WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

Re: [Xen-devel] [PATCH] add ssl/tls support to relocation

After further investigation, I find that I didn't get relocation using
ssl/tls: the read/write to the pyOpenSSL socket.fileno() will communicate
without data encrypted.

I have add a wrapper to the read/write with the following patch.

This patch also makes pyOpenSSL an optional package.

Note on changing:
    raise XendError("can't connect: %s" % err[1])
to:
    raise XendError("can't connect: %s" % err)
in tools/python/xen/xend/XendDomain.py: 
it will avoid the following error:

[2008-05-08 14:17:28 2678] ERROR (xmlrpclib2:178) Internal error handling
xend.domain.migrate
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/xen/util/xmlrpclib2.py", line 131, in
_marshaled_dispatch
    response = self._dispatch(method, params)
  File "/usr/lib/python2.4/SimpleXMLRPCServer.py", line 406, in _dispatch
    return func(*params)
  File "/usr/lib/python2.4/site-packages/xen/xend/XendDomain.py", line 1335,
in domain_migrate
    raise XendError("can't connect: %s" % err[1])
IndexError: tuple index out of range

Implement reference: 
http://twistedmatrix.com/trac/browser/trunk/twisted/internet/tcp.py

Sorry for the careless.

thanks,

zhigang

Carb, Brian A wrote:
> This works on SLES10SP1 if we download a compatible python openssl rpm
> (python-openssl-0.6-17.x86_64.rpm) from opensuse.
> 
> brian carb
> unisys corporation - malvern, pa
> 
> -----Original Message-----
> From: Zhigang Wang [mailto:zhigang.x.wang@xxxxxxxxxx] 
> Sent: Friday, May 02, 2008 2:11 PM
> To: Carb, Brian A
> Cc: xen-devel
> Subject: Re: [Xen-devel] [PATCH] add ssl/tls support to relocation
> 
> Yes. I add a dependency.
> 
> maybe we can separate SSLTCPListener to a new file like (tcp-ssl.py),
> and import it when needed, just like
> tools/python/xen/xend/server/SSLXMLRPCServer.py did.
> 
> will try it later, or you can help.
> 
> thanks,
> 
> zhigang
> 
> Carb, Brian A wrote:
>> With this patch included, xend start errors: 
>>
>> # xend start
>> Traceback (most recent call last):
>>   File "/usr/sbin/xend", line 44, in ?
>>     from xen.xend.server import SrvDaemon
>>   File
>> "/home/unisys/xen-unstable.hg/dist/install/usr/lib64/python/xen/xend/s
>> er
>> ver/SrvDaemon.py", line 26, in ?
>>     import relocate
>>   File
>> "/home/unisys/xen-unstable.hg/dist/install/usr/lib64/python/xen/xend/s
>> er
>> ver/relocate.py", line 23, in ?
>>     from xen.web import protocol, tcp, unix
>>   File
>>
> "/home/unisys/xen-unstable.hg/dist/install/usr/lib64/python/xen/web/tcp.
>> py", line 25, in ?
>>     from OpenSSL import SSL
>> ImportError: No module named OpenSSL
>>
>> I guess this produces a dependency on python-openssl, but this rpm is 
>> not included in the standard SLES10 distro.
>>
>> brian carb
>> unisys corporation - malvern, pa
>>
>>
>> -----Original Message-----
>> From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
>> [mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Zhigang 
>> Wang
>> Sent: Sunday, April 27, 2008 10:50 PM
>> To: xen-devel
>> Subject: [Xen-devel] [PATCH] add ssl/tls support to relocation
>>
>> hi, this patch add ssl/tls support to relocation:
>>
>>  * SSL/TLS support is disabled by default, as other server did.
>>
>>  * If "xend-relocation-server-ssl-key-file" and
>>    "xend-relocation-server-ssl-cert-file" exist, SSL/TLS is enabled
>>    automatically.
>>
>>  * "xend-relocation-tls" is used by relocation client only.
>>
>> Signed-off-by: Zhigang Wang <zhigang.x.wang@xxxxxxxxxx>
>>
>>
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel
Fix relocation ssl/tls support

 * Make a wrapper of read/write sock.fileno().

