svc/connect.in: Add a new `sabotage' command to test ping-failure actions.

[tripe] / svc / connect.8.in

.\" -*-nroff-*-
.\".
.\" Manual for the connect service
.\"
.\" (c) 2008 Straylight/Edgeware
.\"
.
.\"----- Licensing notice ---------------------------------------------------
.\"
.\" This file is part of Trivial IP Encryption (TrIPE).
.\"
.\" TrIPE is free software: you can redistribute it and/or modify it under
.\" the terms of the GNU General Public License as published by the Free
.\" Software Foundation; either version 3 of the License, or (at your
.\" option) any later version.
.\"
.\" TrIPE is distributed in the hope that it will be useful, but WITHOUT
.\" ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
.\" FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
.\" for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with TrIPE.  If not, see <https://www.gnu.org/licenses/>.
.
.\"--------------------------------------------------------------------------
.so ../defs.man.in \"@@@PRE@@@
.
.\"--------------------------------------------------------------------------
.TH connect 8tripe "11 December 2007" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
.
.\"--------------------------------------------------------------------------
.SH "NAME"
.
connect \- tripe service to handle addition and removal of peers
.
.\"--------------------------------------------------------------------------
.SH "SYNOPSIS"
.
.B connect
.RB [ \-a
.IR socket ]
.RB [ \-d
.IR dir ]
.RB [ \-p
.IR file ]
.br
\&      \c
.RB [ \-\-daemon ]
.RB [ \-\-debug ]
.RB [ \-\-startup ]
.
.\"--------------------------------------------------------------------------
.SH "DESCRIPTION"
.
The
.B connect
service tracks associations with peers and performs various actions at
appropriate stages in the assocations' lifecycles.  It also registers
new peers with the
.BR tripe (8)
server on demand.
.PP
For example:
.hP \*o
When a peer is added, it arranges to configure the corresponding network
interface correctly, and (if necessary) to initiate a dynamic
connection.
.hP \*o
When a peer is removed, it arranges to bring down the network interface.
.hP \*o
While the peer is known, it
.BR PING s
it at regular intervals.  If the peer fails to respond, it can be
removed or reconnected.
.PP
A peer may participate
.I actively
or
.I passively
in a connection.  A peer participating actively (an
.IR "active peer" )
must already know its peer's connection details \(en its server's IP
address and port.  Active connection is suitable when the peer is a
well-known server with stable details.
.PP
A server participating passively (a
.IR "passive peer" )
waits to be contacted by its peer, and discovers the peer's IP address
and port as a result of a simple protocol described below.  Passive
connection is suitable when the peer's IP address or port can vary over
time \(en e.g., if its IP address is assigned dynamically by DHCP or
PPP, or if it is hidden behind a NAT firewall.
.PP
If both peers are active, we say that they establish an
.IR "static connection" ;
if one is passive, we say that they establish a
.IR "dynamic connection" .
At least one of the peers must be active; it is not possible to
establish a connection if both peers are passive.
.SS "Command line"
In addition to the standard options described in
.BR tripe-service (7),
the following command-line options are recognized.
.TP
.BI "\-p, \-\-peerdb=" file
Use
.I file
as the (CDB format) peer database.  In the absence of this option, the
file named by the
.B TRIPEPEERDB
environment variable is used; if that's not set either, then the default
default of
.B peers.cdb
in the current working directory is used instead.
.
.\"--------------------------------------------------------------------------
.SH "BEHAVIOUR"
.
.SS "Adoption"
The
.B connect
service maintains a list of peers which it has adopted.  A peer is
.I eligible for adoption
if it has a record in the peer database
.BR peers.cdb (5)
in which the
.B watch
key is assigned the value
.BR t ,
.BR true ,
.BR y ,
.BR yes ,
or
.BR on .
.PP
The service pings adopted peers periodically in order to ensure that
they are alive, and takes appropriate action if no replies are received.
