Hi Gerri,

   thanks for this contribution. You are right, and this is how I am 
tunneling imapd through ssh when on sites that have everything closed 
except ssh (forgot to look in my tunnel script ;-) ).

Cheers, Fons.


Gerri Ganis wrote:
> 
> Hi,
> 
> I am sorry to enter this discussion only now.
> 
> Perhaps I am missing something, but ssh tunneling to a xrootd data server is
> working since a while both from xrdcp and TXNetFile.
> 
> What you have to do is to set up the channel with the ssh -L option and access
> the remote host as "localhost:<mapped_port>".
> 
> Example:
> 
>    0. I start xrootd at SLAC on 'noric01' and port 1094
> 
>    1. On my client machine at CERN I open the tunnel
> 
>        ssh -2 -f -N -L 3094:noric01.slac.stanford.edu:1094 noric01.slac.stanford.edu
> 
>       This maps the local port 3094 to the port 1094 on the remote host
>       noric01.slac.stanford.edu via a tunnel.
> 
>    2. I start a ROOT session and open the file
> 
>   root[0] f = TFile::Open("root://localhost:3094//afs/slac.stanford.edu/u/br/ganis/rootdata/lwg_his.root")
> 
>   root[1] (class TFile*)0x8a92098
> 
> 
>    3. Or I copy the file via xrdcp
> 
>    > xrdcp root://localhost:3094//afs/slac.stanford.edu/u/br/ganis/rootdata/lwg_his.root /tmp
> 
> About performances: I haven't made detailed studies, but for copying
> SLAC to CERN the xrdcp progress bar shows a rate degradation of about
> 25-30% when going via the tunnel.
> 
> Of course, as already mentioned, this does not work in case of
> redirection. In that case one should probably use - as it has also been
> mentioned already - a xrootd in proxy mode, but I never tried by myself.
> Perhaps Andy could help in setting this up.
> 
> Gerri
> 
> 
> 
> Jean-Yves Nief wrote:
> 
>> Adye, TJ (Tim) wrote:
>>
>>> Hi Fabrizio,
>>>
>>> Yes, this is very interesting. We have been investigating the use of the
>>> xrootd proxy as another way to access data remotely from SLAC. Using ssh
>>> seems to have the advantage of not requiring any extra infrastructure,
>>> but only works for xrdcp (at the moment) and requires specific user
>>> setup. Anything else? Have you made any performance comparisons?
>>>   
>>
>> in the ROOT framework, the people who were using the ssh tunnel from 
>> their site made some performance tests compared to local access to 
>> the file (local disk): there was a factor of 2, but of course that 
>> includes not only the tunnelling but also the fact that the access was 
>> made from a distant site. It was considered to be satisfactory for the 
>> kind of applications they were meant to run from a distant site (most 
>> of their processing is made directly from the Lyon batch farm).
>> JY
>>
>>> Thanks,
>>> Tim.
>>>
>>>  
>>>
>>>> -----Original Message-----
>>>> From: [log in to unmask] On Behalf Of Fabrizio Furano
>>>> Sent: 30 October 2006 14:54
>>>> To: Jean-Yves Nief; Brew, CAJ (Chris)
>>>> Cc: Xrootd Mailing List; Andrew Hanushevsky; Peter Elmer
>>>> Subject: Ssh tunnels for XrdClient
>>>>
>>>> Hi JY and Chris,
>>>>
>>>>   I remember that, at some point (if I remember correctly) you have 
>>>> been interested in the possibility of communicating with an xrootd 
>>>> server through ssh tunnels. Since this was one of the latest 
>>>> commits, if you want to give a try to it, it's there (in the head).
>>>>   Basically it's an implementation of the SOCKS4 protocol in 
>>>> XrdClient. What follows is an example of how to use it.
>>>>
>>>> I suppose that I want to access the file
>>>>
>>>> root://kanolb-a.slac.stanford.edu//store/SP/R14/000993/run4/14.4.0c/SP_000993_002423.02E.root
>>>>
>>>> into my laptop in Padova. We know that the kanga cluster at slac is 
>>>> not accessible from outside (at least not from here). Here is a 
>>>> trivial example of how to do it using a SOCKS4 ssh tunnel and xrdcp.
>>>>
>>>> Step 1: Tunnel localhost-->noric02 mapping the local port 8080 
>>>> through SOCKS4
>>>>
>>>> fabrizio@dhcp-61 15:20:32 ~>ssh -D 8080 [log in to unmask]
>>>>
>>>> Step 2: in another window...
>>>>
>>>> fabrizio@dhcp-61>xrdcp -d 2 -DISocks4Port 8080 -DSSocks4Server 127.0.0.1 root://kanolb-a.slac.stanford.edu//store/SP/R14/000993/run4/14.4.0c/SP_000993_002423.02E.root   ~fabrizio/
>>>>
>>>> and the copy should be ok.
>>>> ... if you want to shut it up, remove the "-d 2" parameter.
>>>> Well, from Europe you will note that the data xfer rate is very low. 
>>>> This will hopefully change in December, when we finish implementing 
>>>> the multistream stuff.
>>>>
>>>> Please note that the parameter Socks4Server does not understand 
>>>> names yet, but IP addresses only.
>>>> Another thing that made me crazy. Typically the ssh-tunnelled port 
>>>> (8080 in the example) is only available from localhost. To override 
>>>> this and make it visible also from other hosts, you have to use the 
>>>> "-g" switch (for older ssh) or specify */8080 (in the more recent 
>>>> releases of ssh).
>>>>
>>>> Any comment?
>>>> Fabrizio
>>>>
>>>>
>>>>     
>>>
>>
>>
> 

-- 
Org:    CERN, European Laboratory for Particle Physics.
Mail:   1211 Geneve 23, Switzerland
E-Mail: [log in to unmask]              Phone: +41 22 7679248
WWW:    http://fons.rademakers.org           Fax:   +41 22 7669640
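
The SOCKS4 CONNECT exchange behind the `ssh -D 8080` setup quoted above, as an added example that is not part of the original thread and not XrdClient's code: it builds the request a client sends to the local ssh listener and decodes the 8-byte reply. The destination 192.0.2.10, the user id and all function names are constructed for illustration; 1094 is the xrootd port mentioned in the thread.

```python
import ipaddress
import socket
import struct

REPLY_CODES = {
    90: "request granted",
    91: "request rejected or failed",
    92: "rejected: proxy cannot reach identd on the client",
    93: "rejected: identd reports a different user id",
}

def build_connect_request(dst_ip, dst_port, user_id=b""):
    """Encode VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, USERID, NUL."""
    addr = ipaddress.IPv4Address(dst_ip)  # plain SOCKS4 carries IPv4 only
    if not 0 < dst_port < 65536:
        raise ValueError("port out of range")
    if b"\x00" in user_id:
        raise ValueError("USERID must not contain NUL")
    head = struct.pack("!BBH4s", 4, 1, dst_port, addr.packed)
    return head + user_id + b"\x00"

def parse_reply(data):
    """Decode the 8-byte reply (VN=0, CD, port, ip) -> (granted, reason)."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, _port, _ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError("not a SOCKS4 reply (VN=%d)" % vn)
    return cd == 90, REPLY_CODES.get(cd, "unknown reply code %d" % cd)

def socks4_connect(proxy, dst_ip, dst_port, timeout=10.0):
    """Open a stream to dst through the SOCKS4 listener at proxy=(host, port)."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_connect_request(dst_ip, dst_port))
        reply = b""
        while len(reply) < 8:
            chunk = sock.recv(8 - len(reply))
            if not chunk:
                break
            reply += chunk
        granted, reason = parse_reply(reply)
        if not granted:
            raise ConnectionError(reason)
        return sock  # caller now speaks the xrootd protocol over this socket
    except Exception:
        sock.close()
        raise
```

With a tunnel open as in the quoted Step 1, `socks4_connect(("127.0.0.1", 8080), "192.0.2.10", 1094)` would return a connected socket or raise with the proxy's rejection reason.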