Hi Gerri,

thanks for this contribution. You are right, and this is how I am tunneling imapd through ssh when on sites that have everything closed except ssh (forgot to look in my tunnel script ;-) ).

Cheers, Fons.

Gerri Ganis wrote:
>
> Hi,
>
> I am sorry to enter this discussion only now.
>
> Perhaps I am missing something, but ssh tunneling to a xrootd data server is
> working since a while both from xrdcp and TXNetFile.
>
> What you have to do is to setup the channel with the ssh -L option and access
> the remote host as "localhost:<mapped_port>".
>
> Example:
>
> 0. I start xrootd at SLAC on 'noric01' and port 1094
>
> 1. On my client machine at CERN I open the tunnel
>
>      ssh -2 -f -N -L 3094:noric01.slac.stanford.edu:1094 noric01.slac.stanford.edu
>
>    This maps the local port 3094 to the port 1094 on the remote host
>    noric01.slac.stanford.edu via a tunnel.
>
> 2. I start a ROOT session and open the file
>
>      root[0] f = TFile::Open("root://localhost:3094//afs/slac.stanford.edu/u/br/ganis/rootdata/lwg_his.root")
>      root[1] (class TFile*)0x8a92098
>
> 3. Or I copy the file via xrdcp
>
>      xrdcp root://localhost:3094//afs/slac.stanford.edu/u/br/ganis/rootdata/lwg_his.root /tmp
>
> About performances: I haven't made detailed studies, but for copying SLAC to
> CERN the xrdcp progress bar shows a rate degradation of about 25-30% when
> going via the tunnel.
>
> Of course, as already mentioned, this does not work in case of redirection.
> In that case one should probably use - as it has also been mentioned
> already- a xrootd in proxy mode, but I never tried by myself. Perhaps Andy
> could help in setting this up.
>
> Gerri
>
> Jean-Yves Nief wrote:
>
>> Adye, TJ (Tim) wrote:
>>
>>> Hi Fabrizio,
>>>
>>> Yes, this is very interesting. We have been investigating the use of the
>>> xrootd proxy as another way to access data remotely from SLAC. Using ssh
>>> seems to have the advantage of not requiring any extra infrastructure,
>>> but only works for xrdcp (at the moment) and requires specific user
>>> setup. Anything else? Have you made any performance comparisons?
>>>
>>
>> in the ROOT framework, the people who were using the ssh tunnel from
>> their site made some performances tests compared to local access to
>> the file (local disk): there was a factor of 2, but of course that
>> includes not only the tunnelling but also the fact that the access was
>> made from a distant site. It was considered to be satisfactory for the
>> kind of applications they were meant to run from a distant site (most
>> of their processing is made directly from the Lyon batch farm).
>> JY
>>
>>> Thanks,
>>> Tim.
>>>
>>>> -----Original Message-----
>>>> From: [log in to unmask] On Behalf Of Fabrizio Furano
>>>> Sent: 30 October 2006 14:54
>>>> To: Jean-Yves Nief; Brew, CAJ (Chris)
>>>> Cc: Xrootd Mailing List; Andrew Hanushevsky; Peter Elmer
>>>> Subject: Ssh tunnels for XrdClient
>>>>
>>>> Hi JY and Chris,
>>>>
>>>> I remember that, at some point (if I remember correctly) you have
>>>> been interested in the possibility of communicating with an xrootd
>>>> server through ssh tunnels. Since this was one of the latest
>>>> commits, if you want to give a try to it, it's there (in the head).
>>>> Basically it's an implementation of the SOCKS4 protocol in
>>>> XrdClient. What follows is an example of how to use it.
>>>>
>>>> I suppose that I want to access the file
>>>>
>>>> root://kanolb-a.slac.stanford.edu//store/SP/R14/000993/run4/14.4.0c/SP_000993_002423.02E.root
>>>>
>>>> into my laptop in Padova. We know that the kanga cluster at slac is
>>>> not accessible from outside (at least not from here). Here is a
>>>> trivial example of how to do it using a SOCKS4 ssh tunnel and xrdcp.
>>>>
>>>> Step 1: Tunnel localhost-->noric02 mapping the local port 8080
>>>> through SOCKS4
>>>>
>>>>   fabrizio@dhcp-61 15:20:32 ~>ssh -D 8080 [log in to unmask]
>>>>
>>>> Step 2: in another window...
>>>>
>>>>   fabrizio@dhcp-61>xrdcp -d 2 -DISocks4Port 8080 -DSSocks4Server 127.0.0.1 root://kanolb-a.slac.stanford.edu//store/SP/R14/000993/run4/14.4.0c/SP_000993_002423.02E.root ~fabrizio/
>>>>
>>>> and the copy should be ok.
>>>> ... if you want to shut it up, remove the "-d 2" parameter.
>>>> Well, from Europe you will note that the data xfer rate is very low.
>>>> This will hopefully change in December, when we finish implementing
>>>> the multistream stuff.
>>>>
>>>> Please note that the parameter Socks4Server does not understand
>>>> names yet, but IP addresses only.
>>>> Another thing that made me crazy. Typically the ssh-tunnelled port
>>>> (8080 in the example) is only available from localhost. To override
>>>> this and make it visible also from other hosts, you have to use the
>>>> "-g" switch (for older ssh) or specify */8080 (in the more recent
>>>> releases of ssh).
>>>>
>>>> Any comment?
>>>> Fabrizio
>>>>

--
Org:    CERN, European Laboratory for Particle Physics.
Mail:   1211 Geneve 23, Switzerland
E-Mail: [log in to unmask]
Phone:  +41 22 7679248
WWW:    http://fons.rademakers.org
Fax:    +41 22 7669640
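
Added example, not part of the thread and not XrdClient's code: the SOCKS4 CONNECT exchange that a client performs against the local port opened by `ssh -D`, with both sides' messages built and parsed. The function names, the destination 192.0.2.10 and the user id are constructed for illustration, and a socketpair stands in for the connection to the tunnel port.

```python
import ipaddress
import socket
import struct

# CD values a SOCKS4 proxy returns in its 8-byte reply.
REPLIES = {90: "request granted", 91: "request rejected or failed",
           92: "rejected: proxy cannot reach identd on the client",
           93: "rejected: identd reports a different user id"}

def build_connect_request(dst_ip, dst_port, user_id=b""):
    """Client -> proxy: VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, USERID, NUL."""
    addr = ipaddress.IPv4Address(dst_ip)  # ValueError on a hostname: SOCKS4 carries IPv4 only
    if not 0 < dst_port < 65536:
        raise ValueError("destination port out of range")
    if b"\x00" in user_id:
        raise ValueError("user id must not contain NUL")
    return struct.pack(">BBH4s", 4, 1, dst_port, addr.packed) + user_id + b"\x00"

def parse_connect_request(data):
    """Proxy side: decode the request into (dst_ip, dst_port, user_id)."""
    if len(data) < 9 or data[-1] != 0:
        raise ValueError("truncated or unterminated SOCKS4 request")
    vn, cd, port, raw = struct.unpack(">BBH4s", data[:8])
    if (vn, cd) != (4, 1):
        raise ValueError("not a SOCKS4 CONNECT request")
    return str(ipaddress.IPv4Address(raw)), port, data[8:-1]

def parse_reply(data):
    """Proxy -> client: VN=0, CD=status, then 6 bytes the client ignores."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    return data[1] == 90, REPLIES.get(data[1], "unknown reply code")

def demo_exchange():
    """Run both sides over a socketpair standing in for the local tunnel port."""
    client, proxy = socket.socketpair()
    with client, proxy:
        # Constructed sample: TEST-NET address, xrootd port 1094, made-up user id.
        client.sendall(build_connect_request("192.0.2.10", 1094, b"demo"))
        dst_ip, dst_port, _user = parse_connect_request(proxy.recv(64))
        proxy.sendall(struct.pack(">BBH4s", 0, 90, 0, bytes(4)))
        granted, _reason = parse_reply(client.recv(8))
    return dst_ip, dst_port, granted

if __name__ == "__main__":
    print(demo_exchange())
```

The request carries no credential beyond the free-form user id, so anything able to reach the listening port can ask the proxy to connect onward.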