source: etherws/trunk/README.rst @ 284

Revision 284, 8.0 KB checked in by atzm, 9 years ago (diff)
  • version bump
  • Property svn:keywords set to Id
RevLine 
[141]1Introduction
2============
[260]3etherws is an implementation of software switch with the Ethernet over
4WebSocket tunnel.
[141]5
[216]6Overview
7========
[260]8*etherws sw* is a simple virtual ethernet switch.  And this is controlled by
9*etherws ctl*::
[141]10
[260]11   [tap] [netdev]
12     |      |
13  +--+------+--+   (control)
[216]14  | etherws sw | <-----------+
15  +-----||-----+             |
16        ||            +-------------+
17    (WebSocket)       | etherws ctl |
18        ||            +-------------+
19  +-----||-----+             |
20  | etherws sw | <-----------+
[260]21  +--+------+--+   (control)
22     |      |
23   [tap] [netdev]
[141]24
[216]25Basic Usage
26===========
27For example, consider creating following simple network::
[141]28
[216]29          (Physical Network)
[260]30  -----+--------- // --------+-----
[216]31       | 10.0.0.10           | 10.0.0.5
32  +----+-----+         +-----+----+
33  | NodeA    |         | NodeB    |
34  |          |         |          |
35  | [ethws0] |         | [ethws0] |
36  +----||----+         +----||----+
37       || 192.0.2.10/24     || 192.0.2.5/24
38       ``===================''
39          (WebSocket Tunnel)
[141]40
[260]41In this case, WebSocket Tunnel will be created by following commands.
[141]42
[216]43on NodeA::
[141]44
[216]45  # etherws sw
46  # etherws ctl addport tap ethws0
[218]47  # etherws ctl setif --address 192.0.2.10 --netmask 255.255.255.0 1
[141]48
[216]49on NodeB::
[146]50
[216]51  # etherws sw
52  # etherws ctl addport tap ethws0
[218]53  # etherws ctl setif --address 192.0.2.5 --netmask 255.255.255.0 1
[216]54  # etherws ctl addport client ws://10.0.0.10/
[144]55
[216]56*listport*, *listif* or *listfdb* commands will show you current port list,
57interface list, or forwarding database entries::
[162]58
[216]59  # etherws ctl listport
60  # etherws ctl listif
61  # etherws ctl listfdb
[162]62
[156]63Using SSL/TLS
[216]64-------------
[260]65etherws supports SSL/TLS connection.  Tunnels will be encrypted and server will
[216]66be verified by using following options.
[144]67
[216]68On server side::
[152]69
[216]70  # etherws sw --sslkey ssl.key --sslcert ssl.crt
[144]71
[260]72*ssl.key* is a server private key, and *ssl.crt* is a server
73certificate.
[144]74
[216]75On client side::
[144]76
[216]77  # etherws ctl addport client --cacerts ssl.crt wss://10.0.0.10/
[152]78
[216]79URL scheme was just changed to *wss*, and CA certificate to verify server
80certificate was specified.
[156]81
[260]82Client verifies server certificate by default.  So, for example, *addport* will
[216]83fail if your server uses self-signed certificate and client uses another CA
84certificate.
[156]85
[216]86If you want to just encrypt tunnels and do not need to verify server
87certificate, then you can use *--insecure* option::
[156]88
[216]89  # etherws ctl addport client --insecure wss://10.0.0.10/
[156]90
[216]91Note: see http://docs.python.org/library/ssl.html for more information about
92certificates.
[156]93
[282]94Using HTTP Proxy
95----------------
96You can create WebSocket tunnels via HTTP proxy.  Proxy server's address and
97port number are specified by generic environment variables: e.g. *$http_proxy*
98
99See https://docs.python.org/library/urllib.html for more information about
100environment variables for the proxy.
101
[283]102If you want to know what WebSocket client requires to HTTP proxy server, you
103can see library documentation: https://pypi.python.org/pypi/websocket-client/
104
[152]105Client Authentication
[216]106---------------------
[260]107etherws supports HTTP Basic Authentication.  This means you can use etherws as
[216]108simple L2-VPN server/client.
[152]109
[216]110On server side, etherws requires user informations in Apache htpasswd format
[260]111(and currently supports SHA-1 digest only).  To create this file::
[152]112
113  # htpasswd -s -c filename username
114
[216]115If you do not have htpasswd command, then you can use python one-liner
116instead::
[152]117
118  # python -c 'import hashlib; print("username:{SHA}" + hashlib.sha1("password").digest().encode("base64"))'
119
[216]120To run server with this file::
[152]121
[216]122  # etherws sw --htpasswd filename
[152]123
[216]124On client side, etherws requires username and password from option with
125*addport* command::
[152]126
[216]127  # etherws ctl addport client --user username --passwd password ws://10.0.0.10/
[152]128
[216]129Or, password can be input from stdin::
[152]130
[216]131  # etherws ctl addport client --user username ws://10.0.0.10/
132  Client Password:
[152]133
[216]134If authentication did not succeed, then *addport* will fail.