.PP
A peer is said to be
.I adopted
when it is added to this list, and
.I disowned
when it removed.
.
.SS "Configuring interfaces"
The
.B connect
service configures network interfaces by invoking an
.B ifup
script.  The script is invoked as
.IP
.I script
.IR args ...
.I peer
.I ifname
.IR addr ...
.PP
where the elements are as described below.
.TP
.IR script " and " args
The peer's database record is retrieved; the value assigned to the
.B ifup
key is split into words (quoting is allowed; see
.BR tripe-admin (5)
for details).  The first word is the
.IR script ;
subsequent words are gathered to form the
.IR args .
.TP
.I peer
The name of the peer.
.TP
.I ifname
The name of the network interface associated with the peer, as returned
by the
.B IFNAME
administration command (see
.BR tripe-admin (5)).
.TP
.I addr
The network address of the peer's TrIPE server, in the form output by
the
.B ADDR
administration command (see
.BR tripe-admin (5)).
The first word of
.I addr
is therefore a network address family, e.g.,
.BR INET .
.PP
The
.B connect
service deconfigures interfaces by invoking an
.B ifdown
script, in a similar manner.  The script is invoked as
.IP
.I script
.IR args ...
.I peer
.PP
where the elements are as above, except that
.I script
and
.I args
are formed by splitting the value associated with the peer record's
.B ifdown
key.
.PP
In both of the above cases, if the relevant key (either
.B ifup
or
.BR ifdown )
is absent, no action is taken.
.PP
The key/value pairs in the peer's database record and the server's
response to the
.B ALGS
administration command (see
.BR tripe-admin (5))
are passed to the
.B ifup
and
.B ifdown
scripts as environment variables.  The environment variable name
corresponding to a key is determined as follows:
.hP \*o
Convert all letters to upper-case.
.hP \*o Convert all sequences of one or more non-alphanumeric characters
to an underscore
.RB ` _ '.
.hP \*o Prefix the resulting name by
.RB ` P_ '
or
.RB ` A_ '
depending on whether it came from the peer's database record or the
.B ALGS
output respectively.
.PP
For example,
.B ifname
becomes
.BR P_IFNAME ;
and
.B cipher-blksz
becomes
.BR A_CIPHER_BLKSZ .
.
.SS "Dynamic connection"
If a peer's database record assigns a value to the
.B connect
key, then the
.B connect
service will attempt to establish a connection dynamically with the
peer.  The value of the
.B connect
key is invoked as a Bourne shell command, i.e.,
.IP
.B /bin/sh \-c
.I connect
.PP
is executed.  The command is expected to contact the remote server and
report, on standard output, a challenge string, typically by issuing
a
.B passive
command to the instance of the
.B connect
service running on the peer.  The
.B connect
service reads this challenge, and submits the command
.IP
.B GREET
.I peer
.I challenge
.PP
Typically, the
.B connect
command will issue a command such as
.IP
.B SVCSUBMIT connect passive
.I our-name
.PP
where
.I our-name
is the remote peer's name for this host.
.PP
Similarly, if the database record has a
.B disconnect
entry, then
.B connect
will use this to give the peer explicit notification that its services
are no longer needed.  The value of the
.B disconnect
key is invoked as a Bourne shell command.  This ought to result in a
.B KILL
command being issued to the peer's server.
.PP
In detail, the protocol for passive connection works as follows.
.hP 1.
The active peer
.BR ADD s
its partner, typically using the
.B \-cork
option to suppress the key-exchange message which the server usually
sends immediately, since otherwise the passive peer will warn about it.
.hP 2.
The active peer issues the command
.RS
.IP
.B SVCSUBMIT connect passive
.I user
.PP
to the passive peer's server.  (Here,
.I user
is a name identifying the active peer; see below.)  Doing this is the
responsibility of the
.B connect
command.
.RE
.hP 3.