 * Makes pyOpenSSL an optional package.

 * Implement reference:
   http://twistedmatrix.com/trac/browser/trunk/twisted/internet/tcp.py

Signed-off-by: Zhigang Wang <zhigang.x.wang@xxxxxxxxxx>

diff -Nura xen-unstable.orig/tools/python/xen/web/connectionssl.py 
xen-unstable/tools/python/xen/web/connectionssl.py
--- xen-unstable.orig/tools/python/xen/web/connectionssl.py     1970-01-01 
08:00:00.000000000 +0800
+++ xen-unstable/tools/python/xen/web/connectionssl.py  2008-05-08 
15:39:44.000000000 +0800
@@ -0,0 +1,188 @@
+#============================================================================
+# This library is free software; you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#============================================================================
+# Copyright (C) 2005 Mike Wray <mike.wray@xxxxxx>
+# Copyright (C) 2005 XenSource Ltd.
+# Copyright (C) 2008 Oracle
+#============================================================================
+import os
+import socket
+
+from errno import EAGAIN, EINTR, EWOULDBLOCK
+from OpenSSL import SSL
+
+from connection import SocketServerConnection
+from xen.xend.XendLogging import log
+
+"""General classes to support server and client sockets, without
+specifying what kind of socket they are. There are subclasses
+for TCP and unix-domain sockets (see tcp.py and unix.py).
+
+As pyOpenSSL SSL.Connection fileno() method just retrieve the file descriptor
+number for the underlying socket, direct read/write to the file descriptor
+will result no data encrypted.
+
+recv2fd() and fd2send() are simple wrappers for functions who need direct
+read/write to a file descriptor rather than a socket like object.
+
+To use recv2fd(), you can create a pipe and start a thread to transfer all
+received data to one end of the pipe, then read from the other end:
+
+p2cread, p2cwrite = os.pipe()
+threading.Thread(target=connectionssl.recv2fd, args=(sock, p2cwrite)).start()
+os.read(p2cread, 1024)
+
+To use fd2send():
+
+p2cread, p2cwrite = os.pipe()
+threading.Thread(target=connectionssl.fd2send, args=(sock, p2cread)).start()
+os.write(p2cwrite, "data")
+
+"""
+
+BUFFER_SIZE = 1024
+
+
+class SSLSocketServerConnection(SocketServerConnection):
+    """An SSL aware accepted connection to a server.
+    """
+
+    def __init__(self, sock, protocol_class):
+        SocketServerConnection.__init__(self, sock, protocol_class)
+
+    def main(self):
+        try:
+            while True:
+                try:
+                    data = self.sock.recv(BUFFER_SIZE)
+                    if data == "":
+                        break
+                    if self.protocol.dataReceived(data):
+                        break
+                except socket.error, ex:
+                    if ex.args[0] not in (EWOULDBLOCK, EAGAIN, EINTR):
+                        break
+                except (SSL.WantReadError, SSL.WantWriteError, \
+                        SSL.WantX509LookupError):
+                    # The operation did not complete; the same I/O method
+                    # should be called again.
+                    continue
+                except SSL.ZeroReturnError:
+                    # The SSL Connection has been closed.
+                    break
+                except SSL.SysCallError, (retval, desc):
+                    if ((retval == -1 and desc == "Unexpected EOF")
+                        or retval > 0):
+                        # The SSL Connection is lost.
+                        break
+                    log.debug("SSL SysCallError:%d:%s" % (retval, desc))
+                    break
+                except SSL.Error, e:
+                    # other SSL errors
+                    log.debug("SSL Error:%s" % e)
+                    break
+        finally:
+            try:
