[Csync2] csync2 cannot reach each other using second NIC

Lars Ellenberg lars.ellenberg at linbit.com
Thu Sep 6 10:38:11 CEST 2012


On Wed, Sep 05, 2012 at 05:40:03PM +0200, Nils Stöckmann wrote:
> On 05.09.2012 16:55, Art -kwaak- van Breemen wrote:
> > To describe it better: it's: host nodename(@address); Where you use
> > the @address if nodename itself does not resolve to the right ip
> > address. address can be an ip address, or a resolvable hostname.
> now that's an interesting insight, thank you!
> 
> To try that, I changed the beginning of csync2.cfg to:
> > nossl 172.31.* 172.31.*;
> > nossl leihnix*h* leihnix*h*;
> >
> > group cfg_sync-etc {
> >         host leihnix6h1@172.31.1.16;
> >         host leihnix5h1@172.31.1.11;
> and turned /etc/hosts back to:
> > 172.31.1.11     leihnix5h1
> > 172.31.1.16     leihnix6h1
> >
> > 127.0.0.1       localhost
> >
> > 192.168.1.11    leihnix5h1
> > 192.168.1.16    leihnix6h1
> 
> 
> Which results in the following error:
> > SQL: SELECT filename, myname, force FROM dirty WHERE peername =
> > '172.31.1.11' ORDER by filename ASC
> > SQL Query finished.
> > Connecting to host 172.31.1.11 (SSL) ...
> > Local> SSL\n
> > Peer> OK (activating_ssl).\n
> > Establishing SSL connection failed.
> > SQL: COMMIT TRANSACTION
> although
> - 1. I have disabled ssl using nossl directive in csync2.cfg
> - 2. SSL worked using the default NIC.
> 
> What puzzles me most is that the nossl directive is ignored.
> Ignoring the certificate is most probably because the SSL certificate is
> matched against the address, not against the hostname (which feels
> somewhat senseless to me).

I'm not sure what and when, exactly, is matched against the nossl patterns.
But the config statement is "nossl from-pattern to-pattern",
and "from" is probably always the node name, not the outgoing IP used.
So maybe an (additional?)
  nossl leihnix* 172.31*;
does that?

You could add a few -v, or use gdb to find out...

To be honest, the whole ssl certificate checking in csync2
could do with a proper rewrite.
Which will certainly not be done by me.

I'd prefer to get the "assume preauthenticated via SSH tunnel" mode
working instead, similar to the RSYNC_RSH or RSYNC_CONNECT_PROG way.

> Any experience on how to make it work via IP or interface name?
> If not, Lars' workaround isn't too bad :)

That is not a workaround at all.
It is the intended usage.

Though I admit it may be unclear from the wording in the paper
("interfacename").
If you read the full paper, you'll see it talks about "interface DNS
name", which is meant to say the *resolvable* name you give the IP on
that interface.

Patches to improve the wording in the paper gladly accepted ;-)

Thanks,
	Lars
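As an added illustration (not part of the thread and not csync2's own code), the following script models Lars's hypothesis about how the `nossl from-pattern to-pattern` rules are matched: the "from" pattern against the local node name and the "to" pattern against the address csync2 actually connects to. It parses a constructed config fragment shaped like the one quoted above, replays the observed situation (node leihnix5h1 connecting to 172.31.1.16) with the original two nossl lines, and then with Lars's suggested extra line. The parser, the `@address` handling and the matching semantics are assumptions for this model, not verified csync2 behaviour.

```python
import fnmatch

# Constructed csync2.cfg fragment modelled on the thread (assumed syntax:
# "host nodename@address;" as Art described it).
CFG = """
nossl 172.31.* 172.31.*;
nossl leihnix*h* leihnix*h*;

group cfg_sync-etc {
        host leihnix6h1@172.31.1.16;
        host leihnix5h1@172.31.1.11;
}
"""


def parse(cfg):
    """Minimal parser (assumption, not csync2's grammar): returns the nossl
    rules as (from_pattern, to_pattern) pairs and a {nodename: address} map,
    where the address defaults to the node name when no @address is given."""
    nossl, hosts = [], {}
    for stmt in cfg.replace("{", ";").replace("}", ";").split(";"):
        words = stmt.split()
        if not words:
            continue
        if words[0] == "nossl" and len(words) == 3:
            nossl.append((words[1], words[2]))
        elif words[0] == "host":
            for entry in words[1:]:
                name, _, addr = entry.partition("@")
                hosts[name] = addr or name
    return nossl, hosts


def uses_ssl(nossl, myname, peer_addr):
    """Lars's hypothesis: SSL is disabled only if some nossl rule matches
    the local node name on the 'from' side AND the peer address on the
    'to' side. Patterns are shell globs (fnmatch), as in csync2 configs."""
    return not any(
        fnmatch.fnmatchcase(myname, frm) and fnmatch.fnmatchcase(peer_addr, to)
        for frm, to in nossl
    )


if __name__ == "__main__":
    rules, hosts = parse(CFG)
    me, peer = "leihnix5h1", hosts["leihnix6h1"]
    # Original config: neither rule matches name-vs-address, so SSL is tried.
    print("original config -> SSL:", uses_ssl(rules, me, peer))
    # With Lars's suggested additional line the connection goes nossl.
    rules.append(("leihnix*", "172.31*"))
    print("with 'nossl leihnix* 172.31*' -> SSL:", uses_ssl(rules, me, peer))
```

Under this model the two original lines leave SSL enabled for exactly the reason Nils saw ("Connecting to host ... (SSL)"), while the mixed name/address rule turns it off; whether csync2 really matches this way is what Lars suggests checking with `-v` or gdb.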
