CernVM-FS through SSH tunnel

Hello,

Do you know if it’s possible to reach a basic install of CernVM-FS (stratum 0) through an SSH tunnel?
Ours is not reachable directly.
I’ve redirected the remote port to a local one with $ ssh -f myuser@myfrontend.mydomain.com -L 8080:mycvmfsserver:80 -N
Then set 127.0.0.1:8080 in my config.d .conf file.
I’m able to get the content of http://127.0.0.1:8080/cvmfs/imas.iter.org/.cvmfspublished
But no mount, and probe result is “… Failed!”
Manual mount (-t cvmfs) is asking for the PROXY variable. If empty, or set, it parses files, then fails to initialize the root catalog.

Thank you for your advice.

Regards.

Tunneling should certainly be possible. The proxy error is unrelated, I think. Have you tried setting
CVMFS_HTTP_PROXY=DIRECT in the config.d conf file?

Hi,
yes CVMFS_HTTP_PROXY=DIRECT is set.

Please find below a manual mount try:

Best regards.

It may be the repository public key then. I’d recommend storing it in a subdirectory of /etc/cvmfs/keys and setting CVMFS_KEYS_DIR=<path> in the config.d conf file.

The syslog should contain more information on why the root file catalog cannot be loaded.

Thanks, but it’s already set:

I’ll dig in the logs.

Jakob, I sent you the debug log by PM 🥺

Thanks! I got the debug logs. It’s certainly an issue with the public key, according to the logs. Are you sure that the key (/etc/cvmfs/keys/<reponame>.pub) on the client and the key used on the server are identical?

Yes, and to be sure, the key was scp’d from the server.

Hm, then my only other explanation is that the whitelist got corrupted. You can try running cvmfs_server resign on the publisher. You can also send me the result of

  • curl http://127.0.0.1:8080/cvmfs/<reponame>/.cvmfswhitelist
  • curl http://127.0.0.1:8080/cvmfs/<reponame>/.cvmfspublished
  • and the public key

in a private message.

OK, thanks, I’ll check that,
but the resign is done regularly via a cron job. And local/direct users don’t have any problem.

Regards