[Csync2] csync2 cannot reach each other using second NIC
Samba
saasira at gmail.com
Thu Sep 6 11:03:07 CEST 2012
Lars,
I once tried making CSync work with CA generated certificates so that peers
can have different certificates all generated by the same CA, but owing to
my limited practice on programming in C, I could not make much progress.
I can attempt it again to get that working this time considering that I
have gained a little experience in writing the 'patch to
sync_subdir_deletion'. If you can suggest what needs to be done to cover
this case as well, then I'll update that patch accordingly.
Thanks and Regards,
Samba
--------------------------------------------------------------------------------------------------------
On Thu, Sep 6, 2012 at 2:08 PM, Lars Ellenberg <lars.ellenberg at linbit.com> wrote:
> On Wed, Sep 05, 2012 at 05:40:03PM +0200, Nils Stöckmann wrote:
> > Am 05.09.2012 16:55, schrieb Art -kwaak- van Breemen:
> > > To describe it better: it's: host nodename(@address); Where you use
> > > the @address if nodename itself does not resolv to the right ip
> > > address. address can be an ip address, or a resolvable hostname.
> > now that's an interesting insight, thank you!
> >
> > To try that, I changed the beginning of csync2.cfg to:
> > > nossl 172.31.* 172.31.*;
> > > nossl leihnix*h* leihnix*h*;
> > >
> > > group cfg_sync-etc {
> > > host leihnix6h1 at 172.31.1.16;
> > > host leihnix5h1 at 172.31.1.11;
> > and turned /etc/hosts back to:
> > > 172.31.1.11 leihnix5h1
> > > 172.31.1.16 leihnix6h1
> > >
> > > 127.0.0.1 localhost
> > >
> > > 192.168.1.11 leihnix5h1
> > > 192.168.1.16 leihnix6h1
> >
> >
> > Which results in the following error:
> > > SQL: SELECT filename, myname, force FROM dirty WHERE peername =
> > > '172.31.1.11' ORDER by filename ASC
> > > SQL Query finished.
> > > Connecting to host 172.31.1.11 (SSL) ...
> > > Local> SSL\n
> > > Peer> OK (activating_ssl).\n
> > > Establishing SSL connection failed.
> > > SQL: COMMIT TRANSACTION
> > although
> > - 1. I have disabled ssl using nossl directive in csync2.cfg
> > - 2. SSL worked using the default NIC.
> >
> > What puzzles me most is that the nossl directive is ignored.
> > Ignoring the certificate is most probably because the SSL certificate is
> > matched against the address, not against the hostname (which feels
> > somewhat senseless to me).
>
> I'm not sure what and when, exactly, is matched against the nossl patterns.
> But the config statement is "nossl from-pattern to-pattern",
> and "from" is probably always the node name, not the outgoing IP used.
> So maybe an (additional?)
> nossl leihnix* 172.31*;
> does that?
>
> You could add a few -v, or use gdb to find out...
>
> To be honest, the whole ssl certificate checking in csync2
> could do with a proper rewrite.
> Which will certainly not be done by me.
>
> I'd prefer to get the "assume preauthenticated via SSH tunnel" mode
> working instead, similar to the RSYNC_RSH or RSYNC_CONNECT_PROG way.
>
> > Any experience on how to make it work via IP or interface name?
> > If not, Lars' workaround isn't too bad :)
>
> That is not a workaround at all.
> It is the intended usage.
>
> Though I admit it may be unclear from the wording in the paper
> ("interfacename").
> If you read the full paper, you'll see it talks about "interface DNS
> name", which is meant to say the *resolvable* name you give the IP on
> that interface.
>
> Patches to improve the wording in the paper gladly accepted ;-)
>
> Thanks,
> Lars
>
> _______________________________________________
> Csync2 mailing list
> Csync2 at lists.linbit.com
> http://lists.linbit.com/mailman/listinfo/csync2
>
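To make Lars' point about the nossl patterns concrete, here is an added example (not code from the list or from csync2 itself) that models the check the way his reply describes it: the from-pattern is tested against the local node name and the to-pattern against the address the peer is contacted on, which is what the quoted log shows csync2 using as the peer name (peername = '172.31.1.11'). That matching model, the use of shell-style globs, and the tiny csync2.cfg parser are all assumptions made for illustration; the config fragment is constructed from the values in the thread. The useful part for an administrator is the audit: it lists every ordered pair of nodes that would sync in clear text, so a nossl rule meant only for the private 172.31 network can be checked before it silently covers more.

```python
import fnmatch

# Constructed csync2.cfg fragment modelled on the thread (not a config from the list).
SAMPLE_CFG = """\
nossl 172.31.* 172.31.*;
nossl leihnix*h* leihnix*h*;

group cfg_sync-etc {
    host leihnix6h1@172.31.1.16;
    host leihnix5h1@172.31.1.11;
    include /etc;
}
"""


def parse_cfg(text):
    """Pick the 'nossl' and 'host' statements out of a csync2.cfg fragment.

    Returns (rules, hosts): rules is a list of (from_pattern, to_pattern),
    hosts maps node name -> address to connect to.  'host name@addr' means
    node 'name' is reached at 'addr'; a bare 'host name' means the name
    itself must resolve, so the address is the name.  Other statements
    (group, include, ...) are skipped; this is a deliberately small parser
    written for this example, not csync2's own.
    """
    rules, hosts = [], {}
    for raw in text.splitlines():
        stmt = raw.strip()
        if not stmt.endswith(";"):
            continue
        parts = stmt[:-1].split()
        if not parts:
            continue
        if parts[0] == "nossl" and len(parts) == 3:
            rules.append((parts[1], parts[2]))
        elif parts[0] == "host":
            for entry in parts[1:]:  # csync2 accepts several hosts per line
                name, _, addr = entry.partition("@")
                hosts[name] = addr or name
    return rules, hosts


def plaintext_allowed(rules, local_name, peer_addr):
    """Model of the nossl check as described in the thread (an assumption,
    not csync2's code): the from-pattern is tested against the local node
    name, the to-pattern against the address the peer is contacted on.
    Patterns are treated as shell-style globs."""
    return any(
        fnmatch.fnmatchcase(local_name, frm) and fnmatch.fnmatchcase(peer_addr, to)
        for frm, to in rules
    )


def unencrypted_pairs(text):
    """Audit helper: every ordered (local, peer) pair that would sync without SSL."""
    rules, hosts = parse_cfg(text)
    pairs = []
    for local in sorted(hosts):
        for peer in sorted(hosts):
            if local != peer and plaintext_allowed(rules, local, hosts[peer]):
                pairs.append((local, peer))
    return pairs


if __name__ == "__main__":
    # As posted, neither rule fires: the first wants the *local name* to look
    # like an IP, the second wants the *peer address* to look like a hostname.
    print("as posted:", unencrypted_pairs(SAMPLE_CFG))
    # Lars' suggested rule pairs a name pattern with an address pattern.
    print("with nossl leihnix* 172.31*:",
          unencrypted_pairs(SAMPLE_CFG + "nossl leihnix* 172.31*;\n"))
```

Under this model the two rules Nils posted never match, which is consistent with the "Establishing SSL connection failed" log, while the single rule Lars proposes makes both directions between the two nodes unencrypted on the 172.31 addresses only.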