Changeset 216 for etherws

Timestamp:

08/17/12 01:33:46 (12 years ago)

Author:

atzm

Message:

• update document

File:

• etherws/trunk/README.rst (modified) (3 diffs)

etherws/trunk/README.rst

@@ -1 +1 @@
 Introduction
 ============
-etherws is an implementation of Ethernet over WebSocket tunnel
-based on Linux Universal TUN/TAP device driver.
-
-How to Use
-==========
-For example, if you want to make virtual ethernet link for *VM1* and *VM2*
-whose hypervisor's broadcast domains were isolated by router *R*::
-
-  +------------------+            +------------------+
-  | Hypervisor1      |            |      Hypervisor2 |
-  |  +-----+         |            |         +-----+  |
-  |  | VM1 |         |            |         | VM2 |  |
-  |  +--+--+         |            |         +--+--+  |
-  |     | (vnet0)    |            |    (vnet0) |     |
-  |  +--+--+         |            |         +--+--+  |
-  |  | br0 |         |            |         | br0 |  |
-  |  +--+--+         |            |         +--+--+  |
-  |     |            |            |            |     |
-  | (ethws0)  (eth0) |            | (eth0)  (ethws0) |
-  +----||--------+---+            +----+-------||----+
-       ||        |        +---+        |       ||
-       ||   -----+--------| R |--------+-----  ||
-       ||                 +---+                ||
-       ||                                      ||
-       ``======================================''
-            (Ethernet over WebSocket tunnel)
-
-then you can use following commands.
-
-on *Hypervisor1*::
-
-  # etherws --device ethws0 server
+etherws is an implementation of Ethernet over WebSocket tunnel based on Linux
+Universal TUN/TAP device driver.
+
+Overview
+========
+*etherws sw* acts as a simple virtual ethernet switch, and it can create TAP
+interface or WebSocket tunnel by *etherws ctl*::
+
+      [tap]
+        |
+  +-----+------+   (control)
+  | etherws sw | <-----------+
+  +-----||-----+             |
+        ||            +-------------+
+    (WebSocket)       | etherws ctl |
+        ||            +-------------+
+  +-----||-----+             |
+  | etherws sw | <-----------+
+  +-----+------+   (control)
+        |
+      [tap]
+
+Basic Usage
+===========
+For example, consider creating following simple network::
+
+          (Physical Network)
+  -----+-------   //  -------+-----
+       | 10.0.0.10           | 10.0.0.5
+  +----+-----+         +-----+----+ 
+  | NodeA    |         | NodeB    |
+  |          |         |          |
+  | [ethws0] |         | [ethws0] |
+  +----||----+         +----||----+
+       || 192.0.2.10/24     || 192.0.2.5/24
+       ``===================''
+          (WebSocket Tunnel)
+
+In this case, *WebSocket Tunnel* will be created by following commands.
+
+on NodeA::
+
+  # etherws sw
+  # etherws ctl addport tap ethws0
+  # etherws ctl setif --address 192.168.0.10 --netmask 255.255.255.0 1
+
+on NodeB::
+
+  # etherws sw
+  # etherws ctl addport tap ethws0
+  # etherws ctl setif --address 192.168.0.5 --netmask 255.255.255.0 1
+  # etherws ctl addport client ws://10.0.0.10/
+
+*listport*, *listif* or *listfdb* commands will show you current port list,
+interface list, or forwarding database entries::
+
+  # etherws ctl listport
+  # etherws ctl listif
+  # etherws ctl listfdb
+
+Using SSL/TLS
+-------------
+etherws supports SSL/TLS connection. Tunnels will be encrypted and server will
+be verified by using following options.
+
+On server side::
+
+  # etherws sw --sslkey ssl.key --sslcert ssl.crt
+
+*ssl.key* is a server private key, and *ssl.crt* is a server certificate.
+
+On client side::
+
+  # etherws ctl addport client --cacerts ssl.crt wss://10.0.0.10/
+
+URL scheme was just changed to *wss*, and CA certificate to verify server
+certificate was specified.
+
+Client verifies server certificate by default. So, for example, *addport* will
+fail if your server uses self-signed certificate and client uses another CA
+certificate.
+
