[systemd-devel] [RFC/PATCH] journal over the network

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Tue Nov 20 03:46:19 PST 2012


On Tue, Nov 20, 2012 at 10:02:39AM +0000, "Jóhann B. Guðmundsson" wrote:
> On 11/20/2012 09:02 AM, Adam Spragg wrote:
> >On Tuesday 20 Nov 2012 01:21:54 Lennart Poettering wrote:
> >>My intention was to speak only HTTP for all of this, so that we can
> >>nicely work through firewalls.
> >Wait, I thought one of the guiding principles of systemd was to do things The
> >Right Way, and not use ugly workarounds for other people's brokenness.
> >
> >If admins want to send network traffic over a port, and their firewall is
> >preventing them, surely the problem is in the firewall, and the firewall
> >should be fixed? Making everything HTTP-friendly to get around broken firewall
> >policies is an ugly workaround which just helps perpetuate the problem.
> 
> Agreed + you don't want to use ssh to do this either
I think that firewalls are just one of the reasons... I think that we
want to have SSL-encrypted communications by default, and then the
specific protocol used above that is invisible to the firewall anyway.

Having multiple "transports" isn't really a problem -- it is mostly a matter
of hooking into some library.

HTTP is already spoken by systemd-journal-gatewayd, and SSH is useful
because everybody already has it set up.

> >Not to mention the fact that HTTP is a horrible protocol for almost anything
> >except serving up web pages. It effectively implements a basic
> >request/response datagram protocol (albeit with arbitrarily large "packets"),
> >which can only be initiated from one side, but with the overhead of HTTP
> >headers and the creation of a TCP connection.
If encryption is used, TCP connection overhead is negligible. And we
only want mostly one-way communication anyway.

> I somehow always imagined remote systemd and systemd journal
> integration being handled in a similar manner as func [1] and
> certmaster[2] are doing.
> 
> 1. https://fedorahosted.org/func/
> 2. https://fedorahosted.org/certmaster/
Certmaster looks great: maybe it can be used to solve the problem of
certificate distribution.

Zbyszek

