RTD does not support installing system packages; the only ways to install
dependencies are setuptools and pip, while ditaa is a tool written in
Java. So we need to find a native Python tool allowing us to render ditaa
images. plantweb is able to use the web service for rendering the ditaa
diagram, so let's use it as a fallback if "ditaa" is not around.
Also start a new line after the directive, otherwise the plantweb server will
return 500 on seeing the diagram.
Signed-off-by: Kefu Chai <kchai@redhat.com>

The same scenario that was possible on client_ident is also possible
for reconnect: on the accepting side we recognized the client_addrs
but the client is trying to reach someone else. Since the cookie is a
random 64-bit value it is unlikely, but still possible, that we will
match an existing session that is not for the client.
Signed-off-by: Sage Weil <sage@redhat.com>

If we get a client_ident frame, and they are trying to talk to someone
else, drop the connection.
This is an inelegant workaround to http://tracker.ceph.com/issues/38247.
A nicer fix would be to restructure the protocol so that the client knows
who they connected to before they try to open a session. That is a bigger
change that can follow...
Fixes: http://tracker.ceph.com/issues/38247
Signed-off-by: Sage Weil <sage@redhat.com>

The modes are:
- crc: crc32c checksums to protect against bit errors. No secrecy or
authenticity guarantees, so a MITM could alter traffic in flight.
- secure: cryptographic secrecy and authenticity protection (i.e., encrypted
and signed).
We do not include a 'signed' mode that provides authenticity without
secrecy because the cryptographic protocols appear to be faster than
SHA-2.
New settings:
- ms_cluster_mode : mode(s list) for intra-cluster connections
- ms_service_mode : mode(s list) for daemons to allow
- ms_client_mode : mode(s list) for clients to allow
Also,
- ms_mon_cluster_mode : mon <-> mon connections
- ms_mon_service_mode : mon <-> daemon or client connections
The msgr2 protocol is expanded slightly to negotiate a mode. Client
shares its allowed/preferred modes, and server picks one as auth finishes.
Negotiation is independent of the authentication, except that the
authentication mode may preclude certain choices. Specifically, AUTH_NONE
does not support 'secure', only 'crc'.
Signed-off-by: Sage Weil <sage@redhat.com>
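
The mode negotiation described in the commit message above, sketched as an added example; this is not code from the commit or from Ceph. The type and function names are hypothetical, and two points are assumptions the message does not state: that a mode list is written as space- or comma-separated names, and that the server takes the first entry of its own list that the client also allows.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Hypothetical names for illustration; not Ceph's own types or constants.
enum class Mode { crc, secure };
enum class Auth { none, other };  // "other" = any method that can do 'secure'

// Parse a mode-list setting value (assumed form: "secure crc") into an
// ordered preference list. Unknown tokens are dropped, never mapped to a mode.
std::vector<Mode> parse_modes(const std::string& s) {
  std::vector<Mode> out;
  std::size_t i = 0;
  while (i < s.size()) {
    std::size_t j = s.find_first_of(" ,", i);
    if (j == std::string::npos) j = s.size();
    const std::string tok = s.substr(i, j - i);
    if (tok == "crc") out.push_back(Mode::crc);
    else if (tok == "secure") out.push_back(Mode::secure);
    i = j + 1;
  }
  return out;
}

// Server side, run as auth finishes: choose the first mode in the server's
// list that the client also allows (assumed selection rule).
// AUTH_NONE cannot provide 'secure', so that mode is skipped for it.
// Returns false when no common mode exists; the caller should fail the
// connection instead of falling back to a mode one side did not allow.
bool pick_mode(const std::vector<Mode>& server,
               const std::vector<Mode>& client, Auth auth, Mode* chosen) {
  for (Mode m : server) {
    if (auth == Auth::none && m == Mode::secure) continue;
    if (std::find(client.begin(), client.end(), m) != client.end()) {
      *chosen = m;
      return true;
    }
  }
  return false;
}
```

With a server list of only `secure` and AUTH_NONE, `pick_mode` returns false: the authentication method removes the sole mode both sides would accept, so there is nothing left to negotiate.
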
- specify entity_name_t in TAG_IDENT instead of every msg
header
- add more notes
- include optional padding before the data segment for a msg
Signed-off-by: Sage Weil <sage@redhat.com>

- Remove stream concept. It was incompletely/poorly
specified, and we don't actually want to implement it now. We
can do it later now that we have a banner that advertises
features more clearly.
- Simplify the auth messages a bit: make a MORE message that
isn't a request (or reply), and a final DONE. DONE comes from
the server, not the client. Drop the SET_METHOD which can be
rolled into the REQUEST message.
Signed-off-by: Sage Weil <sage@redhat.com>

- Add stream ids to the protocol. This will allow us to
multiplex multiple entities over the same TCP
connection.
- Add a frame length. This lets us pull entire frames
off the wire without any introspection. This is
helpful on the implementation side because each stream
may have a different cipher and for performance reasons
because we want to pull large chunks from the network
at a time.
- Simplify to a single frame format description, with
only one optional variation (signature or no
signature).
Signed-off-by: Sage Weil <sage@redhat.com>

I don't think this is necessary. Our signature and cipher state
includes prior messages, so as long as we have a confounded
start (a confounder in MSG_AUTH_DONE, in this case) then we are
in good shape.
Signed-off-by: Sage Weil <sage@redhat.com>