. The IonReporterUploader plugin also requires port 443 to transfer data to Ion Reporter Software. |
| 5432 | No | Remote access to PostgreSQL database. |

Name resolution

A DHCP-assigned address is recommended. (The Torrent Server can be reconfigured to use a static IP address, if necessary.)

Server run, report and configuration data are accessed using your workstation Web browser. You must be able to access the server UI by entering the server hostname in your browser URL address field.

Network security

Firewall

Your Torrent Server is shipped with a firewall enabled.

Ion Torrent networks have been added to the firewall rules (in /etc/iptables.rules) to permit access to the Torrent Server.

Use /etc/iptables.custom if you add your own custom rules. The script /etc/init.d/networking restart picks up firewall settings from /etc/iptables.custom.

IP address

Use your web browser to discover your external (public) IP address. There are several sites that can be used to determine your IP address, such as http://whatismyip.com.

You may also use a text-based browser, such as Links, to find your external IP address. For Links, use the following command, which returns your external IP address:

             links -dump http://whatismyip.com | grep "Your IP Address Is"
            
You may need to first install Links, using the apt-get install links command.

Secure the Torrent Server and Ion PGM or Ion Proton Sequencer with iptables

The Torrent Server can be further secured by using iptables. (The administrator is assumed to be familiar with iptables and its use.)

A basic iptables configuration is provided by default with the Torrent Server.

Ensure the following Ion Torrent IP addresses are in the iptables.start file. For simplicity, add the entire address range as shown:

$IPTABLES -A INPUT -p tcp --dport 22 -s 38.110.159.160/27 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -s 38.126.104.128/25 -j ACCEPT
            

Use the following procedure to configure the iptables for your location:

  1. In the /etc directory, create iptables.start and iptables.stop files similar to the example files shown below.

  2. Type the command sudo chmod +x iptables* .

  3. Edit the rc.local file similar to the examples shown below (see ## ADD THE FOLLOWING LINE in the example).

  4. Start iptables using the command: sudo /etc/iptables.start.

Ion PGM or Ion Proton Sequencer

iptables.start

#!/bin/sh
# iptables IonTorrent - PGM 1.0.0 #

IPTABLES="/sbin/iptables_32"

# Flush existing rules and set the default policies first, so that the
# rules appended below are not discarded.
$IPTABLES -F
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

#$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
# PGM instrument's own IP address here
$IPTABLES -A INPUT -s 128.114.63.84 -j ACCEPT

# Allow ssh from these addresses: NEW IW, IE, ... elided ...
$IPTABLES -A INPUT -p tcp --dport 22 -s 71.6.74.66 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 22 -s 173.13.110.174 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -s 173.13.110.163 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 22 -s 173.13.146.13 -j ACCEPT

$IPTABLES -A INPUT -p tcp --dport 22 -s 128.114.63.83 -j ACCEPT

# Allow http connection to update server
$IPTABLES -A INPUT -p tcp --dport 80 -s 173.13.110.163 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -s 66.166.233.178 -j ACCEPT
# Test connection from ICE
$IPTABLES -A INPUT -i eth0 -p udp --dport 67:68 ... elided ...
# Drop http and ssh from every source not accepted above
$IPTABLES -A INPUT -p tcp --dport 80 -j DROP
$IPTABLES -A INPUT -p tcp --dport 22 -j DROP
            

iptables.stop

#!/bin/sh
# iptables IonTorrent - PGM 1.0.0 #
IPTABLES="/sbin/iptables_32"
$IPTABLES -F
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
            

rc.local

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

# Create file's magic database file.
if test -f /usr/share/misc/file/magic; then
  if test ! -f /usr/share/misc/file/magic.mgc; then
    file -C /usr/share/misc/file/magic.mgc
  fi
fi

touch /var/lock/subsys/local

## ADD THE FOLLOWING LINE
/etc/iptables.start
/software/patchcheck.sh
/bin/settime
/software/pciinit
modprobe radeonfb
fbset 800x600-75-32
/software/nanox/nano-X & /software/nanox/nanowm &
sleep 0.5
cd /software/gui
./launcher &
cd /software
/software/datacollect &
cd /software/gui/cntrl
sleep 0.25
/software/gui/cntrl/Controller &
            

Torrent Server

iptables.start

#!/bin/sh

IPTABLES="/sbin/iptables"

$IPTABLES -F
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
# Enter Server's IP address here
$IPTABLES -A INPUT -s 128.114.63.83 -j ACCEPT

# IP addresses to allow ssh access: NEW IE, IW, PGM, NEW IW
$IPTABLES -A INPUT -p tcp --dport 22 -s 173.13.110.163 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 22 -s 173.13.146.13 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -s 128.114.63.83 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -s 71.6.74.66 -j ACCEPT

# allow all traffic from PGM
# (FTP wants more than port 21 with extended response features)
$IPTABLES -A INPUT -p tcp -s 128.114.63.84 -j ACCEPT

$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT

$IPTABLES -A INPUT -i eth0 -p udp --dport 67:68 ... elided ...
$IPTABLES -A INPUT -p tcp --dport 80 -j DROP
$IPTABLES -A INPUT -p tcp --dport 22 -j DROP
            

iptables.stop

#!/bin/sh
IPTABLES="/sbin/iptables"

$IPTABLES -F
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
            

rc.local

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script ... elided ...
# bits.
#
# By default this script does nothing.

## ADD THE FOLLOWING LINE
/etc/iptables.start

exit 0
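
A pre-flight check for an iptables.start file before it is started in step 4 of the procedure above, as an added example that is not part of the vendor guide. It flags rules appended above a -F flush, an SSH ACCEPT placed below a blanket SSH DROP, a $IPTABLES command variable that is never assigned, and a missing SSH rule for either Ion Torrent range listed earlier on this page. The function name audit_iptables_start and the sample file are constructed for illustration.

```shell
# Added example, not vendor code: lint an iptables.start-style script.
# REQUIRED_SSH holds the two Ion Torrent source ranges quoted on this page.
REQUIRED_SSH="38.110.159.160/27 38.126.104.128/25"
# audit_iptables_start FILE: print one finding per line; return 0 only if clean.
audit_iptables_start() {
    awk -v required="$REQUIRED_SSH" '
    function report(msg) { printf "line %d: %s\n", NR, msg; n++ }
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
    /^[ \t]*IPTABLES=/ { defined = 1; next }      # the command variable
    !/^[ \t]*\$IPTABLES[ \t]/ { next }            # lint only iptables calls
    !defined && !warned++ { report("$IPTABLES used before it is assigned") }
    $2 == "-F" {                                  # flush: earlier rules are gone
        if (appended) report("-F discards " appended " rule(s) appended above it")
        appended = 0; ssh_drop = 0; split("", seen); next
    }
    $2 != "-A" { next }
    {
        appended++
        if ($3 != "INPUT") next
        src = ""; port = ""; target = ""
        for (i = 4; i < NF; i++) {
            if ($i == "-s") src = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (port != "22") next
        if (target == "DROP" && src == "") ssh_drop = 1
        if (target == "ACCEPT" && ssh_drop)
            report("ssh ACCEPT for " src " sits below a blanket ssh DROP")
        else if (target == "ACCEPT") seen[src] = 1
    }
    END {
        m = split(required, want, " ")
        for (i = 1; i <= m; i++)
            if (!(want[i] in seen)) { print "missing: ssh ACCEPT for " want[i]; n++ }
        exit (n > 0)
    }' "$1"
}
# Constructed sample: a rule above the flush and only one of the two ranges.
sample=$(mktemp)
cat > "$sample" <<'EOF'
IPTABLES="/sbin/iptables"
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -F
$IPTABLES -A INPUT -p tcp --dport 22 -s 38.110.159.160/27 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j DROP
EOF
audit_iptables_start "$sample" || echo "findings listed above"
rm -f "$sample"
```

The function only reads the file and never calls iptables, so it can be run on a workstation against a copy of the script.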