SciStream at APS
SciStream Tunnel Setup Guide
This guide provides step-by-step instructions for tunnelling a connection through SciStream using s2uc running from a container. The setup involves two endpoints, each running on a separate host, which together establish a TLS-protected tunnel for forwarding packets.
SciStream's API TLS certificates are on the test servers under /local/scistream. Use the folder matching the server you are on: server1 on server1, server2 on server2. The podman commands below mount that folder at /scistream inside the container and point --server_cert at it.
How data flows through the tunnel
The tunnel consists of two parts that work together:
- Server side (inbound request): the destination that receives data. A TCP server that listens for connections.
- Client side (outbound request): the source that sends data. A TCP client that actively creates new connections.
A connection travels through them as follows:
- Your client application connects to the local port (5100) on the client machine
- The SciStream outbound request forwards this connection through the secure tunnel
- The SciStream inbound request receives the forwarded connection
- Data is delivered to your server application listening on the receiver port (5300)
Request Configuration
Inbound Request ("Server side": 192.168.150.1)
Purpose: Sets up the receiving end of the tunnel. This establishes a listener on the specified SciStream endpoint that waits for incoming connections from the outbound request (the other SciStream endpoint) and forwards each connection to <remote_ip>:<receiver_ports>, where the user application is listening.
podman run --rm --net=host -v ./server1:/scistream --entrypoint=s2uc castroflaviojr/scistream:1.2.1 inbound-request --remote_ip 192.168.150.1 --s2cs 192.168.150.1:5000 --receiver_ports 5300 --num_conn 1 --server_cert=/scistream/server.crt
- Parameters:
  - --remote_ip: The address the user application is listening on.
  - --s2cs: The IP and port of the local s2cs SciStream control server.
  - --receiver_ports: The port the user application is listening on (i.e. the user application is bound to {remote_ip:receiver_port}).
  - --num_conn: Number of connections to establish.
  - --server_cert: Path to the server certificate for TLS (a path inside the container, under the mounted /scistream folder).
Note the UID:
After running the command, note the UID and the listener address (IP:port) in the output; both are needed for the outbound request. Example:
uid; s2cs; access_token; role
bd9f1a7e-04d7-11f0-b44c-946dae415862 192.168.150.1:5000 INVALID_TOKEN PROD
sending client request message
started client request
waiting for hello message
sending for hello message
Hello message sent successfully
Listeners: ['192.168.150.1:5100']
Outbound Request ("Client side": 192.168.150.2)
Purpose: Sets up the sending end of the tunnel. This establishes a listener on the specified SciStream endpoint that waits for incoming connections from the client application and forwards that data over the tunnel to the other SciStream endpoint. Run it on the client-side host after the inbound request, since it takes the UID and listener address printed by the inbound request as positional arguments.
podman run --rm --net=host -v ./server2:/scistream --entrypoint=s2uc castroflaviojr/scistream:1.2.1 outbound-request --remote_ip 192.168.150.1 --s2cs 192.168.150.2:5000 --receiver_ports 5100 --num_conn 1 --server_cert=/scistream/server.crt bd9f1a7e-04d7-11f0-b44c-946dae415862 192.168.150.1:5100
- Parameters:
  - --remote_ip: The eventual destination IP address the data should be forwarded to.
  - --s2cs: The IP and port of the local s2cs SciStream control server.
  - --receiver_ports: Local port the client application will connect to (i.e. the client should connect to {s2cs_ip:receiver_port}).
  - --num_conn: Number of connections to establish.
  - --server_cert: Path to the server certificate for TLS.
  - UID (positional): The UID noted from the inbound request.
  - IP:PORT (positional): The listener IP and port noted from the inbound request.
Example output:
uid; s2cs; access_token; role
bd9f1a7e-04d7-11f0-b44c-946dae415862 192.168.150.2:5000 INVALID_TOKEN CONS
started client request
waiting for hello message
Hello message sent successfully
Listeners: ['192.168.150.2:5100']
Verification
- Check listening ports:
On both hosts, verify that the stunnel processes are listening on the expected ports (port 5100 on each host in this example, as reported in the Listeners line of each request) using:
ss -tlpn
- Test the tunnel:
Use iperf3 to test the tunnel. Start the server side first so the forwarded connection has something to land on.
- Server side (host 192.168.150.1), on the receiver port the inbound request forwards to:
iperf3 -s -p 5300
- Client side (host 192.168.150.2), connecting to the local listener created by the outbound request (not to the remote host):
iperf3 -c 192.168.150.2 -p 5100
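The steps above can be driven from one small script rather than by copying the UID and listener address between terminals by hand. The script below is an added example, not code from the SciStream project or from this guide: it wraps s2uc in the same podman invocation the guide uses, parses the UID and Listeners line out of the inbound-request output, and checks the local listeners with ss. The helper name s2uc_in_container, the subcommands "inbound" and "outbound", and the two embedded sample outputs are constructed for the example; the image, ports, addresses and cert paths are the guide's own. Live actions (podman, ss) run only when a subcommand is given.

```shell
#!/bin/sh
# Added example (not part of SciStream or this guide): drive the two s2uc
# requests from the guide, parsing the inbound output instead of copying it.
set -eu

IMAGE="castroflaviojr/scistream:1.2.1"
PROD_S2CS="192.168.150.1:5000"   # s2cs control server on the inbound ("Server side") host
CONS_S2CS="192.168.150.2:5000"   # s2cs control server on the outbound ("Client side") host
APP_IP="192.168.150.1"           # address the receiving application listens on
APP_PORT="5300"                  # receiver port of the receiving application
CLIENT_PORT="5100"               # local port the sending application connects to
CERT="/scistream/server.crt"     # cert path inside the container (mounted folder)

# Run s2uc from the container exactly as the guide does. $1 is the cert folder
# for this host (./server1 or ./server2); the rest are s2uc arguments.
# (Hypothetical helper name; the podman command line is the guide's.)
s2uc_in_container() {
  certdir="$1"; shift
  podman run --rm --net=host -v "$certdir:/scistream" --entrypoint=s2uc "$IMAGE" "$@"
}

# Print the request UID found in s2uc output on stdin (first UUID-shaped token).
parse_uid() {
  grep -oE '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}' | head -n 1
}

# Print the first ip:port from the "Listeners: ['ip:port']" line on stdin.
parse_listener() {
  grep -oE "Listeners: \[[^]]*\]" | grep -oE '[0-9.]+:[0-9]+' | head -n 1
}

# Succeed only if an "ss -tlpn" dump ($1) shows a LISTEN socket on every port
# named after it. Usage: ports_listening "$(ss -tlpn)" 5100 5300
ports_listening() {
  dump="$1"; shift
  for port in "$@"; do
    printf '%s\n' "$dump" | grep -qE "^LISTEN[[:space:]].*:$port[[:space:]]" || return 1
  done
  return 0
}

# Constructed sample shaped like the inbound-request output shown in the guide.
SAMPLE_INBOUND_OUTPUT=$(cat <<'EOF'
uid; s2cs; access_token; role
bd9f1a7e-04d7-11f0-b44c-946dae415862 192.168.150.1:5000 INVALID_TOKEN PROD
sending client request message
started client request
waiting for hello message
Hello message sent successfully
Listeners: ['192.168.150.1:5100']
EOF
)

# Constructed sample of "ss -tlpn" on the inbound host after the request.
SAMPLE_SS=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:5000       0.0.0.0:*         users:(("s2cs",pid=2101,fd=7))
LISTEN 0      128    0.0.0.0:5100       0.0.0.0:*         users:(("stunnel",pid=2144,fd=9))
EOF
)

case "${1:-}" in
  inbound)   # run on the server-side host; prints "<uid> <ip:port>" for the other host
    out=$(s2uc_in_container ./server1 inbound-request --remote_ip "$APP_IP" \
          --s2cs "$PROD_S2CS" --receiver_ports "$APP_PORT" --num_conn 1 --server_cert="$CERT")
    uid=$(printf '%s\n' "$out" | parse_uid)
    listener=$(printf '%s\n' "$out" | parse_listener)
    [ -n "$uid" ] && [ -n "$listener" ] || { echo "no uid/listener in s2uc output" >&2; exit 1; }
    ports_listening "$(ss -tlpn)" "${listener##*:}" || echo "warning: listener ${listener} not in ss -tlpn" >&2
    echo "$uid $listener"
    ;;
  outbound)  # run on the client-side host with the uid and ip:port printed by "inbound"
    [ $# -eq 3 ] || { echo "usage: $0 outbound <uid> <ip:port>" >&2; exit 1; }
    s2uc_in_container ./server2 outbound-request --remote_ip "$APP_IP" --s2cs "$CONS_S2CS" \
      --receiver_ports "$CLIENT_PORT" --num_conn 1 --server_cert="$CERT" "$2" "$3"
    ports_listening "$(ss -tlpn)" "$CLIENT_PORT" || echo "warning: port $CLIENT_PORT not in ss -tlpn" >&2
    ;;
  *) ;;      # no subcommand: only define the helpers and samples
esac
```

Run `sh tunnel.sh inbound` on 192.168.150.1 from the folder holding server1, then `sh tunnel.sh outbound <uid> <ip:port>` on 192.168.150.2 with the two values it printed; the ss check after each request is the same verification the guide describes, done before iperf3 is tried.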
Closing the Connection
To close a connection request, use the release option of s2uc with the UID noted from the inbound request (when running from the container, invoke it through the same podman ... --entrypoint=s2uc command used above):
s2uc release <uid>