
pmirror: Add option --unix-socket #109

Merged
merged 1 commit into from
Dec 16, 2019

Conversation

donald
Collaborator

@donald donald commented Dec 15, 2019

Currently the sender (master) and the receiver (slave) establish a
separate TCP connection for the file data. This requires that the
master can connect to a random TCP port which the slave creates, which
might not be possible if the systems are separated by a firewall.

We can ask ssh to forward another TCP connection, but we'd need to
define the port number from the master without knowing which ports are
free on the slave. The port namespace is very limited, so collisions are
not unlikely. To avoid that, we use the ability of ssh to use AF_UNIX
sockets for a forwarded channel. These have a much bigger namespace, so
collisions can be better avoided.

Add an option --unix-socket to use an ssh channel for the data connection.
Use /tmp/pmirror_USER_NNNNN as the default socket name, where USER is
the username (on the master) and NNNNN is a 5 digit random value. This
can be overwritten with --unix-socket-name=PATH. The same name is used
on the master and on the server. The name is removed immediately after
the data channel is established to reduce the time frame for
collisions.

Unlike the TCP based data channel, the unix-socket based data channel is
forwarded by ssh and so is encrypted.

Usage:

If your systems are separated by a firewall or you want encryption on
the data channel, add --unix-socket to the pmirror command line.
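The data-channel mechanism the description relies on, as an added stand-alone model (this is example code, not pmirror's own Perl code): the slave binds a listening AF_UNIX socket at a freshly generated name, the master connects to the same name, and the name is unlinked as soon as the connection exists. The ssh hop that would normally carry the channel between two hosts (`ssh -L PATH:PATH`, with `StreamLocalBindUnlink` so a stale name does not block the bind) is only noted in the docstring and not simulated; both ends run in one process so the example works offline. The `pmirror_USER_NNNNN` layout is taken from the description; honouring `TMPDIR` and drawing NNNNN from the OS CSPRNG are assumptions added here, as is the pre-created-path check.

```python
"""Constructed stand-alone model of a --unix-socket style data channel.

Added example, not pmirror's code.  Both ends run in this one process.  In a
real deployment the master would run something like
    ssh -o StreamLocalBindUnlink=yes -L "$SOCK:$SOCK" slave-host
so that connecting to its local path delivers the stream to the slave's path
of the same name; that hop is assumed here, not simulated.
"""
import os
import secrets
import socket
import tempfile
import threading
from typing import Optional, Tuple


def default_socket_name(user: str, tmpdir: Optional[str] = None) -> str:
    """Build a path in the style of the PR's /tmp/pmirror_USER_NNNNN default.

    Two deliberate differences from the PR's sprintf: honour TMPDIR (the point
    raised in review) and draw NNNNN from the OS CSPRNG rather than rand().
    """
    base = tmpdir or os.environ.get("TMPDIR") or "/tmp"
    return os.path.join(base, "pmirror_%s_%05d" % (user, secrets.randbelow(100000)))


def bind_listener(path: str) -> socket.socket:
    """Slave side: create the listening socket.

    bind() raises OSError (EADDRINUSE) if anything already exists at `path`,
    so a name pre-created by another local user is detected, never reused.
    """
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o077)          # socket inode is created 0600
    try:
        srv.bind(path)
    except OSError:
        srv.close()
        raise
    finally:
        os.umask(old_umask)
    srv.listen(1)
    return srv


def slave_receive(srv: socket.socket, path: str) -> bytes:
    """Accept one connection, drop the name at once, then drain the stream."""
    conn, _ = srv.accept()
    srv.close()
    os.unlink(path)                      # shrink the collision window
    chunks = []
    while True:
        buf = conn.recv(65536)
        if not buf:
            break
        chunks.append(buf)
    conn.close()
    return b"".join(chunks)


def master_send(path: str, data: bytes) -> None:
    """Master side: connect to the (ssh-forwarded) path and push the file data."""
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(path)
    cli.sendall(data)
    cli.close()


def transfer(data: bytes, user: str = "alice") -> Tuple[bytes, bool]:
    """Run one master->slave transfer; return (bytes received, name still exists)."""
    with tempfile.TemporaryDirectory() as tmpdir:   # private 0700 dir stands in for /tmp
        path = default_socket_name(user, tmpdir)
        srv = bind_listener(path)
        result = {}
        t = threading.Thread(target=lambda: result.update(data=slave_receive(srv, path)))
        t.start()
        master_send(path, data)
        t.join()
        return result["data"], os.path.exists(path)


def collision_is_detected(user: str = "mallory") -> bool:
    """Edge case: someone else already owns the name.  True if bind refuses it."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = default_socket_name(user, tmpdir)
        open(path, "w").close()          # another local user pre-created the name
        try:
            bind_listener(path)
        except OSError:
            return True
        return False


if __name__ == "__main__":
    received, leftover = transfer(b"payload " * 4096)
    print(len(received), "bytes received; socket name left behind:", leftover)
    print("pre-created name refused:", collision_is_detected())
```

The unlink in `slave_receive` happens after `accept()` returns, so the master is already connected and only the filesystem name disappears; the established stream is unaffected, which is exactly why removing the name early costs nothing.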

@pmenzel
Contributor

pmenzel commented Dec 16, 2019

immediately

pmirror/pmirror Outdated
@@ -1094,5 +1117,9 @@ if ($slave_mode) {
$>==0 or $slave_user='whatever'; # if we are not root, the local slave will also no be root
}

if ($unix_socket && !defined $unix_socket_name) {
$unix_socket_name=sprintf '/tmp/pmirror_setup_%s_%05d',$ENV{'USER'},int(rand(100000));
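Review bot: at the `$unix_socket_name=sprintf '/tmp/pmirror_setup_%s_%05d',$ENV{'USER'},int(rand(100000));` line the default name lives in the shared, world-writable /tmp and is predictable by any local user: the prefix and `$ENV{'USER'}` are known, and `int(rand(100000))` leaves 100000 candidates from a non-cryptographic generator, so another user can pre-create the path and make the bind fail, and since the same name is used on the master side a pre-placed socket there would be what the master connects to. Suggest `$ENV{'TMPDIR'} // '/tmp'` as the base (the TMPDIR question), a per-user directory created with mode 0700 or File::Temp instead of a bare name in /tmp, and a defined check on `$ENV{'USER'}`, which is unset under cron or a non-login session. The prefix `pmirror_setup_` also differs from the `/tmp/pmirror_USER_NNNNN` default stated in the description; one of the two should change.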
@pmenzel
Contributor

Should TMPDIR be used?

@donald
Collaborator Author

donald commented Dec 16, 2019

Thanks. Addressed both comments.

@pmenzel pmenzel merged commit 61b546d into master Dec 16, 2019