+If you want to just encrypt tunnels and do not need to verify server
+certificate, then you can use *--insecure* option::
+
+  # etherws ctl addport client --insecure wss://10.0.0.10/
+
+Note: see http://docs.python.org/library/ssl.html for more information about
+certificates.
+
+Client Authentication
+---------------------
+etherws supports HTTP Basic Authentication. It means you can use etherws as
+simple L2-VPN server/client.
+
+On server side, etherws requires user informations in Apache htpasswd format
+(and currently supports SHA-1 digest only). To create this file::
+
+  # htpasswd -s -c filename username
+
+If you do not have htpasswd command, then you can use python one-liner
+instead::
+
+  # python -c 'import hashlib; print("username:{SHA}" + hashlib.sha1("password").digest().encode("base64"))'
+
+To run server with this file::
+
+  # etherws sw --htpasswd filename
+
+On client side, etherws requires username and password from option with
+*addport* command::
+
+  # etherws ctl addport client --user username --passwd password ws://10.0.0.10/
+
+Or, password can be input from stdin::
+
+  # etherws ctl addport client --user username ws://10.0.0.10/
+  Client Password:
+
+If authentication did not succeed, then *addport* will fail.
+
+Note that you should not use HTTP Basic Authentication without SSL/TLS support,
+because it is insecure in itself.
+
+Advanced Usage
+==============
+
+Remote Control
+--------------
+*etherws ctl* controls *etherws sw* by JSON-RPC over HTTP. It means you can
+control *etherws sw* from remote node. However, allowing remote control without
+careful consideration also allows to attack to your server or network. So
+control URL is bound to localhost by default.
+
+If you just want to allow remote control, you can use following options for
+example::
+
+  # etherws sw --ctlhost 10.0.0.10 --ctlport 1234
+
+This means allowing remote control from any nodes that can access
+10.0.0.10:1234 TCP/IP. Of course it is very dangerous as described above.
+
+Here, *etherws ctl* can control remote *etherws sw* using following option::
+
+  # etherws ctl --ctlurl http://10.0.0.10:1234/ctl ...
+
+*etherws sw* controller supports SSL/TLS connection and client authentication
+as well as WebSocket tunnel service.
+
+On server side::
+
+  # etherws sw --ctlhost 10.0.0.10 --ctlport 443 \
+               --ctlhtpasswd htpasswd --ctlsslkey ssl.key --ctlsslcert ssl.crt
+
+On client side::
+
+  # etherws ctl --ctlurl https://10.0.0.10/ctl \
+                --ctluser username --ctlpasswd password ...
+
+Password can be input from stdin as well as WebSocket tunnel creation.
+
+Note: *etherws ctl* currently cannot verify SSL certificate on controller.
+
+Connect Virtual Machines
+------------------------
+For example, consider creating following virtual machine network::
+
+  +------------------+             +------------------+
+  | HypervisorA      |             |      HypervisorB |
+  |  +-----+         |             |         +-----+  |
+  |  | VM  |         |             |         | VM  |  |
+  |  +--+--+         |             |         +--+--+  |
+  |     | (vnet0)    |             |    (vnet0) |     |
+  |  +--+--+         |             |         +--+--+  |
+  |  | br0 |         |             |         | br0 |  |
+  |  +--+--+         |             |         +--+--+  |
+  |     |            |             |            |     |
+  | (ethws0)  (eth0) |             | (eth0)  (ethws0) |
+  +----||--------+---+             +----+-------||----+
+       ||        |                      |       ||
+       ||   -----+--------  //  --------+-----  ||
+       ||           (Physical Network)          ||
+       ||                                       ||
+       ``=======================================''
+                   (WebSocket Tunnel)
+
+In this case, it will be created by following commands.
+
+on HypervisorA::
+
+  # etherws sw
+  # etherws ctl addport tap ethws0
   # brctl addbr br0
   # brctl addif br0 vnet0
@@ -38 +198 @@
   # ifconfig br0 up
 
