Bridging DRb UNIX socket services on two hosts

ruby-talk
1

Hi,

I have two computers, both running a bunch of DRb services on them. The services run on UNIX sockets with drbunix in order to use the OS file permissions for access control.

How would I go about bridging the computers in a secure fashion so that one computer's services can talk to the other? Preferably without exposing the services to the network or using a NFS/Samba mount.

One way I am thinking about is using an SSH tunnel between the computers (again, to benefit from the existing access controls in the OS), and run a proxy service that proxies calls between the hosts.

Is that sensible? How would I go about writing that? Start proxy service on both hosts, set up the tunnel to make them talk to each other, set up new proxy object for each method call, wrap all DRbObjects? Is there a better way?

Any pointers appreciated.

···

--
  -Ilmari

2

Hi,

I have two computers, both running a bunch of DRb services on them. The services run on UNIX sockets with drbunix in order to use the OS file permissions for access control.

How would I go about bridging the computers in a secure fashion so that one computer's services can talk to the other? Preferably without exposing the services to the network or using a NFS/Samba mount.

You can use DRb over SSL:

http://segment7.net/projects/ruby/drb/DRbSSL/

One way I am thinking about is using an SSH tunnel between the computers (again, to benefit from the existing access controls in the OS), and run a proxy service that proxies calls between the hosts.

You can use GWIdConv to link process (Gateway id Converter)

http://segment7.net/projects/ruby/drb/idconv.html

Is that sensible? How would I go about writing that? Start proxy service on both hosts, set up the tunnel to make them talk to each other, set up new proxy object for each method call, wrap all DRbObjects? Is there a better way?

You don't need to write anything, its all built in :slight_smile:

···

On 10 Dec 2004, at 23:09, Ilmari Heikkinen wrote:

3

Thank you, Eric.

···

On 2004/12/11, at 16:12, Eric Hodel wrote:

One way I am thinking about is using an SSH tunnel between the computers (again, to benefit from the existing access controls in the OS), and run a proxy service that proxies calls between the hosts.

You can use GWIdConv to link process (Gateway id Converter)

http://segment7.net/projects/ruby/drb/idconv.html

and Japanese version is here.

* http://www.druby.org/ilikeruby/drbssh.html
== 10.2 dRuby gateway

4

Eric, Masatoshi, thank you for the tips.

> You can use GWIdConv to link process (Gateway id Converter)
>
> http://segment7.net/projects/ruby/drb/idconv.html

and Japanese version is here.

* http://www.druby.org/ilikeruby/drbssh.html

It seems that the gateway approach would need extra work (translating
DRbObject uris) to pass DRbObjects through it?

As an example:

# ...
# Set up gateway on remote host from unix socket to tcp socket.

···

#
# def remote_object.hello(x); "Hello, " + x.to_s; end
# def remote_object.self; self; end
# ...

#local:
DRb.start_service('drbunix:/tmp/local')
ro = DRbObject.new_with_uri(remote_uri)
ro[:unix].hello "Foo" #=> "Hello, Foo"

a = Object.new
a.extend DRbUndumped
def a.to_s; "Bar"; end

ro.hello a #=> DRb::DRbConnError: drbunix:/tmp/local -
                 #<Errno::ENOENT: No such file or directory -
                   /tmp/local>

# Which is fixed by switching to a TCP socket instead of the UNIX socket
# for the local service.

DRb.stop_service
DRb.start_service
ro.hello a #=> "Hello, Bar"

# But:

ro.self.hello "Foo" #=> DRb::DRbConnError: drbunix:/tmp/gw_c -
                         #<Errno::ENOENT: No such file or directory -
                          /tmp/gw_c>

Or am I missing something?

I got it somewhat working by using socat with ssh to tunnel between two
unix sockets. It doesn't need extra TCP sockets for communication, but
would require writing some connection handling code to automatically set
up the tunnels.

Using the objects from above:

First, start services on both hosts:
------------------------------------
#remote:
DRb.start_service('drbunix:/tmp/remote', remote_object)

#local:
DRb.start_service('drbunix:/tmp/local')

Next, set up tunnels:
---------------------
# Connect remote /tmp/remote to local /tmp/remote
local$ socat UNIX-LISTEN:/tmp/remote \
             EXEC:'ssh remote socat STDIO UNIX-CONNECT:/tmp/remote'

# Connect local /tmp/local to remote /tmp/local
remote$ socat UNIX-LISTEN:/tmp/local \
              EXEC:'ssh local socat STDIO UNIX-CONNECT:/tmp/local'

Ready to go:
------------
#local:
ro = DRbObject.new_with_uri('drbunix:/tmp/remote')
ro.hello "Foo" #=> "Hello, Foo"
ro.hello a #=> "Hello, Bar"
ro.self.hello a #=> "Hello, Bar"

# But, this doesn't work:
ro.hello ro #=> DRb::DRbConnError: drbunix:/tmp/remote -
                  #<Errno::ECONNREFUSED: Connection refused -
                    /tmp/remote>