The
.B connect
service on the passive peer responds with a
.I challenge
\(en a short Base64-encoded string.  Somehow this challenge is sent back
to the passive peer without being intercepted.
.hP 4.
The active peer sends a
.BR GREET ing
containing the challenge to its passive partner.  The passive server
announces the arrival of this message, and the originating address and
port.
.hP 5.
The
.B connect
service running on the passive host receives the notification, matches
it up with the
.I user
from the initial connection request, and
.BR ADD s
the appropriate peer, with the address from the
.BR GREET ing.
.
.SS "Operation"
On startup,
.B connect
requests a list of current peers from the
.BR tripe (8)
server, and adopts any eligible peers.  If the
.B \-\-startup
flag was passed on the command line, the newly adopted peers have their
interfaces configured and connection attempts are made.
.PP
Adopted peers are pinged at regular intervals (using the
.B PING
administrative command; see
.BR tripe-admin (5)).
This process can be configured by assigning values to keys in the peer's
database record.  Some of these parameters are time intervals,
expressed as a nonnegative integer followed optionally by
.BR d ,
.BR h ,
.BR m ,
or
.B s
for days, hours, minutes, or seconds, respectively; if no suffix is
given, seconds are assumed.
.PP
The parameters are as follows.
.TP
.B every
A time interval: how often to ping the peer to ensure that it's still
alive.  The default is 30 seconds for active dynamic peers, and 5
minutes for passive peers.
.IP
The period for dynamic peers should be no longer than
.I timeout
\(mu
.RI ( retries
\- 1).  Consider an idle mobile peer which has its IP address changed
just before its passive peer begins pinging.  The static peer's pings
will go to the old address until it receives a ping back from the mobile
peer.  Therefore, the static peer has to keep pinging until it would
definitely have received an unsolicited ping from the mobile peer, and
therefore be informed of the change of address.  And it's no use
learning about the change of address just after sending the last ping to
the old address, so the last retry doesn't count for the purposes of
this calculation.
.IP
Besides, the consequences of failed pinging differ between dynamic and
passive peers.  In the former case, a failure provokes a reconnection
attempt, after which (hopefully) things will work again: it's probably a
good thing to check frequently and fail fast.  In the latter case, the
dynamic peer will certainly have to notice that it's been abandoned and
arrange to retry, causing a communication failure where maybe there
wasn't really one before.
.TP
.B timeout
A time interval: how long to wait for a reply before retrying or giving
up.  The default is 10 seconds.
.TP
.B retries
An integer: how many failed attempts to make before deciding that the
peer is unreachable and taking action.  The default is 5 attempts.
.PP
The algorithm is as follows.  Send up to
.I retries
pings; if a reply is received before the
.I timeout
then the peer is alive; wait
.I every
and check again.  If no reply is received within the
.IR timeout ,
then try again up to
.I retries
times.  If no attempt succeeds, the peer is declared unreachable.  If
the peer has a
.B connect
command (i.e., it connects dynamically) then another connection attempt
is made.  Otherwise the peer is killed.
.
.\"--------------------------------------------------------------------------
.SH "SERVICE COMMAND REFERENCE"
.
.\"* 10 Service commands
The commands provided by the service are as follows.
.SP
.BI "active " peer
Make an active connection to the named
.IR peer .
The service will submit the command
.RS
.IP
.B ADD
.RB [ \-cork ]
.RB [ \-keepalive
.IR time ]
.RB [ \-key
.IR tag ]
.RB [ \-priv
.IR tag ]
.RB [ \-mobile ]
.RB [ \-tunnel
.IR driver ]
.I address
.PP
Specifically:
.hP \*o
The option
.B \-cork
is provided if the peer's database record assigns the
.B cork
key one of the values
.BR t ,
.BR true ,
.BR y ,
.BR yes,
or
.BR on .
.hP \*o
The option
.B \-keepalive
.I time
is provided if the database record assigns a value
.I time
to the
.B keepalive
key.