[152]135
[216]136Note that you should not use HTTP Basic Authentication without SSL/TLS support,
[260]137because this is insecure in itself.
[152]138
[216]139Advanced Usage
140==============
[152]141
[216]142Remote Control
143--------------
[260]144*etherws ctl* controls *etherws sw* by JSON-RPC over HTTP.  This means you can
145control *etherws sw* from remote nodes.  However, allowing remote control
146without careful consideration also allows to attack to your server or
147network.  So control URL is bound to localhost by default.
[170]148
[216]149If you just want to allow remote control, you can use following options for
150example::
[170]151
[216]152  # etherws sw --ctlhost 10.0.0.10 --ctlport 1234
[170]153
[216]154This means allowing remote control from any nodes that can access
[260]15510.0.0.10:1234 TCP/IP.  Of course this is very dangerous as described above.
[170]156
[216]157Here, *etherws ctl* can control remote *etherws sw* using following option::
[170]158
[216]159  # etherws ctl --ctlurl http://10.0.0.10:1234/ctl ...
160
161*etherws sw* controller supports SSL/TLS connection and client authentication
162as well as WebSocket tunnel service.
163
164On server side::
165
166  # etherws sw --ctlhost 10.0.0.10 --ctlport 443 \
167               --ctlhtpasswd htpasswd --ctlsslkey ssl.key --ctlsslcert ssl.crt
168
169On client side::
170
171  # etherws ctl --ctlurl https://10.0.0.10/ctl \
172                --ctluser username --ctlpasswd password ...
173
174Password can be input from stdin as well as WebSocket tunnel creation.
175
[282]176Logging
177-------
178etherws uses standard logging library.  You can customize the logger using the
179*fileConfig* described in https://docs.python.org/library/logging.config.html
180
181To run *etherws sw* with the custom logger::
182
[283]183  # etherws sw --logconf /path/to/logging.ini ...
[282]184
185etherws uses a logger stream named "etherws".  And internally Tornado uses
186some logger streams described in http://www.tornadoweb.org/en/stable/log.html
187
188Note: etherws does not write debug logs even if you simply configure loglevel
189DEBUG, to avoid performance degradation.  To write debug logs, you can
190specify *--debug* option.
191
[260]192Virtual Machines Connection
193---------------------------
[216]194For example, consider creating following virtual machine network::
195
196  +------------------+             +------------------+
197  | HypervisorA      |             |      HypervisorB |
198  |  +-----+         |             |         +-----+  |
199  |  | VM  |         |             |         | VM  |  |
200  |  +--+--+         |             |         +--+--+  |
[260]201  |  (vnet0)         |             |         (vnet0)  |
[216]202  |     |            |             |            |     |
[260]203  | [etherws] (eth0) |             | (eth0) [etherws] |
[216]204  +----||--------+---+             +----+-------||----+
205       ||        |                      |       ||
[260]206       ||   -----+--------- // ---------+-----  ||
[216]207       ||           (Physical Network)          ||
208       ||                                       ||
209       ``=======================================''
210                   (WebSocket Tunnel)
211
[260]212Existing network interfaces can also be added to *etherws sw*.
213So in this case, this will be created by following commands.
[216]214
215on HypervisorA::
216
217  # etherws sw
[260]218  # etherws ctl addport netdev vnet0
[216]219
220on HypervisorB::
221
222  # etherws sw
[260]223  # etherws ctl addport netdev vnet0
[216]224  # etherws ctl addport client ws://HypervisorA/
225
[282]226Of course, you can create TAP ports and connect them using the Linux Bridge
[260]227or the like.
228
[141]229History
230=======
[284]2311.3 (2015-06-26 JST)
[280]232  - logging support
[279]233  - http proxy support on client connection
[276]234  - fix listport bug on tornado 4.0.x
235
[274]2361.2 (2014-12-29 JST)
237  - verification of controller SSL certificate support
238  - correspond to some library updates
239
[260]2401.1 (2013-10-10 JST)
241  - netdev (existing network interfaces) support
242
[220]2431.0 (2012-08-18 JST)
[216]244  - global architecture change
245
[170]2460.7 (2012-06-29 JST)
247  - switching support
248  - multiple ports support
249
[162]2500.6 (2012-06-16 JST)
251  - improve performance
252
[160]2530.5 (2012-05-20 JST)
254  - added passwd option to client mode
255  - fixed bug: basic authentication password cannot contain colon
256  - fixed bug: client loops meaninglessly even if server stops
257
[158]2580.4 (2012-05-19 JST)
259  - server certificate verification support
260
[152]2610.3 (2012-05-17 JST)
262  - client authentication support
263
[144]2640.2 (2012-05-16 JST)
265  - SSL/TLS connection support
266
2670.1 (2012-05-15 JST)
[141]268  - First release
Note: See TracBrowser for help on using the repository browser.