+                self.sock.close()
+            except:
+                pass
+
+def recv2fd(sock, fd):
+    try:
+        while True:
+            try:
+                data = sock.recv(BUFFER_SIZE)
+                if data == "":
+                    break
+                count = 0
+                while count < len(data):
+                    try:
+                        nbytes = os.write(fd, data[count:])
+                        count += nbytes
+                    except os.error, ex:
+                        if ex.args[0] not in (EWOULDBLOCK, EAGAIN, EINTR):
+                            raise
+            except socket.error, ex:
+                if ex.args[0] not in (EWOULDBLOCK, EAGAIN, EINTR):
+                    break
+            except (SSL.WantReadError, SSL.WantWriteError, \
+                    SSL.WantX509LookupError):
+                # The operation did not complete; the same I/O method
+                # should be called again.
+                continue
+            except SSL.ZeroReturnError:
+                # The SSL Connection has been closed.
+                break
+            except SSL.SysCallError, (retval, desc):
+                if ((retval == -1 and desc == "Unexpected EOF")
+                    or retval > 0):
+                    # The SSL Connection is lost.
+                    break
+                log.debug("SSL SysCallError:%d:%s" % (retval, desc))
+                break
+            except SSL.Error, e:
+                # other SSL errors
+                log.debug("SSL Error:%s" % e)
+                break
+    finally:
+        try:
+            sock.close()
+            os.close(fd)
+        except:
+            pass
+
+def fd2send(sock, fd):
+    try:
+        while True:
+            try:
+                data = os.read(fd, BUFFER_SIZE)
+                if data == "":
+                    break
+                count = 0
+                while count < len(data):
+                    try:
+                        nbytes = sock.send(data[count:])
+                        count += nbytes
+                    except socket.error, ex:
+                        if ex.args[0] not in (EWOULDBLOCK, EAGAIN, EINTR):
+                            raise
+                    except (SSL.WantReadError, SSL.WantWriteError, \
+                            SSL.WantX509LookupError):
+                        # The operation did not complete; the same I/O method
+                        # should be called again.
+                        continue
+                    except SSL.ZeroReturnError:
+                        # The SSL Connection has been closed.
+                        raise
+                    except SSL.SysCallError, (retval, desc):
+                        if not (e[0] == -1 and data == ""):
+                            # errors when writing empty strings are expected
+                            # and can be ignored
+                            log.debug("SSL SysCallError:%d:%s" % (retval, 
desc))
+                            raise
+                    except SSL.Error, e:
+                        # other SSL errors
+                        log.debug("SSL Error:%s" % e)
+                        raise
+            except os.error, ex:
+                if ex.args[0] not in (EWOULDBLOCK, EAGAIN, EINTR):
+                    break
+    finally:
+        try:
+            sock.close()
+            os.close(fd)
+        except:
+            pass
+
diff -Nura xen-unstable.orig/tools/python/xen/web/tcp.py 
xen-unstable/tools/python/xen/web/tcp.py
--- xen-unstable.orig/tools/python/xen/web/tcp.py       2008-05-05 
14:17:45.000000000 +0800
+++ xen-unstable/tools/python/xen/web/tcp.py    2008-05-05 14:32:16.000000000 
+0800
@@ -22,8 +22,6 @@
 import socket
 import time
 