.hP \*o
The option
.B \-key
.I tag
is provided if the database record assigns a value
.I tag
to the
.B key
key.
.hP \*o
The option
.B \-priv
.I tag
is provided if the database record assigns a value
.I tag
to the
.B priv
key.
.hP \*o
The option
.B \-mobile
is provided if the peer's database record assigns the
.B mobile
key one of the values
.BR t ,
.BR true ,
.BR y ,
.BR yes,
or
.BR on .
.hP \*o
The option
.B \-tunnel
.I driver
is provided if the database record assigns a value
.I driver
to the
.B tunnel
key.
.hP \*o
The
.I address
is the value assigned to the
.B peer
key in the database record.
.RE
.SP
.B adopted
For each peer being tracked by the
.B connect
service, write a line
.B INFO
.IR name .
(Compatibility note: it's possible that further information will be
provided about each peer, in the form of subsequent tokens.  Clients
should be prepared to ignore such tokens.)
.SP
.BI "info " peer
Lists the database record and additional information about the named
.IR peer .
For each key/value pair, a line
.RS
.IP
.B INFO
.IB key = value
.PP
is output.  The key/value pairs are output in an arbitrary order.
.PP
In addition to the fields of the peer's database record, the following
additional keys are defined.
.TP
.B failures
The number of failed pings in the current or most recent batch, in
decimal.
.TP
.B last-ping
The round-trip time of the most recent ping in milliseconds, in the form
.IB nn.n ms\fR,
or
.B timeout
if the most recent ping timed out,
or
.B \-
if no pings have yet completed.
.TP
.B max-ping
The maximum successful ping time so far in milliseconds, in the form
.IB nn.n ms\fR,
or
.B \-
if no pings have yet succeeded.
.TP
.B mean-ping
The average successful ping time so far in milliseconds, in the form
.IB nn.n ms\fR,
or
.B \-
if no pings have yet succeeded.
.TP
.B min-ping
The minimum successful ping time so far in milliseconds, in the form
.IB nn.n ms\fR,
or
.B \-
if no pings have yet succeeded.
.TP
.B n-lost
The number of pings which have been declared timed out so far, in
decimal.
.TP
.B n-ping
The number of successful pings so far, in decimal.
.TP
.B sd-ping
The standard deviation of ping times so far in milliseconds, in the form
.IB nn.n ms\fR,
or
.B \-
if no pings have yet succeeded.
.TP
.B state
One of the strings:
.B idle
if the peer has responded to a ping recently, and we are waiting for the
.B every
delay before we try again; or
.B check
if we are currently waiting for a ping to return.
.RE
.SP
.BI "kick " peer
If
.I peer
is currently added, and its record in the peer database contains a
.B connect
key (see
.BR peers.in )
then force a reconnection attempt.  See
.BR "Dynamic connection" .
.SP
.B "list-active"
Output a list of peers in the database.  For each peer name
.IR peer ,
a line
.RS
.IP
.B INFO
.I peer
.PP
is output.
.RE
.SP
.BI "passive \fR[" options "\fR]\fP " user
If the database contains a user record mapping
.I user
to some
.I peer
then an
.B INFO
line is written containing a freshly chosen challenge string.  If the
server receives a
.BR GREET ing
message quoting this challenge within 30 seconds, the
.B connect
service will issue an
.B ADD
request for the peer, as for the
.B active
command, except that the origin of the
.BR GREET ing
packet is used as the peer's address.
.RS
.\"+opts
.PP
The following option is recognized.
.TP
.BI "\-timeout " time
Wait for
.I time
instead of 30 seconds.  The
.I time
is expressed as a non-negative integer followed by
.BR d ,
.BR h ,
.BR m ,
or
.B s
for days, hours, minutes or seconds respectively; if no suffix is given,
seconds are assumed.
