Xpra: Ticket #1022: Xpra Client in Listen Mode

It would be nice to have those two additional options (--listen, --client) e.g.

Xpra_cmd.exe attach [ssh/tcp]: EMPTY --listen=[IP:PORT] (Waits for server ready msg, with optional timeout. IP is provided in case a machine has more than 1 active address, otherwise not needed)

xpra --start :XX --start-child=CMD  --client=IP:PORT

Once server is initiated successfully, it sends a triggering tcp msg to the client containing USER@SERVER :XX to be used by the client to initiate ssh/tcp connection. One useful option with client listen mode is continues listing, so that it exec clients once server msg received and keeps listing for more servers as they become ready, instead of launching clients manually for each application

The main driver for this is to mimic the Xserver behavior where it listens and accepts connections from remote hosts
But another benefit of this listen option is that you can have servers that are NATed, unreachable from regular clients, since they will be the ones initiating the connection.

Thank you,

Tue, 03 Nov 2015 08:48:37 GMT - Antoine Martin: owner, type, description, milestone changed

owner changed from Antoine Martin to adarrab
type changed from task to enhancement
description modified (diff)
milestone changed from 0.16 to 0.17

As per this original mailing list thread: Xpra Client in Listen Mode Enquiry

I think it would be better, safer and more useful to simply reverse the connection so that the server connects to the client: no need for passing the user+host to connect to using a new magic message to trigger yet another connection. (with the inherent security risks every time - and new connections cannot traverse NAT back to the server).

The "listen" mode should probably be a new subcommand, rather than overloading "attach", ie:

xpra listen tcp:host:port

I really don't see much point at all in the listen via SSH option: if you can SSH to the client, you might as well start the client command via SSH, which is also much safer.

Pointers:

the Protocol is quite well abstracted and is used by both client and server, it does not care about which end initiates the connection
the client (and its subclasses / superclasses) will need a bit of work to be able to start:
- without timing out
- create a tray icon (or not?) and handle menus that are not meant to be used yet
- create the socket in listen mode (same code as the server) - when the connection is received, it just goes through the normal startup sequence: send hello and everything else should fall into place
the Server Base Class (and sub/super classes) will just need a new bit of code to create a new TCP connection and add it to its "sources" list. This should be available via "xpra control" and the dbus server so we can initiate new ones after the server is started if necessary. Think about timeouts, and retries..
authentication / encryption: the client should authenticate the server if the password option is used - and maybe we should be doing this anyway in all cases? (which we sort of do when you have encryption)

@adarrab: if you can take a look at the comments above and maybe even play with the code a little bit, I should be able to take a look at this for the next release

Tue, 03 Nov 2015 09:38:00 GMT - adarrab:

Sorry for the confusion, client doesn't listen through SSH, the [SSH/TCP] in the command line is to instruct the client to use [SSH/TCP] connection to the server (like attach [ssh/tcp]:....), once the server is ready. Listening is going to be always over tcp, since clients mostly do not run ssh server.

Wed, 16 Mar 2016 07:00:59 GMT - Antoine Martin: milestone changed

milestone changed from 0.17 to 0.18

Mon, 04 Apr 2016 06:19:08 GMT - Antoine Martin:

May be related / useful for #983 since vsock connections go from guest to host only. (AFAICT)

Edit: that was incorrect.

Tue, 12 Jul 2016 16:52:22 GMT - Antoine Martin: milestone changed

milestone changed from 0.18 to 1.0

Milestone renamed

Wed, 07 Sep 2016 10:13:06 GMT - Antoine Martin: milestone changed

milestone changed from 1.0 to future

I don't have time for this.

Sun, 26 Nov 2017 14:24:45 GMT - Antoine Martin: owner, status, milestone changed

owner changed from adarrab to Antoine Martin
status changed from new to assigned
milestone changed from future to 2.3

Should be easy enough to implement.

