unofficial mirror of guix-patches@gnu.org 
From: Runciter <runciter@pkbd.org>
To: Bruno Victal <mirai@makinata.eu>
Cc: Maze <maze@whispers-vpn.org>, 64349@debbugs.gnu.org
Subject: [bug#64349] [PATH] Guix service for robust and flexible persistent ssh forwarding
Date: Thu, 12 Oct 2023 22:32:09 +0800
Message-ID: <87cyxj7vyu.fsf@pkbd.org>
In-Reply-To: <54efe1c6-6a81-497d-8b8b-0b499cfc2acb@makinata.eu> (Bruno Victal's message of "Tue, 10 Oct 2023 15:33:16 +0100")

Bruno Victal <mirai@makinata.eu> writes:

Hello,

> Hi,
>
>> Missing:
>> 
>> * I have not started to work on control masters. When one has many
>>   connections daemonized to the same remote host, there could (should?)
>>   be a specialized service type extended only to serve as a control
>>   master for multiple other forwarding services. It's probably not that
>>   easy to program correctly.
>> 
>> * It only loads a private key directly from file, no ssh agent. I think
>>   it's probably quite easy to add.
>> 
>> * I haven't even tried to make host knowing configurable the
>>   slightest. No one is there to input "yes" when it starts, so I just
>>   hard coded ssh command switches that should completely tame the
>>   dreaded "SOMEONE MAY BE DOING SOMETHING NASTY!" and its little
>>   friends. Still, in the event this module would start to have its small
>>   user base, I might kind of feel bad about this and something would
>>   preferably have to be done... if that can possibly be practical.
>>   
>> * I think it can only do point-to-point tunnels, that is to say tun
>>   devices. Ssh documentation says it also can do tap devices, what they
>>   call layer 2, which can support DHCP, but in trials I never could get
>>   it to spit out a working tap tunnel... By using ssh for the network
>>   side of the tunnel and tunctl or POSIX or whatever applicable system
>>   calls from a program for the host sides of the tunnel, maybe it's
>>   possible to do tap devices. It's hard, probably.
>> 
>> * No documentation as of yet. The author also still has to learn how to
>>   write actual Texinfo docstrings for procedures, sorry about that.
>
> Any updates regarding these items?

No update as of yet on any of these items.

I've been working on a VPN on top of the ssh tunneler, for which I have
obtained basic functionality, but it's still not quite ready even for my
personal use. While I'm gradually improving the VPN, I'm reluctant to add
features to the underlying ssh tunneler services.

Still, I can focus on documenting the services I submitted right now,
and make clean docstrings for the procedures.

>
>> * I have a test script (not shared here) but it does not plug into the
>>   build system. Also, it deploys multiple VMs to test forwardings in
>>   situation, which means it can do some very strong testing but it's too
>>   heavy for a routine build. And the script does other things which are
>>   either crazy and/or very badly written. I could never have pulled this
>>   without my horrible shell script, but still, a simple script which
>>   plugs into the build system would be more desirable.
>
> Can you adapt it or write a test suite for this service? (see gnu/tests/…
> for inspiration)
> It makes it easier for everyone to test/review and maintain this addition.

There are facilities that are used in the test suite of gdm to create a
"marionette" operating system; probably this is what I should look into.

So I'll stop working on my VPN for a little while and do 2 things:
* Document the ssh-tunneler.scm service file which I previously submitted.
* Try to create a scheme test suite for the services in ssh-tunneler.scm.

I have to learn a few things to do this. Hopefully I can get back to you
at the end of this month with a submission.



