Hi Tim,

Adye, TJ (Tim) wrote:
> Hi Fabrizio,
> Yes, this is very interesting. We have been investigating the use of the
> xrootd proxy as another way to access data remotely from SLAC. Using ssh
> seems to have the advantage of not requiring any extra infrastructure,
> but only works for xrdcp (at the moment) and requires specific user
> setup. Anything else? Have you made any performance comparisons?

  Well, the only setup which is needed is to specify the value of two 
variables in the env of XrdClient (not the shell's one!) , which can be 
done via command line. The tunnel itself can be established by another 
user, and one should be sufficient for many connections.
  I am making performance comparisons right now, as well as debugging 
under high load.


> Thanks,
> Tim.
>> -----Original Message-----
>> From: [log in to unmask] On Behalf Of 
>> Fabrizio Furano
>> Sent: 30 October 2006 14:54
>> To: Jean-Yves Nief; Brew, CAJ (Chris)
>> Cc: Xrootd Mailing List; Andrew Hanushevsky; Peter Elmer
>> Subject: Ssh tunnels for XrdClient
>> Hi JY and Chris,
>>   I remember that, at some point (if I remember correctly) 
>> you have been 
>> interested in the possibility of communicating with an xrootd server 
>> through ssh tunnels. Since this was one of the latest commits, if you 
>> want to give a try to it, it's there (in the head).
>>   Basically it's an implementation of the SOCKS4 protocol in 
>> XrdClient. 
>> What follows is an example of how to use it.
>> I suppose that I want to access the file
>> root://
>> .4.0c/SP_000993_002423.02E.root
>> into my laptop in Padova. We know that the kanga cluster at 
>> slac is not 
>> accessible from outside (at least not from here). Here is a trivial 
>> example of how to do it using a SOCKS4 ssh tunnel and xrdcp.
>> Step 1: Tunnel localhost-->noric02 mapping the local port 
>> 8080 through 
>> fabrizio@dhcp-61 15:20:32 ~>ssh -D 8080 
>> [log in to unmask]
>> Step 2: in another window...
>> fabrizio@dhcp-61>xrdcp -d 2 -DISocks4Port 8080 
>> -DSSocks4Server 
>> root://
>> .4.0c/SP_000993_002423.02E.root 
>>   ~fabrizio/
>> and the copy should be ok.
>> ... if you want to shut it up, remove the "-d 2" parameter.
>> Well, from Europe you will note that the data xfer rate is very low. 
>> This will hopefully change in December, when we finish 
>> implementing the 
>> multistream stuff.
>> Please note that the parameter Socks4Server does not understand names 
>> yet, but IP addresses only.
>> Another thing that made me crazy. Typically the ssh-tunnelled 
>> port (8080 
>> in the example) is only available from localhost. To override 
>> this and 
>> make it visible also from other hosts, you have to use the 
>> "-g" switch 
>> (for older ssh) or specify */8080 (in the more recent 
>> releases of ssh).
>> Any comment?
>> Fabrizio