Path: csiph.com!fu-berlin.de!uni-berlin.de!not-for-mail
From: Matt Ruffalo <matt.ruffalo@gmail.com>
Newsgroups: comp.lang.python
Subject: Using SSL socket as stdin for subprocess.Popen
Date: Sat, 19 Mar 2016 13:44:58 -0400
Lines: 59
Message-ID: <mailman.435.1458559693.12893.python-list@python.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Trace: news.uni-berlin.de y/S7IJ/93jyndVeLKOHHjwMtwKKKweFr/GfC3glaxyuw==
Return-Path: <matt.ruffalo@gmail.com>
X-Original-To: python-list@python.org
Delivered-To: python-list@mail.python.org
X-Spam-Status: OK 0.001
X-Spam-Evidence: '*H*': 1.00; '*S*': 0.00; 'static': 0.03; 'essentially': 0.04; 'subject:skip:s 10': 0.05; '*not*': 0.07; 'exit': 0.07; 'method,': 0.07; 'socket': 0.07; 'attempted': 0.09; 'expectation': 0.09; 'machines.': 0.09; 'read()': 0.09; 'through,': 0.09; 'tracker,': 0.09; 'url:github': 0.09; 'bug': 0.10; 'python': 0.10; 'output': 0.13; 'do,': 0.15; 'argument': 0.15; 'server,': 0.15; 'conceivably': 0.16; 'describing': 0.16; 'makefile()': 0.16; 'port"': 0.16; 'receive.': 0.16; 'received:io': 0.16; 'received:psf.io': 0.16; 'report?': 0.16; 'socket.': 0.16; 'subject:SSL': 0.16; 'wrappers': 0.16; 'implementing': 0.18; 'ssl': 0.18; 'network,': 0.18; 'runs': 0.18; 'machine': 0.21; 'file.': 0.22; 'code,': 0.23; 'code.': 0.23; 'seems': 0.23; 'replacing': 0.23; "haven't": 0.24; "i've": 0.25; 'header:User-Agent:1': 0.26; 'this.': 0.28; 'attempting': 0.29; 'selecting': 0.29; 'allows': 0.30; "i'm": 0.30; 'connection': 0.30; 'server.': 0.30; 'code': 0.30; 'call.': 0.30; 'checks': 0.30; 'e.g.': 0.30; 'anyone': 0.32; 'implement': 0.32; 'google,': 0.32; 'getting': 0.33; 'run': 0.33; 'common': 0.33; 'ca,': 0.33; 'though.': 0.33; "i'll": 0.33; 'message-id:@gmail.com': 0.34; 'file': 0.34; 'running': 0.34; 'gives': 0.35; 'received:google.com': 0.35; 'could': 0.35; 'configured': 0.35; 'machines': 0.35; 'quite': 0.35; 'something': 0.35; 'remote': 0.35; 'but': 0.36; 'should': 0.36; 'instead': 0.36; 'received:209.85': 0.36; 'assigned': 0.36; 'to:addr:python-list': 0.36; 'expect': 0.37; 'client': 0.37; 'things': 0.38; 'doing': 0.38; 'received:209': 0.38; 'thank': 0.38; 'data': 0.39; 'sure': 0.39; 'does': 0.39; "didn't": 0.39; 'to:addr:python.org': 0.40; 'some': 0.40; 'back': 0.62; 'skip:n 10': 0.62; 'more': 0.63; 'trusted': 0.64; 'between': 0.65; 'backup': 0.66; 'encrypted': 0.66; 'home': 0.67; 'hour': 0.69; 'sound': 0.72; '"most': 0.84; "'test'": 0.84; '3.5.1': 0.84; 'battery': 0.84; 'piping': 0.84; 'snapshot': 0.84; 'snapshots': 0.84; 'subject:Using': 0.84; 'url:master': 0.84; 'verifying': 0.84; 'working,': 0.84; 'certificates': 0.91
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=to:from:subject:message-id:date:user-agent:mime-version :content-transfer-encoding; bh=KVC7t6LPOzosWAflqcax8SWbLS2C6pQIDW2bh5SjAoQ=; b=0px85H2jJGlt6GgiPC2/z+brog9dUDI2KFNXWZWdBUPbOM6ybMJZhcxVRTqnuf7bfq s/EPX1grea2L79A/HJ6qHUyYWswCAywMqNJab2IuKot0zu9LUM15RlX13tc0acJwXR9M riy+ovPSt/oKnfG/8WTVZid55FPciVV/g2of0DyBBYBbUvEnbHeWoz6RALiHe5rI3yhJ lhKsS8Ej2O34hjaklzBLdDGYITeNkNixytVWGOvfqaamEihRpV6M4YS7JlgVGU0xzTmB quFCCWS10eU8B4ucX8e2I1I7ndZ/nmbC4RuaJTw3vy3HKwNHzA30vOYjGc2S+X6BOYgB 7auQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-transfer-encoding; bh=KVC7t6LPOzosWAflqcax8SWbLS2C6pQIDW2bh5SjAoQ=; b=F4c3aKRimLBa9N6sxEyvarHUDNIN0Ydm7eVxAx4eMiLRqsW+lms/kKf6vgzQT0Kb0f LCb/NFDN58JD/D/G/QESPSa1Ufq/NusnZ0FzuIHoLj3wzIL79MyBpwUnw2F5r67VX3fB m7ifrk0BxOE6iTxSnbe/OiaurLqNJBmjrFZF18A3X0xEfwAWfNheyqsVsoxVKu9sy8Ur CJeVTtmz3CxbjJ1CSQj7GRk93TJ/G35VKX1agtQAZ711fmlcSSJXxtcF23gsANNftJZh z08v5Qbk37MAmT3XLs1AzLO7kk29vGQzoH2GcWSFCRzKi0T4Zwc+iliIllX6IIPg6Q50 6Aew==
X-Gm-Message-State: AD7BkJI+dpt9HZKPI4ZgeOC1VC6/NAJEzNdoH+fC1LGRUEVV+G9OHYKNInaaWVnoGhcCUg==
X-Received: by 10.140.86.213 with SMTP id p79mr30028358qgd.76.1458409499539; Sat, 19 Mar 2016 10:44:59 -0700 (PDT)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
X-Mailman-Approved-At: Mon, 21 Mar 2016 07:28:12 -0400
X-BeenThere: python-list@python.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe: <https://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/python-list/>
List-Post: <mailto:python-list@python.org>
List-Help: <mailto:python-list-request@python.org?subject=help>
List-Subscribe: <https://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Xref: csiph.com comp.lang.python:105348