-on *Hypervisor2*::
-
-  # etherws --device ethws0 client --uri ws://<Hypervisor1's IP address>/
+on HypervisorB::
+
+  # etherws sw
+  # etherws ctl addport tap ethws0
+  # etherws ctl addport client ws://HypervisorA/
   # brctl addbr br0
   # brctl addif br0 vnet0
@@ -46 +208 @@
   # ifconfig br0 up
 
-Additionally, you may improve performance by increasing MTU.
-For example,
-
-on each hypervisor::
-
- # ifconfig vnet0 mtu 16436
- # ifconfig ethws0 mtu 16436
-
-on each VM::
-
- # ifconfig eth0 mtu 16436
-
-Using SSL/TLS
-=============
-etherws supports SSL/TLS connection.
-If you want to encrypt tunnels, then you can use following options.
-
-on *Hypervisor1*::
-
-  # etherws --device ethws0 server --keyfile ssl.key --certfile ssl.crt
-
-*ssl.key* is a server private key, and *ssl.crt* is a server certificate.
-
-Now you also can test SSL/TLS connection by following command::
-
-  # openssl s_client -connect <Hypervisor1's IP address>:443
-
-on *Hypervisor2*::
-
-  # etherws --device ethws0 client --uri wss://<Hypervisor1's IP address>/ --cacerts ssl.crt
-
-Here, URI scheme was just changed to *wss*, and CA certificate to verify
-server certificate was specified.
-
-By the way, client verifies server certificate by default.
-So, for example, client will die with error messages if your server uses
-self-signed certificate and client uses another CA certificate.
-
-If you want to just encrypt tunnels and do not need to verify
-certificate, then you can use following option::
-
-  # etherws --device ethws0 client --uri wss://<Hypervisor1's IP address>/ --insecure
-
-Note: see `<http://docs.python.org/library/ssl.html>`_
-for more information about certificates.
-
-Client Authentication
-=====================
-etherws supports HTTP Basic Authentication.
-It means you can use etherws as simple L2-VPN server/client.
-
-On server side, etherws requires user information in Apache htpasswd
-format (and currently supports SHA-1 digest only). To create this file::
-
-  # htpasswd -s -c filename username
-
-If you do not have htpasswd command, then you can use python one-liner::
-
-  # python -c 'import hashlib; print("username:{SHA}" + hashlib.sha1("password").digest().encode("base64"))'
-
-To run server with this::
-
-  # etherws --device ethws0 server --htpasswd filename
-
-You also can test by following command::
-
-  # telnet <address> 80
-  GET / HTTP/1.1
-
-It will return *401 Authorization Required*.
-
-On client side, etherws requires username from option, and password from
-option or stdin::
-
-  # etherws --device ethws0 client --uri ws://<address>/ --user username --passwd password
-  # etherws --device ethws0 client --uri ws://<address>/ --user username
-  Password: 
-
-If authentication did not succeed, then it will die with some error messages.
-
-Note that you should not use HTTP Basic Authentication without SSL/TLS
-support, because it is insecure in itself.
-
-Complex Examples
-================
-etherws has simple virtual Ethernet switch in itself and it can handle multiple
-TAP interfaces or WebSocket connections as virtual switch port::
-
-  (A)# etherws --device ethws0 --device ethws1 --device ethws2 server
-  (B)# etherws --device ethws0 server
-  (C)# etherws --device ethws0 --device ethws1 client --uri ws://x.x.x.x/
-  (D)# etherws --device ethws0 client --uri ws://x.x.x.x/ --uri ws://y.y.y.y/
-
-This will create following network::
-
-       (ethws0)  (ethws1)  (ethws2)             (ethws0)
-           |        |         |                    |
-     +-----+--------+---------+-----+     +--------+--------+
-     |           server (A)         |     |   server (B)    |
-     |        (ws://x.x.x.x/)       |     | (ws://y.y.y.y/) |
-     +-----+------------------+-----+     +-----+-----------+
-           |                  |                 |
-           |    (WebSocket)   |    +------------+
-           |                  |    |
-   +-------+------+   +-------+----+--+
-   |  client (C)  |   |   client (D)  |
-   +--+--------+--+   +-------+-------+
-      |        |              |
-  (ethws0)  (ethws1)      (ethws0)
-
-Also you can use TAP interface which is created by etherws as 802.1Q VLAN
-interface using vconfig command and so on.
-
 History
 =======
+1.0 (2012-XX-XX JST)
+  - global architecture change
+
 0.7 (2012-06-29 JST)
   - switching support