note
salva
The way to pass extra options to the underlying <c>ssh</c> process from [metamod://Net::OpenSSH] is using the constructor <c>master_opts</c> argument.
<p>The way to share the SSH connection is to pass around the path to the multiplexing socket (you can retrieve it calling method [https://metacpan.org/pod/Net::OpenSSH#$ssh-%3Eget_ctl_path|get_ctl_path]).
<p>You can also specify where you want to create the multiplexing socket explicitly (instead of letting the module pick a place for you) with the constructor argument [https://metacpan.org/pod/Net::OpenSSH#ctl_path-=%3E-$path|ctl_path]. Net::OpenSSH, by default, enforces some security policies for that path that you should obey.
<p>So, for every connection you want to keep open (in your case, four connections every one using a different account), you need a process that establishes the connection and runs the dummy command from time to time. For instance:
<c>
use Net::OpenSSH;
my $account_id = 1;
my $ctl_path = "/.../some/known/place/to/put/the/control/path-$account_id";
while (1) {
eval {
unlink $ctl_path;
my $ssh = Net::OpenSSH->new($host, ..., ctl_path => $ctl_path);
$ssh->die_on_error("Unable to connect to remote host");
while (1) {
# run the dummy command
$ssh->sftp->stat("/") or die "SFTP command failed";
sleep 10;
}
};
warn $@ if $@;
warn "delaying before restarting SSH connection\n";
sleep 5;
}
</c>
Then from the process where you want to do the SFTP operation:
<c>
...
my $ssh = Net::OpenSSH->new(external_master => 1, ctl_path => $ctl_path);
my $sftp = $ssh->sftp // $ssh->die_on_error("Unable to create SFTP session");
# at this point $sftp is a regular Net::SFTP::Foreign object you can use in any way you like.
...
</c>
<p>Most servers limit the number of channels open simultaneously in a single SSH session. For instance, it is 10 by default for OpenSSH. If you expect very many request coming in parallel, that could be a source of problems.
<p>Finally note that allowing direct connections between a web server and other services has some security implications. If the front end becomes compromised, intruders would be able to access those backend services and the data there freely. Because of that, sometimes using an intermediate layer as the queue mechanism proposed in my OP could still be the most sensible thing to do.
<p><b>Update</b>: Both [metamod://Net::OpenSSH] and [metamod://Net::SFTP::Foreign] allow you to set timeouts for connecting and/or running commands. You should adjust those, to ensure that if any connection becomes stalled, it is discarded and established again, so that services recover promptly.
11123604
11123690