-from OpenSSL import SSL
-
 import connection
 
 from xen.xend.XendLogging import log
@@ -67,41 +65,3 @@
             except:
                 pass
 
-class SSLTCPListener(TCPListener):
-
-    def __init__(self, protocol_class, port, interface, hosts_allow,
-                 ssl_key_file = None, ssl_cert_file = None):
-        if not ssl_key_file or not ssl_cert_file:
-            raise ValueError("SSLXMLRPCServer requires ssl_key_file "
-                             "and ssl_cert_file to be set.")
-
-        self.ssl_key_file = ssl_key_file
-        self.ssl_cert_file = ssl_cert_file
-
-        TCPListener.__init__(self, protocol_class, port, interface, 
hosts_allow)
-
-
-    def createSocket(self):
-        # make a SSL socket
-        ctx = SSL.Context(SSL.SSLv23_METHOD)
-        ctx.set_options(SSL.OP_NO_SSLv2)
-        ctx.use_privatekey_file (self.ssl_key_file)
-        ctx.use_certificate_file(self.ssl_cert_file)
-        sock = SSL.Connection(ctx,
-                              socket.socket(socket.AF_INET, 
socket.SOCK_STREAM))
-        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-
-        # SO_REUSEADDR does not always ensure that we do not get an address
-        # in use error when restarted quickly
-        # we implement a timeout to try and avoid failing unnecessarily
-        timeout = time.time() + 30
-        while True:
-            try:
-                sock.bind((self.interface, self.port))
-                return sock
-            except socket.error, (_errno, strerrno):
-                if _errno == errno.EADDRINUSE and time.time() < timeout:
-                    time.sleep(0.5)
-                else:
-                    raise
-
diff -Nura xen-unstable.orig/tools/python/xen/web/tcpssl.py 
xen-unstable/tools/python/xen/web/tcpssl.py
--- xen-unstable.orig/tools/python/xen/web/tcpssl.py    1970-01-01 
08:00:00.000000000 +0800
+++ xen-unstable/tools/python/xen/web/tcpssl.py 2008-05-08 15:38:54.000000000 
+0800
@@ -0,0 +1,82 @@
+#============================================================================
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of version 2.1 of the GNU Lesser General Public
+# License as published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#============================================================================
+# Copyright (C) 2005 Mike Wray <mike.wray@xxxxxx>
+# Copyright (C) 2005 XenSource Ltd.
+# Copyright (C) 2008 Oracle
+#============================================================================
+
+
+import errno
+import socket
+import time
+
+import connection
+import connectionssl
+
+from OpenSSL import SSL
+from tcp import TCPListener
+from xen.xend.XendLogging import log
+
+
+class SSLTCPListener(TCPListener):
+
+    def __init__(self, protocol_class, port, interface, hosts_allow,
+                 ssl_key_file = None, ssl_cert_file = None):
+        if not ssl_key_file or not ssl_cert_file:
+            raise ValueError("SSLXMLRPCServer requires ssl_key_file "
+                             "and ssl_cert_file to be set.")
+
+        self.ssl_key_file = ssl_key_file
+        self.ssl_cert_file = ssl_cert_file
+
+        TCPListener.__init__(self, protocol_class, port, interface, 
hosts_allow)
+
+
+    def createSocket(self):
+        # make a SSL socket
+        ctx = SSL.Context(SSL.SSLv23_METHOD)
+        ctx.set_options(SSL.OP_NO_SSLv2)
+        ctx.use_privatekey_file (self.ssl_key_file)
+        ctx.use_certificate_file(self.ssl_cert_file)
+        sock = SSL.Connection(ctx,
+                              socket.socket(socket.AF_INET, 
socket.SOCK_STREAM))
+        sock.set_accept_state()
+        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+
+        # SO_REUSEADDR does not always ensure that we do not get an address
+        # in use error when restarted quickly
+        # we implement a timeout to try and avoid failing unnecessarily
+        timeout = time.time() + 30
+        while True:
+            try:
+                sock.bind((self.interface, self.port))
+                return sock
+            except socket.error, (_errno, strerrno):
+                if _errno == errno.EADDRINUSE and time.time() < timeout:
+                    time.sleep(0.5)
+                else:
+                    raise
+
+
+    def acceptConnection(self, sock, addrport):
+        addr = addrport[0]
+        if connection.hostAllowed(addrport, self.hosts_allow):
+            connectionssl.SSLSocketServerConnection(sock, self.protocol_class)
+        else:
+            try:
+                sock.close()
+            except:
+                pass
+
diff -Nura xen-unstable.orig/tools/python/xen/xend/server/relocate.py 
xen-unstable/tools/python/xen/xend/server/relocate.py
--- xen-unstable.orig/tools/python/xen/xend/server/relocate.py  2008-05-05 
14:17:46.000000000 +0800
+++ xen-unstable/tools/python/xen/xend/server/relocate.py       2008-05-07 
16:39:00.000000000 +0800
@@ -17,10 +17,18 @@
 #============================================================================
 
 import re
+import os
 import sys
 import StringIO
+import threading
 
 from xen.web import protocol, tcp, unix
+try:
+    from xen.web import tcpssl
+    from xen.web import connectionssl
+    ssl_enabled = True
+except ImportError:
+    ssl_enabled = False
 
 from xen.xend import sxp
 from xen.xend import XendDomain
@@ -116,6 +124,27 @@
             log.error(name + ": no transport")
             raise XendError(name + ": no transport")
 
