[CRIU] [PATCH 0/3] p.haul: ssh tunneling, v5
Ruslan Kuprieiev
kupruser at gmail.com
Wed Oct 29 02:29:15 PDT 2014
On 29.10.2014 10:03, Pavel Emelyanov wrote:
> On 10/28/2014 01:18 AM, Ruslan Kuprieiev wrote:
>> v2, use ssh tunnel by default, enhanced opts handling
>> v3, send addr to the client
>> v4, use rpc to send socket name
>> v5, add --no-ssh option
>>
>> Ruslan Kuprieiev (3):
>> p.haul: do not use getsockname() as a hash_name, v4
>> p.haul: add --port option to p.haul-service
>> p.haul: use ssh tunneling and controll it with ssh* cmdline opts, v2
>>
>> p.haul | 17 +++++++++++++++--
>> p.haul-service | 15 ++++++++++++++-
>> p_haul_iters.py | 6 +++---
>> ssh_tunnel.py | 36 ++++++++++++++++++++++++++++++++++++
>> util.py | 10 ++++++++++
>> xem_rpc.py | 53 ++++++++++++++++++++++++++++++++++++++---------------
>> 6 files changed, 116 insertions(+), 21 deletions(-)
>> create mode 100644 ssh_tunnel.py
>>
> I'm still not happy with the fact the spawned ssh with port forwarding
> takes time to prepare and we have to retry connecting to it.
>
> I was today told about the paramiko package -- https://pypi.python.org/pypi/paramiko/
> Isn't it better to utilize this one?
I've tried to use paramiko, but it is pretty slow, and for port
forwarding it requires writing your own local server
<https://github.com/paramiko/paramiko/blob/master/demos/forward.py> in
Python. It is flexible, but it looks like overkill to me.
> Another question -- how does this machinery work in qemu? Can you find out?
Qemu? OK, I'll try.
> And the last thing. Our vzmigrate guys say that in Python it might be
> MUCH simpler to do this another way. First, you connect to ssh, authorize
> yourself, then generate an openssl certificate and then use one to establish
> other connections between p.haul and p.haul-service. Maybe RPC control
> socket can just re-use the ssh channel, but data socket is better to work
> over openssl. Can you research this too?
Well, the problem here is that we will still need to do some kind of forwarding,
because page-server uses splice(), but openssl sockets are not meant to
be used with it. They can't even be used with a regular read(sk...) call.
I mean, you can't just get the fd of an ssl socket and use regular calls.
Btw, I'm not sure that:
1) authorizing through ssh
2) gen ssl keys
3) transfer ssl keys
4) create ssl socket
5) transfer data
is faster than:
1) create ssh tunnel
2) transfer data
I think that using ssh tunneling is the most suitable way here.
> Thanks,
> Pavel
>
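
The connect retry that the thread discusses for a freshly spawned ssh port forward, written with a hard deadline and backoff. This is an added example, not code from the message or from the p.haul patches; `wait_for_listener` and `delayed_listener` are hypothetical names, and a delayed local socket stands in for the spawned ssh.

```python
import socket
import threading
import time


def wait_for_listener(host, port, timeout=5.0, first_delay=0.05, max_delay=0.5):
    """Connect to host:port, retrying until `timeout` seconds have passed.

    Returns (connected_socket, attempts); raises TimeoutError if nothing
    accepts in time. Success only proves that *something* listens on the
    port, not that the listener is our ssh.
    """
    deadline = time.monotonic() + timeout
    delay, attempts = first_delay, 0
    while True:
        attempts += 1
        try:
            return socket.create_connection((host, port), timeout=1.0), attempts
        except OSError as err:      # refused or timed out: forward not up yet
            last_err = err
        if time.monotonic() + delay > deadline:
            raise TimeoutError(
                f"{host}:{port} not ready after {attempts} tries: {last_err}")
        time.sleep(delay)
        delay = min(delay * 2, max_delay)   # back off, but stay responsive


def delayed_listener(delay):
    """Constructed stand-in for `ssh -L`: the port is reserved at once but
    only starts accepting after `delay` seconds (never, if delay is None)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    if delay is not None:
        timer = threading.Timer(delay, srv.listen, args=(1,))
        timer.daemon = True
        timer.start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = delayed_listener(0.3)
    conn, attempts = wait_for_listener("127.0.0.1", port, timeout=3.0)
    print(f"connected to 127.0.0.1:{port} after {attempts} attempts")
    conn.close()
    srv.close()
```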