Re: [Monotone-devel] db kill_rev_locally


From: Ethan Blanton
Subject: Re: [Monotone-devel] db kill_rev_locally
Date: Sat, 11 Oct 2008 20:16:39 -0400
User-agent: Mutt/1.5.17+20080114 (2008-01-14)

Daniel Carrera spake unto us the following wisdom:
>> If you have to serve through ssh, you'd be much better off starting a
>> netsync server somewhere on a localhost port, and tunneling that port
>> through ssh. That will take care of both concurrency and your security
>> concerns in a much cleaner fashion.
>
> How do you do that? I'm interested to hear more. What kind of access do
> you need to do this? Can you do it if you are an un-privileged user? If
> you can, that would be really neat. Are there any drawbacks to your
> solution? (e.g. what if the server reboots? can you set up a cron job to
> check that the netsync server is up?).

It is possible to restrict the monotone server, but restricting it
would break a large number of normal applications, as well.  SELinux
or similar technologies might be able to effectively restrict it, but
I doubt any hosting service that would allow you to install and
execute a monotone binary in your hosted space would be using such
technologies, or have them configured to prevent this.

It is also possible to restrict ssh port forwards, and this may be
more likely.  I don't have any idea how common such restrictions are.
I use no services which restrict port forwards.

Simply start mtn serve on the hosted server as 'mtn serve
localhost:4691' (or whatever port -- any port over 1024 is available
to non-root users, 4691 is the default monotone port).  This will
start a monotone netsync server which can be connected to *only* by
processes on the local machine, over loopback.

Then, to connect to the server, run something like the following on
your workstation:

    ssh -L4691:localhost:4691 <server>

This somewhat confusing command line says "Forward port 4691 (the
leading 4691:) on the local host (-L) to port 4691 on the remote
machine (localhost:4691)".  See 'man ssh' for more on -L (and its
closely-related cousin, -R).  If you used a server port other than
4691 for 'mtn serve', replace the *final* 4691 in the above command
with the port the server is using.

Having done this, on your workstation again, run:

    mtn sync localhost <pattern>

If you used a port other than 4691 as the first argument to ssh -L,
provide it as localhost:<port> in the above command.  This will
connect to your workstation on a port which SSH tunnels through its
own connection to the remote host and connects to the remote monotone
server.

As far as drawbacks go, they are what you would expect; you have to have
the SSH tunnel running to access monotone, the encrypted stream is
overhead, etc.  However, you pay all those penalties to use monotone
via SSH in any fashion.

Keeping the server running is the same as keeping any server running.
There are various scripts out there which will help with that task.

Ethan

-- 
The laws that forbid the carrying of arms are laws [that have no remedy
for evils].  They disarm only those who are neither inclined nor
determined to commit crimes.
                -- Cesare Beccaria, "On Crimes and Punishments", 1764

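The loopback-bound 'mtn serve' / 'ssh -L' / 'mtn sync' setup above, as an added example that is not part of the post or of monotone itself: it builds the three command lines, refuses a server bind address that is not loopback (the property the whole scheme relies on), and includes the loopback liveness probe a cron job could run. The server name and the listener stand-in are assumptions made for the example.

```python
# Added example (not from the post): helpers for the loopback-bound netsync
# server + SSH tunnel setup described above, plus a liveness probe for cron.
import socket

DEFAULT_PORT = 4691  # monotone's default netsync port, as the post says

def unprivileged_port(port):
    """Ports at or below 1024 cannot be bound by a non-root user; reject them."""
    if not 1024 < int(port) < 65536:
        raise ValueError(f"port {port} is not an unprivileged TCP port")
    return int(port)

def is_loopback_bind(bind):
    """True only if 'host:port' binds loopback, so only local processes
    (and the ssh tunnel endpoint) can reach the server."""
    host, _, port = bind.rpartition(":")
    unprivileged_port(port)
    host = host.strip("[]")
    return host in ("localhost", "::1") or host.startswith("127.")

def serve_command(bind=f"localhost:{DEFAULT_PORT}"):
    """'mtn serve localhost:4691' from the post; refuse non-loopback binds."""
    if not is_loopback_bind(bind):
        raise ValueError(f"refusing to serve on non-loopback address {bind}")
    return ["mtn", "serve", bind]

def tunnel_command(server, local_port=DEFAULT_PORT, remote_port=DEFAULT_PORT):
    """ssh -N -L<local>:localhost:<remote> <server>; -N forwards without a shell."""
    spec = f"{unprivileged_port(local_port)}:localhost:{unprivileged_port(remote_port)}"
    return ["ssh", "-N", "-L", spec, server]

def sync_command(pattern, local_port=DEFAULT_PORT):
    """'mtn sync localhost <pattern>', or localhost:<port> for a non-default port."""
    host = "localhost" if local_port == DEFAULT_PORT else f"localhost:{unprivileged_port(local_port)}"
    return ["mtn", "sync", host, pattern]

def port_is_open(port, host="127.0.0.1", timeout=1.0):
    """Cron liveness probe: is anything accepting connections on loopback:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def listen_on_loopback():
    """Constructed stand-in for a running server: ephemeral loopback listener."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]
```

The command lists are returned rather than executed so they can be inspected or handed to subprocess; the probe only reports whether something accepts connections on the port, not that it is monotone.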