.\"-opts
.RE
.SP
.BI "sabotage " peer
Sabotage the
.I peer
so that
.B connect
thinks that it can't respond to pings.  This will usually provoke a
reconnection attempt.  Use
.B kick
instead unless you're trying to test
.BR connect .
.SP
.BI "userpeer " user
Output a single
.B INFO
line identifying the peer corresponding to the
.I user
name.
.
.\"--------------------------------------------------------------------------
.SH "NOTIFICATIONS"
.
.\"* 30 Notification broadcasts (NOTE codes)
All notifications issued by
.B connect
begin with the tokens
.BR "USER connect" .
.SP
.B "USER connect peerdb-update"
The peer database has changed.  Other interested clients should reopen
the database.
.SP
.BI "USER connect ping-failed " peer " " error\fR...
An attempt to
.B PING
the named
.I peer
failed; the server replied
.B FAIL
.IR error ...
.SP
.BI "USER connect " process\fR... " stdout " line
The
.I process
spawned by the
.B connect
service unexpectedly wrote
.I line
to its standard output.
.
.\"--------------------------------------------------------------------------
.SH "WARNINGS"
.
.\"* 40 Warning broadcasts (WARN codes)
All warnings issued by
.B connect
begin with the tokens
.BR "USER connect" .
.SP
.BI "USER connect auto-add-failed " name " " error\fR...
The attempt to add the peer
.I name
automatically failed: the
.B ADD
command reported
.B FAIL
.IR error ...
.SP
.BI "USER connect ping-ok " peer
A reply was received to a
.B PING
sent to the
.IR peer ,
though earlier attempts had failed.
.SP
.BI "USER connect ping-timeout " peer " attempt " i " of " n
No reply was received to a
.B PING
sent to the
.IR peer .
So far,
.I i
.BR PING s
have been sent; if a total of
.I n
consecutive attempts time out, the
.B connect
service will take further action.
.SP
.B "USER connect reconnecting " peer
The dynamically connected
.I peer
seems to be unresponsive.  The
.B connect
service will attempt to reconnect.
.SP
.BI "USER connect " process\fR... " stderr " line
The
.I process
spawned by the
.B connect
service wrote
.I line
to its standard error.
.SP
.BI "USER connect " process\fR... " exit-nonzero " code
The
.I process
spawned by the
.B connect
service exited with the nonzero status
.IR code .
.SP
.BI "USER connect " process\fR... " exit-signal S" code
The
.I process
spawned by the
.B connect
service was killed by signal
.IR code .
Here,
.I code
is the numeric value of the fatal signal.
.SP
.BI "USER connect " process\fR... " exit-unknown " status
The
.I process
spawned by the
.B connect
service exited with an unknown
.IR status .
Here,
.I status
is the raw exit status, as returned by
.BR waitpid (2),
in hexadecimal.
.
.\"--------------------------------------------------------------------------
.SH "CHILD PROCESS IDENTIFIERS"
.
.\"* 50 Child process identifiers
Some of the warnings and notifications refer to processes spawned by
.B connect
under various circumstances.  The process identifiers are as follows.
.SP
.BI "connect " peer
A child spawned in order to establish a dynamic connection with
.IR peer .
.SP
.BI "disconnect " peer
A child spawned in order to shut down a dynamic connection with
.IR peer .
.SP
.BI "ifdown " peer
A child spawned to deconfigure the network interface for
.IR peer .
.SP
.BI "ifup " peer
A child spawned to configure the network interface for
.IR peer .
.
.\"--------------------------------------------------------------------------
.SH "SUMMARY"
.
.\"= summary
.
.\"--------------------------------------------------------------------------
.SH "SEE ALSO"
.
.BR tripe-service (7),
.BR peers.in (5),
.BR tripe (8).
.
.\"--------------------------------------------------------------------------
.SH "AUTHOR"
.
Mark Wooding, <mdw@distorted.org.uk>
.
.\"----- That's all, folks --------------------------------------------------