g.raphaelli's webloghttp://g.raphaelli.com/tags/security/feed.atom2009-01-12T10:45:44ZZineCircumventing security policy with gearmantag:g.raphaelli.com,2009-01-09/entry:2009/1/9/defeating-firewalls-with-gearmand2009-01-12T10:45:44Z2009-01-12T10:42:00Zg<p>Gearman can be handy for defeating security in situations like the one pictured:
</p><div style="text-align: center;"><img src="http://static.g.raphaelli.com/images/2009/01/12/host-setup.png"></div>
Here, Host A can initiate connections to Host B but Host B is blocked by a firewall/router ACL/etc from initiating communications with Host A.<p></p>
<p>With gearman, you can call a service on Host A from Host B with a setup like this:
</p><div style="text-align: center;"><img src="http://static.g.raphaelli.com/images/2009/01/12/gearman-rpc.png"></div>
<ol>
<li>Run a gearmand job server on host B (or any host that A and B can both reach).</li>
<li>Register a gearman worker running on Host A with that job server.</li>
<li>Submit work from a client running on Host B to that job server.</li>
</ol>
<p></p>
<p>This idea can be taken another step by chaining workers together such that calling abc() as depicted above creates a job that Host C, which can't reach or be reached by Host B at all, can ultimately execute. That kind of setup makes it increasingly difficult to track an individual task's real status but it can be handy in a pinch.</p>Gearmand Rewrite Releasedtag:g.raphaelli.com,2009-01-09/entry:2009/1/9/gearmand2009-01-11T01:57:53Z2009-01-09T07:43:00Zg<p>There is some big news for <a href="http://www.gearmanproject.org/">Gearman</a> fans out today - the first release of the C-rewrite of the gearmand job server has been <a href="http://www.oddments.org/?p=30">announced</a>.</p>
<p>Gearman is an excellent framework for farming out tasks to pools of machines, parallelizing tasks, and making calls between programming languages that speak gearman. Like memcached, it's extremely easy to get started using it. Once you do start using it, you'll never understand how you lived without it.</p>
<p>The new release does not provide python bindings but the code in <a href="http://code.sixapart.com/svn/gearman/trunk/api/python/">sixapart's svn</a> should be compatible with the new server*. The sample code provided with the both the perl and C versions is pretty trivial as they simply echo or reverse some strings. To pass interesting data between client and worker you'll need to create your own convention. YAML or simply JSON is very handy for this.</p>
<p>Let's take a contrived example. Of course, error handling will be omitted for clarity.</p>
<p>This is a gearman worker that expects a list of urls and will do something to each of them.</p>
<div class="syntax"><pre><span class="sd">""" A Sample Gearman Worker """</span>
<span class="kn">import</span> <span class="nn">logging</span>
<span class="kn">from</span> <span class="nn">functools</span> <span class="kn">import</span> <span class="n">wraps</span>
<span class="kn">import</span> <span class="nn">os</span>
<span class="kn">import</span> <span class="nn">simplejson</span> <span class="kn">as</span> <span class="nn">json</span>
<span class="kn">import</span> <span class="nn">urllib</span>
<span class="kn">from</span> <span class="nn">gearman</span> <span class="kn">import</span> <span class="n">GearmanWorker</span>
<span class="k">def</span> <span class="nf">job_in</span><span class="p">(</span><span class="n">fn</span><span class="p">):</span>
<span class="sd">""" Decorates worker functions by calling them with a job's arguments """</span>
<span class="nd">@wraps</span><span class="p">(</span><span class="n">fn</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">new</span><span class="p">(</span><span class="n">job</span><span class="p">):</span>
<span class="c"># do something with the job object</span>
<span class="k">return</span> <span class="n">fn</span><span class="p">(</span><span class="n">job</span><span class="o">.</span><span class="n">arg</span><span class="p">)</span>
<span class="k">return</span> <span class="n">new</span>
<span class="k">def</span> <span class="nf">json_in</span><span class="p">(</span><span class="n">fn</span><span class="p">):</span>
<span class="sd">""" Decorates a function that may be called with a</span>
<span class="sd"> JSON-formatted string but expects a python object """</span>
<span class="nd">@wraps</span><span class="p">(</span><span class="n">fn</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">new</span><span class="p">(</span><span class="n">arg</span><span class="p">):</span>
