implemented option for direct connection via socat and busybox nc #513
Conversation
This is great! Totally saves wasted CPU cycles on two systems connected by a trusted network doing pointless SSH encrypt/decrypt (especially when sending raw encrypted streams).

sorry, but how can i install busybox netcat in a clean way on centos 7 (via rpm command)?

do we really really need busybox nc and socat? couldn't we simply use:

mbuffer -W 10 -I 8888
mbuffer: error: watchdog timeout: input stalled; sending SIGINT

and wrap "mbuffer -O host:port" tries/retries in the syncoid perl-script?

@phreaker0 does this start the netcat listener on the remote side and close it again as needed, or just expect to find an always-on listener?

@devZer0 Nice, I didn't read/find out that the mbuffer timeout also works for non-established connections; for all the other tools I tested it didn't (normal netcat, socat, ...). So I guess I can exchange busybox netcat for mbuffer then (will test this later). But I still need socat for the connection retry options. @jimsalterjrs it will start the netcat listener on the remote side as needed and will close it again after the replication or on error
If you're going to reimplement with mbuffer I'll wait to test. Is there any value to allowing either mbuffer or netcat as transports, keeping some of your existing work for netcat--or should we do mbuffer only, to minimize maintenance complexity down the road?
i had some little conversation with the socat author/maintainer and asked for a listen timeout feature in socat and convinced him it could be useful. he sent a patch within 1 day :) as it will need some time until such an enhancement finds its way into major distros, i think there could be 2 ways to proceed:

@phreaker0, if you like testing the socat patch i can forward it to you. furthermore, i'm feeling uncomfortable that there is a listener on the receiving side which accepts connections from everywhere for the timeframe of the transfer. if socat is used on the receiving side, some security option to restrict access could easily be added (see "RANGE option group" in https://linux.die.net/man/1/socat)
btw, i get the following warning: Use of uninitialized value $sourcehost in string ne at ./syncoid line 128.

I get a "Use of uninitialized value $sourcehost in string ne at ./syncoid line 128." warning when using

Also could use command checking for socat. If it doesn't exist, commands just repeatedly fail. Otherwise works well for me

@TheLQ warnings are fixed, command checks are in place. @jimsalterjrs I don't see a point in supporting busybox nc as well if mbuffer can do the job, you can test now

mhm, it doesn't work on my servers (i only tested with local addresses on my machine), need to investigate
So, mbuffer behaves much differently than the other listening tools. The address provided to mbuffer isn't used as the listening address but as a src address whitelist; mbuffer will listen on all network interfaces. Therefore I switched back to busybox nc as default and added an option for switching to mbuffer (in which case the specified listen address is used as an IP filter). I also increased the default timeout to 60 seconds and made it configurable; for some of my datasets with tiny files on rust and lots of metadata changes zfs send can be so slow that a timeout is triggered. Command checks for busybox nc and mbuffer are done according to the provided options. examples:
busybox nc, target and listen ip is the same (no NAT)
busybox nc, target and listen ip is different -> NAT
busybox nc, target and listen ip is the same (no NAT) and timeout of 120 seconds
mbuffer tcp (192.168.32.1 is src address), target and listen ip is the same and timeout of 120 seconds

Would love to see this for LAN syncs ...

This looks awesome, looking forward to seeing it merged
Also adding some tests in tests/syncoid/... would help ensure the code does not break existing types of transfers, and that any changes down the line will not break them. At the very least I would add one test for secure and another one for insecure - just happy path.
@@ -262,6 +262,11 @@ As of 1.4.18, syncoid also automatically supports and enables resume of interrup | |||
|
|||
Use specified identity file as per ssh -i. | |||
|
|||
+ --insecure-direct-connection=IP:PORT[,IP:PORT,[TIMEOUT,[mbuffer]]] |
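Review bot: The bracket nesting in `[,IP:PORT,[TIMEOUT,[mbuffer]]]` puts the comma that precedes TIMEOUT inside the optional listen-address group, so as documented a timeout cannot be given without also giving a second IP:PORT; either state that an empty field is accepted (`IP:PORT,,120`) or, as the review suggests, make TIMEOUT and mbuffer separate options. This README line should also carry the "DATA IS NOT ENCRYPTED" warning that the usage text in syncoid has, since the README is what most users read.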
Why not use different parameters for each of these 4 "sub-parameters"? If a user wants to change the timeout while keeping the second parameter at its default, he/she will be confused.
@@ -1911,6 +1986,7 @@ Options: | |||
--sshport=PORT Connects to remote on a particular port | |||
--sshcipher|c=CIPHER Passes CIPHER to ssh to use a particular cipher set | |||
--sshoption|o=OPTION Passes OPTION to ssh for remote usage. Can be specified multiple times | |||
--insecure-direct-connection=IP:PORT[,IP:PORT] WARNING: DATA IS NOT ENCRYPTED. First address pair is for connecting to the target and the second for listening at the target |
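Review bot: This usage line documents only `IP:PORT[,IP:PORT]` while the README hunk and the argument parser accept a third TIMEOUT field and a fourth `mbuffer` flag; bring the two in sync so `--help` matches what the option actually parses. The warning should also say that the target starts a plain TCP listener that accepts a connection from any source for as long as the timeout runs, not just that the data is unencrypted, since that is the exposure raised earlier in the thread.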
This is not consistent with the README.md and the actual parameters.
print("CRITICAL: invalid insecure-direct-connection argument!\n"); | ||
pod2usage(2); | ||
exit 127; | ||
} elsif (scalar @parts >= 2) { |
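Review bot: `pod2usage(2)` exits by itself with status 2, so the `exit 127` that follows it is unreachable and the 127 status the code apparently intends is never returned; pass `-exitval => 127` to pod2usage or drop one of the two. The `scalar @parts >= 2` branch also needs to classify each field by shape (HOST:PORT, a number, or the literal `mbuffer`) rather than by position; otherwise a two-field argument is ambiguous, as the review comment on this hunk points out.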
What is $parts[1] when you have two parameters? It could be the $directtimeout if it is a single number? Or $directmbuffer if it is a string? Or $directlisten if it matches HOST:PORT?
if ($directmbuffer) { | ||
$remotecmd .= " $mbuffercmd $args{'target -bwlimit'} -W $directtimeout -I " . $directlisten . " $mbufferoptions |"; | ||
} elsif (length $directlisten) { | ||
$remotecmd .= " busybox nc -l " . $directlisten . " -w $directtimeout |"; |
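Review bot: `$args{'target -bwlimit'}` has a stray space in the hash key, so it is always undef and is what produces the "Use of uninitialized value in concatenation" warning reported later in the thread; the key should be `'target-bwlimit'`. `busybox nc` is also hardcoded here while the other tools go through a `$...cmd` variable that is existence-checked. Neither listener restricts the peer: the `-l $directlisten` socket accepts a connection from any host until `-w $directtimeout` expires, which is worth stating next to the option's warning.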
Extract busybox nc to something like $bbnccmd (similar to $socatcmd and the rest), and check its availability.
Use of uninitialized value in concatenation (.) or string at ./syncoid line 1317. just an assumption on my part considering the rest of the variables with the same name don't have the space in that location

just wanted to comment that I have tested the insecure connection and it 'works for me' using 10Gb SFP+. I was limited to about 200MB per second network transfer with ssh cipher 'aes128-ctr', only about 150MB with the default ssh cipher. using the insecure connection I was able to sustain almost 400MB per second. The data was being transferred between SSDs on both ends. BTW I just copied the syncoid from https://github.com/phreaker0/sanoid/blob/direct-connection/syncoid and dropped it into /usr/local/bin and here is the command line tested

typo 'target -bwlimit'
I'm using this and it works fine for me. Merged with latest master and fixed the minor conflict from a new option being added, still no problems.

regarding #513 (comment), socat since version 1.7.4.0 now supports the option "accept-timeout", which makes it also suitable for sanoid/syncoid: http://www.dest-unreach.org/socat/doc/socat.html#OPTION_ACCEPT_TIMEOUT (accept-timeout=), http://www.dest-unreach.org/socat/doc/CHANGES

What else is needed for this to be included in the next release? Or, at least, merged to master?

does this only work local to remote? or am I using it wrong? I'm trying remote to local and it fails like this (the resume interrupted is because I started it via ssh then CTRL-C'd it, but it fails the same on a clean send). BTW here is

@mailinglists35 checking your output, ncat is exiting immediately: and socat retries 10 times with 1 second intervals and gives up.
oh so the $directtimeout is for socat, not for nc? it seems to be used both by nc and socat, though.

oh, sorry, nmap-ncat does not like -l IP:PORT :)

@phreaker0 I see you have $directmbuffer hardcoded, is it usable if I switch it to 1, and how? will that bypass nc?

ok, I modified my local copy of syncoid to understand nmap-ncat, since there is no busybox in EL9 repos...

For reference for people looking, and since I'm not sure where to put it: socat seems for some reason to ignore your ip routes, so if you have, like me, set up a (example: wireguard) gateway on your lan which port-forwards to the target at the other end of the tunnel, you cannot specify the "ip routed ip" but must use the ip of the gateway directly. Example: LAN at source is 168.192.1.1/24, then the commands
Took me a good while to stumble into 😅

Tried using this today and after a bit of head scratching finally got it to work by modifying

Could not get it to work with the arguments like it was producing with "HOST:PORT". This is on Rocky 8, so maybe I have an older/different version of
This implements the desired feature to bypass ssh for sending the replication data and use a plain TCP connection. Added warnings of course that this option should not be used lightly; the parameter option alone should be a big hint to the user :-)
An example use case: Two servers connected via a common network and via a dedicated link.
syncoid --compress=none --insecure-direct-connection=192.168.32.2:4444 local_pool root@backup:remote_pool
192.168.32.2 is the network for the direct link and the target host ip address. So all the unencrypted data is transferred via the dedicated link, which is trusted.
The option can also be used in the case of NATted network topologies by specifying a different listen address:
syncoid --compress=none --insecure-direct-connection=192.168.32.2:4444,10.0.2.4:3333 local_pool root@backup:remote_pool
Why did I use socat and busybox nc? Because it made it possible to keep the implementation really easy and clean.
socat supports connection retrying, which is needed because the listening socket isn't available immediately.
And the busybox netcat implementation is the only one I found which can time out on a listening socket, which is needed to abort if the connection doesn't work (firewall, argument error, ...)
Fixes #371
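The following is an added worked example, not code from syncoid or from this PR. It ties together three points of the thread: the `IP:PORT[,IP:PORT][,TIMEOUT][,mbuffer]` argument is parsed by the shape of each field instead of by position (the ambiguity raised in the review of `$parts[1]`), the receiver command is built the way the description and later comments explain (busybox nc binds the listen address, mbuffer binds everything and uses the address only as a source filter), and a socat listener with `accept-timeout` and `range=` is offered as the restricted variant proposed after socat 1.7.4.0. Function and class names are illustrative; the socat option names (`TCP-LISTEN`, `bind=`, `range=`, `accept-timeout=`, `retry=`, `interval=`) are real, and the busybox nc and mbuffer invocations mirror the ones quoted on the page.

```python
"""Added example (not syncoid's code): unambiguous parsing of the
--insecure-direct-connection argument plus the sender/receiver command lines
discussed in the thread. Names here are illustrative assumptions."""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOSTPORT = re.compile(r"^(?P<host>[^:,\s]+):(?P<port>\d{1,5})$")


@dataclass
class DirectConnection:
    target: str     # HOST:PORT the sender connects to
    listen: str     # HOST:PORT the receiver binds (differs from target behind NAT)
    timeout: int    # seconds the listener waits for the sender before giving up
    mbuffer: bool   # use mbuffer on the receiver instead of busybox nc


def _check_hostport(field: str, what: str) -> str:
    m = HOSTPORT.match(field)
    if not m or not 1 <= int(m.group("port")) <= 65535:
        raise ValueError(f"invalid {what} {field!r}: expected HOST:PORT")
    return field


def parse_direct_connection(arg: str, default_timeout: int = 60) -> DirectConnection:
    """Accept IP:PORT[,IP:PORT][,TIMEOUT][,mbuffer]; after the first field the
    rest are recognised by shape, so '1.2.3.4:4444,120' is a timeout, not a
    listen address. Empty fields are skipped ('IP:PORT,,120' works)."""
    parts = [p.strip() for p in arg.split(",")]
    target = _check_hostport(parts[0], "target address")
    listen: Optional[str] = None
    timeout, mbuffer = default_timeout, False
    for field in parts[1:]:
        if field == "":
            continue
        if field.lower() == "mbuffer":
            mbuffer = True
        elif field.isdigit():
            timeout = int(field)
            if timeout <= 0:
                raise ValueError("timeout must be a positive number of seconds")
        elif ":" in field:
            if listen is not None:
                raise ValueError("listen address given more than once")
            listen = _check_hostport(field, "listen address")
        else:
            raise ValueError(f"unrecognised field {field!r} in {arg!r}")
    return DirectConnection(target, listen or target, timeout, mbuffer)


def is_valid(arg: str) -> bool:
    """Convenience wrapper for command checking: True if the argument parses."""
    try:
        parse_direct_connection(arg)
        return True
    except ValueError:
        return False


def receiver_command(dc: DirectConnection) -> List[str]:
    """Listener as the PR does it. busybox nc binds the given address; mbuffer
    binds every interface and treats the address only as a source filter (the
    behaviour noted in the thread), which is why it is opt-in."""
    if dc.mbuffer:
        return ["mbuffer", "-W", str(dc.timeout), "-I", dc.listen]
    return ["busybox", "nc", "-l", dc.listen, "-w", str(dc.timeout)]


def socat_receiver_command(dc: DirectConnection, sender_ip: str) -> List[str]:
    """Restricted listener proposed in the thread once socat gained
    accept-timeout (1.7.4.0): bind the listen address, time out like nc, and
    let only sender_ip connect instead of accepting from anywhere."""
    host, port = dc.listen.rsplit(":", 1)
    addr = (f"TCP-LISTEN:{port},bind={host},reuseaddr,"
            f"range={sender_ip}/32,accept-timeout={dc.timeout}")
    return ["socat", "-u", addr, "STDOUT"]


def sender_command(dc: DirectConnection, retries: int = 10, interval: int = 1) -> List[str]:
    """Sender side: socat retries because the listener is started over ssh and
    is not up instantly (10 tries at 1 s is what the thread's output shows)."""
    return ["socat", "-u", "STDIN", f"TCP:{dc.target},retry={retries},interval={interval}"]


def pipelines(dc: DirectConnection, snapshot: str, dataset: str,
              sender_ip: Optional[str] = None) -> Tuple[str, str]:
    """Render both ends as shell strings. The data stream is plain TCP and
    unencrypted; only the ssh control channel that starts the listener is."""
    recv = socat_receiver_command(dc, sender_ip) if sender_ip else receiver_command(dc)
    return (
        f"zfs send {shlex.quote(snapshot)} | {shlex.join(sender_command(dc))}",
        f"{shlex.join(recv)} | zfs receive {shlex.quote(dataset)}",
    )


if __name__ == "__main__":
    # Constructed sample matching the NAT example from the PR description.
    dc = parse_direct_connection("192.168.32.2:4444,10.0.2.4:3333,120")
    for line in pipelines(dc, "local_pool@snap", "remote_pool", sender_ip="192.168.32.1"):
        print(line)
```

With `sender_ip` given, the receiver line becomes a socat listener that rejects every peer except the expected sender and still aborts after the timeout; without it the example reproduces the PR's busybox nc (or mbuffer) listener, which accepts the first connection from anywhere.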