From: Daniel Veillard
Subject: Re: Re: [RFC][PATCH] Secure XML-RPC for Xend
Date: Fri, 9 Jun 2006 11:45:46 -0400
Message-ID: <20060609154546.GK31509@redhat.com>
References: <4488D93D.7070303@us.ibm.com> <20060609083434.GA19035@fork.recoil.org> <20060609084147.GH31509@redhat.com> <20060609085443.GA28541@fork.recoil.org>
Reply-To: veillard@redhat.com
To: Anthony Liguori
Cc: xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

On Fri, Jun 09, 2006 at 09:57:24AM -0500, Anthony Liguori wrote:
> On Fri, 09 Jun 2006 09:54:44 +0100, Anil Madhavapeddy wrote:
>
> > On Fri, Jun 09, 2006 at 04:41:48AM -0400, Daniel Veillard wrote:
> >>
> >> SSH authentication is really expensive especially when you compare to
> >> other cost in the XML-RPC. I would really like some persistency
> >> of the connection if possible, especially for operations like monitoring,
> >> it's okay to reopen from time to time, but without reuse it would just not
> >> work.
> >
> > Yes, but the right place to do it is not in Xend. The auth caching
> > can be set up outside of Xend much more robustly depending on your
> > version of OpenSSH. If done in Xend, then it definitely needs to
> > use the wildcard support in ControlPath to avoid the authentication
> > race condition, and an OpenSSH version check.
>
> I think Daniel is suggesting that we use HTTP Keep-Alive which I also
> think is a really good idea. I think this will come in handy regardless
> of whether we use SSH.

Activating Keep-Alive would be a really good idea in any case, local or remote,
direct auth or tunnelling!
IIRC the main question was about activating it at the Python level, that's
something we discussed on IRC but never formally I guess :-)

> This makes my patch a lot nicer though. I just would make sure the
> client uses Keep-Alive and then you get the same 1-time auth without
> any of the SSH trickery.

Is that just client side?

> I'm investigating this right now. I seem to recall the HTTP server in
> python providing support for Keep-Alive...

Okay, maybe I'm off base :-)

>
> > As Ian says, stunnel/SSL is probably easier from the client's point
> > of view (although I do like the easier SSH key management this patch
> > allows).
>
> There doesn't have to be one solution. The only real code that's needed
> here is xm serve which is not more than 100 lines. The client code is
> more of an example. I see no reason why we couldn't support all of these
> protocols (httpu, http, https, ssh).

Agreed, those are layered features, they should not have to conflict.

Daniel

-- 
Daniel Veillard      | Red Hat http://redhat.com/
veillard@redhat.com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
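The Keep-Alive point discussed in this thread (one authenticated connection carrying many XML-RPC calls instead of one connection per call), shown as an added example that is not part of the thread or of Xend's code: a stock Python xmlrpc server and client on loopback, where the server counts the TCP connections it accepts while the handler speaks HTTP/1.0 versus HTTP/1.1. `CountingServer` and `run_calls` are names chosen for this example; the "double" function and the five calls are constructed input.

```python
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer


class CountingServer(SimpleXMLRPCServer):
    """XML-RPC server that counts accepted TCP connections (example-only)."""
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.connections = 0

    def get_request(self):
        # Runs once per accept() in the server thread; read after shutdown().
        sock, addr = super().get_request()
        self.connections += 1
        return sock, addr


def run_calls(protocol_version, n_calls=5):
    """Serve on a loopback port with the given HTTP version, make n_calls
    XML-RPC calls through one proxy, and return (results, TCP connections)."""
    # The stdlib handler defaults to "HTTP/1.0" and closes the socket after
    # every response; with "HTTP/1.1" it keeps the connection open, so the
    # proxy's next POST reuses it. Nothing else about the server changes.
    handler = type("Handler", (SimpleXMLRPCRequestHandler,),
                   {"protocol_version": protocol_version})
    server = CountingServer(("127.0.0.1", 0), requestHandler=handler,
                            logRequests=False)
    server.register_function(lambda x: x * 2, "double")
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    proxy = xmlrpc.client.ServerProxy("http://127.0.0.1:%d/" % port)
    try:
        # One ServerProxy holds one HTTPConnection; whether that maps to one
        # TCP connection or n_calls of them is decided by the server.
        results = [proxy.double(i) for i in range(n_calls)]
    finally:
        # Close the client first: a keep-alive handler sits in readline()
        # waiting for the next request, and shutdown() waits for it to end.
        proxy("close")()
        server.shutdown()
        server.server_close()
    return results, server.connections


if __name__ == "__main__":
    for version in ("HTTP/1.0", "HTTP/1.1"):
        _, conns = run_calls(version)
        print("%s: 5 calls used %d TCP connection(s)" % (version, conns))
```

The same single-connection behaviour is what makes a one-time authentication (SSH tunnel or TLS handshake) at connection setup pay for a whole monitoring session instead of every call.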