<span class="c"># convert the args in JSON to a python object</span>
<span class="n">arg</span> <span class="o">=</span> <span class="n">json</span><span class="o">.</span><span class="n">loads</span><span class="p">(</span><span class="n">arg</span><span class="p">)</span>
<span class="k">return</span> <span class="n">fn</span><span class="p">(</span><span class="n">arg</span><span class="p">)</span>
<span class="k">return</span> <span class="n">new</span>
<span class="nd">@job_in</span>
<span class="nd">@json_in</span>
<span class="k">def</span> <span class="nf">fetch</span><span class="p">(</span><span class="n">urls</span><span class="p">):</span>
<span class="n">success</span> <span class="o">=</span> <span class="mf">0</span>
<span class="k">for</span> <span class="n">url</span> <span class="ow">in</span> <span class="n">urls</span><span class="p">:</span>
<span class="n">logging</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s">"fetching </span><span class="si">%s</span><span class="s">"</span> <span class="o">%</span> <span class="n">url</span><span class="p">)</span>
<span class="c"># do something with the url</span>
<span class="n">success</span> <span class="o">+=</span> <span class="mf">1</span>
<span class="k">return</span> <span class="n">json</span><span class="o">.</span><span class="n">dumps</span><span class="p">({</span><span class="s">'fetched'</span><span class="p">:</span> <span class="n">success</span><span class="p">})</span>
<span class="n">worker</span> <span class="o">=</span> <span class="n">GearmanWorker</span><span class="p">(</span><span class="n">jobservers</span><span class="p">)</span>
<span class="n">worker</span><span class="o">.</span><span class="n">register_function</span><span class="p">(</span><span class="s">"fetch"</span><span class="p">,</span> <span class="n">fetch</span><span class="p">)</span>
<span class="n">worker</span><span class="o">.</span><span class="n">work</span><span class="p">()</span>
</pre></div>
<p>
A client for this worker can look like:
</p><div class="syntax"><pre><span class="kn">import</span> <span class="nn">simplejson</span> <span class="kn">as</span> <span class="nn">json</span>
<span class="kn">from</span> <span class="nn">gearman</span> <span class="kn">import</span> <span class="n">GearmanClient</span><span class="p">,</span> <span class="n">Task</span>
<span class="n">urls</span> <span class="o">=</span> <span class="p">[</span><span class="s">'http://www.flickr.com'</span><span class="p">,</span> <span class="s">'http://www.yahoo.com'</span><span class="p">]</span>
<span class="n">client</span> <span class="o">=</span> <span class="n">GearmanClient</span><span class="p">(</span><span class="n">jobservers</span><span class="p">)</span>
<span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="o">.</span><span class="n">do_task</span><span class="p">(</span><span class="n">Task</span><span class="p">(</span><span class="s">"fetch"</span><span class="p">,</span> <span class="n">arg</span><span class="o">=</span><span class="n">json</span><span class="o">.</span><span class="n">dumps</span><span class="p">(</span><span class="n">urls</span><span class="p">)))</span>
<span class="k">print</span> <span class="s">"</span><span class="si">%i</span><span class="s"> urls fetched successfully"</span> <span class="o">%</span> <span class="n">json</span><span class="o">.</span><span class="n">loads</span><span class="p">(</span><span class="n">response</span><span class="p">)[</span><span class="s">'fetched'</span><span class="p">]</span>
</pre></div>
<p>While this example is still quite simple, it does illustrate the idea of the convention necessary for passing real information between clients and workers. The python libraries for gearman also support tasksets which are a set of tasks submitted at once to a job server for parallel execution. This is a simple yet powerful way to speed up work and make the most of hardware investments.</p>
<p>I hope that this rewrite of gearmand renews interest in the python community to enhance the current bindings. I'd be very interested in a gearman protocol implementation for twisted (and might just start working on it soon).</p>
<p>* on Mac OSX 10.4.11 I'm getting a bus error from gearmand after successfully running a job. I haven't tracked it down or submitted a bug yet. <b>update:</b> <a href="https://bugs.launchpad.net/gearmand/+bug/315652">bug</a> reported via IRC (yes, I'm gilad on freenode) and fixed with a two line patch. A new release should be announced shortly.</p>