Client-Server Interaction

Schedulers listen on dedicated network ports for TCP communications from Cylc clients (jobs and user-invoked commands).

Use cylc scan to see which workflows are listening on which ports on scanned hosts.

Cylc generates public-private key pairs on the workflow server and job hosts which are used for authentication.

Authentication Files

Cylc uses CurveZMQ to ensure that any data, sent between the scheduler and the client, remains protected during transmission. Public keys are used to encrypt the data, private keys for decryption.

Authentication files will be created in your $HOME/cylc-run/<workflow-id>/.service/ directory at start-up. You can expect to find one client public key per file system for remote jobs.

On the workflow host, the directory structure should contain:

`-- .service
    |-- client_public_keys
    |   |-- client_localhost.key
    |   `-- <any further client keys>
    |-- client.key_secret
    |-- server.key
    `-- server.key_secret

On the remote job host, the directory structure should contain:

`-- .service
    |-- client.key
    |-- client.key_secret
    `-- server.key

Keys are removed as soon as they are no longer required.