Hi all-

I'm writing a backup client for automating the synchronization of btrfs
snapshots between machines -- essentially piping the output of `btrfs
send` on my laptop/desktop to `btrfs receive` on a server. I've been
doing this manually for quite a while, and something automated would be
much more convenient.

I've started implementing this in terms of a daemon that will run on a
server, and client code that will be invoked every hour or so on client
machines. Every machine I use is configured to take btrfs snapshots of
all available subvolumes on every boot, so it's my expectation that most
of the time the client code runs it will see that it has nothing to do,
and exit with a message like "most recent snapshot is already on remote
server". I'll also implement some checks like "skip backups if running
on battery power" and "only back up over Ethernet instead of wifi", but
one thing at a time.

I've been using SSL for the communication between the client and server,
both in a static "control port" and a dynamic data port that is assigned
for each individual call to btrfs send | btrfs receive. In addition to
verifying the client certificates against a trusted CA, this also allows
things like selecting the backup destination based on the common name in
the client cert.

I've hit an issue that I'm not sure how to work through, though. I'm
attempting to use a SSL socket (and/or the result of its 'makefile'
method) directly as the `stdin` argument to subprocess.Popen, but it
seems that the *encrypted* data is used by the subprocess.

The WIP code is at https://github.com/mruffalo/btrfs-sync-daemon , and
the specific functionality that I'm describing is at
https://github.com/mruffalo/btrfs-sync-daemon/blob/master/server.py#L64
. The SSL socket behaves exactly as I expect in most cases, e.g. calling
its read() method, or calling ssl_sock.makefile('rb') and then read()ing
the result of the makefile() call. This gives me the decrypted data that
I send in the client code.

What seems to be consistently malfunctioning is the usage of the SSL
socket wrappers as `stdin` in a Popen call. While I'm getting all of
this working, I'm replacing the `btrfs receive` call with effectively
`cat > test` in the working directory of the code, and the 'test' file
seems to contain encrypted data instead of the b'hello' I'm sending over
the SSL socket. In addition to using `conn` as `stdin`, I also attempted
using conn.makefile('rb') with the same results: encrypted data in the
output file.

I could conceivably just use a non-encrypted socket for the data
connection since I don't intend this to be used outside of a home
network, but after implementing SSL communication for the control
connection I didn't see a reason *not* to use it for everything.

At the moment I'm running this under Python 3.5.1 on Kubuntu 16.04. I
did some searching in the Python documentation, on Google, and in the
Python bug tracker, but haven't seen anyone else report an issue like
this. Does this sound like a bug I should report?

Thank you,
MMR...