There are security implications.. I don't think we want to resurrect #1660

Sun, 07 Jan 2018 05:49:51 GMT - Antoine Martin: milestone changed

milestone changed from 2.3 to future

Actually not that easy to implement, and no real need for it. Re-scheduling.

Sun, 27 Jan 2019 15:17:14 GMT - Antoine Martin:

Sun, 08 Sep 2019 17:50:51 GMT - Antoine Martin: attachment set

attachment set to client-listen.patch

add listen mode for client

Sun, 08 Sep 2019 17:51:49 GMT - Antoine Martin:

Helped by the refactoring from ticket:2125#comment:11, the patch above makes it possible for the client to wait for a connection on sockets specified using the usual --bind-tcp syntax.

Sun, 08 Sep 2019 18:24:51 GMT - Antoine Martin:

See #2406 for generic client bind options.

Tue, 10 Sep 2019 06:30:15 GMT - Antoine Martin: attachment set

attachment set to client-listen-v2.patch

working patch

Tue, 10 Sep 2019 06:31:58 GMT - Antoine Martin: milestone changed

milestone changed from future to 3.0

The patch above works as long as one uses "socat" to join the server and client socket together:

server:

xpra start --start="xterm" --bind-tcp=0.0.0.0:10000

client:
```
xpra listen --bind-tcp=0.0.0.0:10001
```

socat:

socat TCP:localhost:10000 TCP:localhost:10001

I may still merge this just as a POC.

Tue, 10 Sep 2019 12:23:22 GMT - Antoine Martin: owner, status changed

owner changed from Antoine Martin to adarrab
status changed from assigned to new

Merged in r23767. As of r23770, the client can also be told where to connect, instead of just expecting a server connection:

xpra listen --bind-tcp=0.0.0.0:10001

echo tcp://192.168.1.10:10000 | socat - TCP:localhost:10001

The client will print:

closing tcp socket 0.0.0.0:10001
connecting to tcp://192.168.1.10:10000

Then proceeds as if it had been started with attach tcp://192.168.1.10:10000.

Caveats:

only the first connection will be used, after that the sockets are closed.

(so if the connection fails at that point, the client will just exit)

the client doesn't do any socket wrapping, so tcp sockets can't be upgraded to ssl, ssh or ws(s).

Will follow up in #2412

@adarrab: does that work for you?

Tue, 10 Sep 2019 17:23:33 GMT - adarrab:

@adarrab: does that work for you?

First of all, many thanks for putting the time to implement this feature, really appreciated!

The very basic scenario does work, but you would need a port for each client, which makes it annoying in situations where firewall is restricted to limited number of opened ports (which is the case in many places). I was hoping to have the client in listening mode acts like a proxy server where it listens on a single port, and upon receiving a connection from xpra servers, it spawns clients and forward traffic to them.

At least this is what I ended up doing couple of years ago: a listener service on a specific port which spawns xpra clients (ssh connection & key authentication) to the ready server (once server is ready it sends a message similar to your approach). The only downfall to this is that the client takes up to 5 seconds to initialize and establish the ssh connection, despite disabling many of the features like speaker, microphone, tray ...etc. Your approach with tcp binding (when the client is ready in listening mode) it shows the received application almost instantaneous upon receiving the signal from the server.

Wed, 11 Sep 2019 03:33:05 GMT - Antoine Martin: status changed; resolution set

status changed from new to closed
resolution set to fixed

I was hoping to have the client in listening mode acts like a proxy server where it listens on a single port, and upon receiving a connection from xpra servers, it spawns clients and forward traffic to them.

You should be able to achieve this with minimal code by spawning enough clients in advance in listen mode on a unix domain socket, then have a very simple tcp listener that dispatches to them. This could be helped by #2406: by creating your unix domain sockets in a pre-defined location, the dispatcher could just use xpra info on them to know which ones are still free. (and potentially pre-spawn more as needed)

Sat, 23 Jan 2021 05:12:45 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1022