[opensuse-buildservice] Using osc behind a ssh tunnel
Hi there,

Is there a way to use osc through a ssh tunnel? The problem is that my university's proxy configuration is causing all kinds of problems (osc connections hang up), and one way to avoid the proxy is to use a ssh tunnel to one of the university's machines with direct access to the internet. Basically, I would need to tell osc to connect to localhost at a certain port, which would be redirected to api.opensuse.org:443 through the ssh tunnel. In the $HOME/.oscrc, there is a comment about changing api.opensuse.org to a different server, but without enough details to make it work?

thanks,

David

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On Monday 02 April 2007 06:16:09 wrote David Cournapeau:
Hi there,
Is there a way to use osc through a ssh tunnel ? The problem is that my university's proxy configuration is causing all kind of problems (osc connections hang up), and one way to avoid the proxy is to use a ssh tunnel to one of the university's machine with direct access to the internet. Basically, I would need to tell osc to connect to localhost at a certain port, which would be redirected to api.opensuse.org:443 through the ssh tunnel. In the $HOME/.oscrc, there is a comment about changing api.opensuse.org to a different server, but without enough details to make it work ?
Well, the api uses an https interface, but no ssh protocol.

However, when you have no stable https connections to the outside the problem is a bit bigger imho. I would debug why this is and if either you can fix your network or we need to add something to handle some obscure secure network setups better ...

If https does not work, also browsing a number of web pages will not work for you, so I doubt this is really wanted.

bye
adrian

--
Adrian Schroeter
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
email: adrian@suse.de
Adrian Schröter wrote:
On Monday 02 April 2007 06:16:09 wrote David Cournapeau:
Hi there,
Is there a way to use osc through a ssh tunnel ? The problem is that my university's proxy configuration is causing all kind of problems (osc connections hang up), and one way to avoid the proxy is to use a ssh tunnel to one of the university's machine with direct access to the internet. Basically, I would need to tell osc to connect to localhost at a certain port, which would be redirected to api.opensuse.org:443 through the ssh tunnel. In the $HOME/.oscrc, there is a comment about changing api.opensuse.org to a different server, but without enough details to make it work ?
Well, the api uses an https interface, but no ssh protocol.

The network configuration in my lab is a bit unusual: there is no DNS server, all connections are done through a proxy server. This is sometimes a pain, but has the nice side effect to trigger hidden bugs :) I already had some similar problems with bzr.

Normally, what I do is to create a ssh tunnel to the machine which has direct (eg no proxy) access to the internet. For example, with subversion, I do something like

    ssh -NL 8888:svn.sourceforge.org:80 ssh_server

and after that, I do things like svn ls http://localhost:8888. If I could do that with osc, this would avoid the proxy problem.
However, when you have no stable https connections to the outside the problem is a bit bigger imho. I would debug why this is and if either you can fix your network or we need to add something to handle some obscur secure network setups better ...
I looked a bit to see if I could solve the problem by myself: it looks like connections in osc are done with the urllib2 package, and there are some problems when using https proxy:

http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/456195

I know next to nothing about http/https protocols, so I am pretty stuck there. The basic problem is: I have in my environment the https_proxy set to my https proxy, and if I try for example

    osc co home:<login>

Then, it got stuck, doing nothing. If I cancel it with Ctrl+C, I get the following backtrace:

    Traceback (most recent call last):
      File "../osc/osc-wrapper.py", line 7, in ?
        commandline.main()
      File "/usr/media/src/src/opensuse-bld/osc/osc/commandline.py", line 1080, in main
        cmd(args)
      File "/usr/media/src/src/opensuse-bld/osc/osc/commandline.py", line 354, in checkout
        for package in meta_get_packagelist(project):
      File "/usr/media/src/src/opensuse-bld/osc/osc/core.py", line 721, in meta_get_packagelist
        f = urlopen(u)
      File "/usr/media/src/src/opensuse-bld/osc/osc/core.py", line 657, in urlopen
        fd = urllib2.urlopen(url, data=data)
      File "/usr/lib/python2.4/urllib2.py", line 130, in urlopen
        return _opener.open(url, data)
      File "/usr/lib/python2.4/urllib2.py", line 364, in open
        response = meth(req, response)
      File "/usr/lib/python2.4/urllib2.py", line 471, in http_response
        response = self.parent.error(
      File "/usr/lib/python2.4/urllib2.py", line 396, in error
        result = self._call_chain(*args)
      File "/usr/lib/python2.4/urllib2.py", line 337, in _call_chain
        result = func(*args)
      File "/usr/lib/python2.4/urllib2.py", line 554, in http_error_302
        return self.parent.open(new)
      File "/usr/lib/python2.4/urllib2.py", line 358, in open
        response = self._open(req, data)
      File "/usr/lib/python2.4/urllib2.py", line 376, in _open
        '_open', req)
      File "/usr/lib/python2.4/urllib2.py", line 337, in _call_chain
        result = func(*args)
      File "/usr/lib/python2.4/urllib2.py", line 1029, in https_open
        return self.do_open(httplib.HTTPSConnection, req)
      File "/usr/lib/python2.4/urllib2.py", line 993, in do_open
        h.request(req.get_method(), req.get_selector(), req.data, headers)
      File "/usr/lib/python2.4/httplib.py", line 804, in request
        self._send_request(method, url, body, headers)
      File "/usr/lib/python2.4/httplib.py", line 827, in _send_request
        self.endheaders()
      File "/usr/lib/python2.4/httplib.py", line 798, in endheaders
        self._send_output()
      File "/usr/lib/python2.4/httplib.py", line 679, in _send_output
        self.send(msg)
      File "/usr/lib/python2.4/httplib.py", line 646, in send
        self.connect()
      File "/usr/lib/python2.4/httplib.py", line 1073, in connect
        ssl = socket.ssl(sock, self.key_file, self.cert_file)
      File "/usr/lib/python2.4/socket.py", line 74, in ssl
        return _realssl(sock, keyfile, certfile)
    KeyboardInterrupt

If anyone is willing to work on this bug, I can help testing it (I am already working with SVN version of osc),

cheers,

David
Hi David,
Normally, what I do is to create a ssh tunnel to the machine which has direct (eg no proxy) access to the internet. For example, with subversion, I do something like
ssh -NL 8888:svn.sourceforge.org:80 ssh_server
and after that, I do things like svn ls http://localhost:8888. If I could do that with osc, this would avoid the proxy problem.
But you can do something like this, if you have any host outside of your network reachable via ssh, that can reach api.opensuse.org:

    ssh -L 9999:api.opensuse.org:443 your.outside.ssh.host

Then you can tell osc to use https://localhost:9999

--
David Mayr, http://davey.de
openSUSE LINUX, http://opensuse.de
On Monday, 2. April 2007 06:16, David Cournapeau wrote:
Hi there,
Hi,
Is there a way to use osc through a ssh tunnel ? The problem is that my university's proxy configuration is causing all kind of problems (osc connections hang up), and one way to avoid the proxy is to use a ssh tunnel to one of the university's machine with direct access to the internet. Basically, I would need to tell osc to connect to localhost at a certain port, which would be redirected to api.opensuse.org:443 through the ssh tunnel. In the $HOME/.oscrc, there is a comment about changing api.opensuse.org to a different server, but without enough details to make it work ?
To use another apiserver, you have to add another section in .oscrc similar to the api.opensuse.org section:

    [localhost:8888]
    user = youruser
    pass = yourpass

then you can change the apisrv setting to

    apisrv = localhost:8888

However, I tried it, and didn't get it to work. The only thing I got as response from the server was an opening bracket, no matter what request I sent. Maybe it's a problem with ichain. OTOH, I have zero clue about ssh tunnels, so I could be doing something wrong what is obvious to someone more experienced. So please try it.

Andreas
thanks,
David
-- Andreas Bauer - Novell - SUSE Internal Tools
Hi David,

On Monday, 2 April 2007 16:42, Andreas Bauer wrote:
On Monday, 2. April 2007 06:16, David Cournapeau wrote:
Is there a way to use osc through a ssh tunnel ? The problem is that my university's proxy configuration is causing all kind of problems (osc connections hang up), and one way to avoid the proxy is to use a ssh tunnel to one of the university's machine with direct access to the internet. Basically, I would need to tell osc to connect to localhost at a certain port, which would be redirected to api.opensuse.org:443 through the ssh tunnel. In the $HOME/.oscrc, there is a comment about changing api.opensuse.org to a different server, but without enough details to make it work ?
To use another apiserver, you have to add another section in .oscrc similar to the api.opensuse.org section: [localhost:8888] user = youruser pass = yourpass
then you can change the apisrv setting to apisrv = localhost:8888
However, I tried it, and didn't get it to work. The only thing I got as response from the server was an opening bracket, no matter what request I sent. Maybe it's a problem with ichain. OTOH, I have zero clue about ssh tunnels, so I could be doing something wrong what is obvious to someone more experienced. So please try it.
OK, I got it to work:

First, you need to start your ssh tunnel. You need to have a host (here 'ssh.reachable.host') outside your network, that can connect to api.opensuse.org:443 without limitations:

    ssh -L 9999:api.opensuse.org:443 ssh.reachable.host

Then edit your /etc/hosts to have a line like the following - this is important because 1. the ssl certificate needs to be accepted by osc (hostname must be the same as in the certificate) and 2. the api-webserver needs to be called by its real name (to choose the right vhost). Also remember to revert this step if you would like to connect to api.opensuse.org the normal way (without the ssh tunnel) again:

    127.0.0.1 localhost api.opensuse.org

After that, edit your ~/.oscrc like this:

    apisrv = api.opensuse.org:9999

    [api.opensuse.org:9999]
    user = yourusername
    pass = yourpassword

Then osc should work even in your 'buggy' network :-)

Have a lot of fun...

--
David Mayr, http://davey.de
openSUSE LINUX, http://opensuse.de
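The two requirements named in the message above (the certificate must match the name the client uses, and the web server must be addressed by its real name) can be checked against a running tunnel without editing /etc/hosts. The following Python code is an added example, not part of the original thread or of osc; `tunnel_context` and `probe_tunnel` are hypothetical names, and it assumes the tunnel from the message is listening on 127.0.0.1:9999.

```python
import socket
import ssl

def tunnel_context():
    """Client TLS context with CA verification and hostname checking."""
    ctx = ssl.create_default_context()
    # create_default_context() already sets both; stated explicitly
    # because the whole check depends on them.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def probe_tunnel(local_port, api_name="api.opensuse.org",
                 local_addr="127.0.0.1", timeout=5.0):
    """Connect to the tunnel's local end, but verify the certificate and
    address the vhost as api_name. Returns a dict describing the outcome."""
    result = {"ok": False, "stage": "tcp", "detail": ""}
    try:
        raw = socket.create_connection((local_addr, local_port), timeout)
    except OSError as exc:
        result["detail"] = "tunnel not listening: %s" % exc
        return result
    try:
        result["stage"] = "tls"
        # server_hostname drives SNI and certificate name matching,
        # independently of the address actually connected to.
        with tunnel_context().wrap_socket(raw, server_hostname=api_name) as tls:
            result["stage"] = "http"
            # The Host header selects the vhost on the far side.
            request = ("HEAD / HTTP/1.1\r\nHost: %s\r\n"
                       "Connection: close\r\n\r\n" % api_name)
            tls.sendall(request.encode("ascii"))
            status = tls.recv(4096).split(b"\r\n", 1)[0]
            result.update(ok=status.startswith(b"HTTP/"),
                          detail=status.decode("latin-1"))
    except ssl.SSLCertVerificationError as exc:
        result["detail"] = "certificate rejected: %s" % exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        result["detail"] = "handshake or I/O failed: %s" % exc
    finally:
        raw.close()
    return result

if __name__ == "__main__":
    # Port 9999 is the local tunnel port used in the message above.
    print(probe_tunnel(9999))
```

Because the certificate is still checked against api.opensuse.org, the probe fails closed if the far end of the tunnel reaches any other server.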
David Mayr wrote:
OK, I got it work:
First, you need to start your ssh tunnel. You need to have a host (here 'ssh.reachable.host') outside your network, that can connect to api.opensuse.org:443 without limitations:
ssh -L 9999:api.opensuse.org:443 ssh.reachable.host
Then edit your /etc/hosts to have a line like the following - this is important because 1. the ssl certificate needs to be accepted by osc (hostname must be the same as in the certificate) and 2. the api-webserver needs to be called by it's real name (to choose the right vhost). Also remember to revert this step if you would like to connect to api.opensuse.org the normal way (without the ssh tunnel) again:
127.0.0.1 localhost api.opensuse.org
After that, edit your ~/.oscrc like this:
    apisrv = api.opensuse.org:9999

    [api.opensuse.org:9999]
    user = yourusername
    pass = yourpassword
Then osc should work even in your 'buggy' network :-) Have a lot of fun...
Thanks, I managed to make a connection this way from a vmware image. May I suggest to make a note about the constraint to have the same DNS in the config file? Because I don't think the current comment is really helpful.

Is there a chance that "normal" access through a https proxy will be worked out?

Anyway, thanks for the quick reply!

David
participants (4)
- Adrian Schröter
- Andreas Bauer
- David Cournapeau
- David Mayr