+    def op_sslreceive(self, name, _):
+        if self.transport:
+            self.send_reply(["ready", name])
+            p2cread, p2cwrite = os.pipe()
+            if not ssl_enabled:
+                raise ValueError("pyOpenSSL not installed. "
+                                 "Unable to start relocation with ssl")
+            threading.Thread(target=connectionssl.recv2fd,
+                             args=(self.transport.sock, p2cwrite)).start()
+            try:
+                XendDomain.instance().domain_restore_fd(p2cread,
+                                                        relocating=True)
+            except:
+                os.close(p2cread)
+                os.close(p2cwrite)
+                self.send_error()
+                self.close()
+        else:
+            log.error(name + ": no transport")
+            raise XendError(name + ": no transport")
+
 
 def listenRelocation():
     xoptions = XendOptions.instance()
@@ -136,10 +165,13 @@
         ssl_cert_file = xoptions.get_xend_relocation_server_ssl_cert_file()
 
         if ssl_key_file and ssl_cert_file:
-            tcp.SSLTCPListener(RelocationProtocol, port, interface = interface,
-                               hosts_allow = hosts_allow,
-                               ssl_key_file = ssl_key_file,
-                               ssl_cert_file = ssl_cert_file)
+            if not ssl_enabled:
+                raise ValueError("pyOpenSSL not installed. "
+                                 "Unable to start relocation server with ssl")
+            tcpssl.SSLTCPListener(RelocationProtocol, port, interface = 
interface,
+                                  hosts_allow = hosts_allow,
+                                  ssl_key_file = ssl_key_file,
+                                  ssl_cert_file = ssl_cert_file)
         else:
             tcp.TCPListener(RelocationProtocol, port, interface = interface,
                             hosts_allow = hosts_allow)
diff -Nura xen-unstable.orig/tools/python/xen/xend/XendDomain.py 
xen-unstable/tools/python/xen/xend/XendDomain.py
--- xen-unstable.orig/tools/python/xen/xend/XendDomain.py       2008-05-05 
14:17:45.000000000 +0800
+++ xen-unstable/tools/python/xen/xend/XendDomain.py    2008-05-08 
14:56:54.000000000 +0800
@@ -1297,19 +1297,39 @@
             tls = xoptions.get_xend_relocation_tls()
             if tls:
                 from OpenSSL import SSL
+                from xen.web import connectionssl
                 ctx = SSL.Context(SSL.SSLv23_METHOD)
-                sock = SSL.Connection(ctx, socket.socket(socket.AF_INET, 
socket.SOCK_STREAM))
+                sock = SSL.Connection(ctx,
+                           socket.socket(socket.AF_INET, socket.SOCK_STREAM))
                 sock.set_connect_state()
+                sock.connect((dst, port))
+                sock.send("sslreceive\n")
+                sock.recv(80)
+                p2cread, p2cwrite = os.pipe()
+                threading.Thread(target=connectionssl.fd2send,
+                                 args=(sock, p2cread)).start()
+                XendCheckpoint.save(p2cwrite, dominfo, True, live, dst,
+                                    node=node)
+                os.close(p2cread)
+                os.close(p2cwrite)
+                sock.shutdown()
+                sock.close()
             else:
                 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-            sock.connect((dst, port))
+                # When connecting our ssl enabled relocation server using a
+                # plain socket, send will success but recv will block. Add a
+                # 30 seconds timeout to raise a socket.timeout exception to
+                # inform the client.
+                sock.settimeout(30.0)
+                sock.connect((dst, port))
+                sock.send("receive\n")
+                sock.recv(80)
+                sock.settimeout(None)
+                XendCheckpoint.save(sock.fileno(), dominfo, True, live, dst,
+                                    node=node)
+                sock.close()
         except socket.error, err:
-            raise XendError("can't connect: %s" % err[1])
-
-        sock.send("receive\n")
-        sock.recv(80)
-        XendCheckpoint.save(sock.fileno(), dominfo, True, live, dst, node=node)
-        sock.close()
+            raise XendError("can't connect: %s" % err)
 
     def domain_save(self, domid, dst, checkpoint=False):
         """Start saving a domain to file.
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel