Join Log in
Score:0
Halacs avatar Server

Is there a way to force duplicity to use IPv4 instead of IPv6?

us flag
Halacs

In the below command, example.com has both IPv4 and IPv6 addresses but SSH server listens only on the IPv4 address.

Is there a way to request duplicity to use IPv4 only?

duplicity --progress --ssh-options -oIdentityFile=./cloud.pem --encrypt-key=REDACTED --full-if-older-than 2W --include-filelist ./list.txt --exclude '**' --exclude /root/.cache/duplicity / sftp://example.com//mnt/duplicity/
116
2 + 2
anx avatar
fr flag
anx
What is the point? Why publish an address and then decide not to use it? Either its usable, then the client *should chose freely*, because the client preference is usually ideal. Or its not working, then it should not even be there, regardless of client configuration.
0
Reply
us flag
ede
probably a routerbox nat'ing some IPv4 port. surely resolving IPv4 to a different domain name would be cleaner, but maybe that is not wanted/possible?
0
Reply
Score:2
anx avatar Server
fr flag
anx

SSH defaults to AddressFamily=any - switch it to AddressFamily=inet (IPv4) or AddressFamily=inet6 (IPv6) when you want only one IP version attempted. You may need to put such ssh options in ~/.ssh/config, even though you already have -oIdentityFile= in your cmdline. At least my manual page still tells me:

If needed provide more host specific options via ssh_config file.

It would look something like this:

# cat ~/.ssh/config
Host example.com
  AddressFamily=inet
  IdentityFile=/path/to/certificate.pem

Verify your configuration is picked up by reviewing the effective configuration for that host:

ssh -G example.com | grep -i address
addressfamily inet

Mind warnings potentially emitted on duplicity startup, as I have seen its non-OpenSSH backend silently mistreat ssh options before.

+ 7
Halacs avatar
us flag
Halacs
It seems dupllicity ignore those arguments: both as a CLI and as ~/.ssh/config
0
Reply
anx avatar
fr flag
anx
@Halacs It works for me, my destination is `rsync://` though... Did you confirm your configuration works by manually calling `sftp -vv example.com` ? If that works, but duplicity does not, maybe it is because are not using OpenSSH, but a broken version of paramiko, which can silently pretend to be a drop-on-replacement even when it should know it is not. You can force duplicity revert to the legacy "just use the sftp binary" behaviour by specifying the destination with `pexpect+sftp://`.
0
Reply
us flag
ede
another option would be using `pexpect+sftp://` and adding `--ssh-options='AddressFamily=inet'` as a temporary overwrite of the `sftp` command call parameter.
0
Reply
Halacs avatar
us flag
Halacs
I checked `pxexpect+sftp://` and `sftp://` both with `--ssh-options` and with `~/.ssh/config` with no luck. To make sure, I checked with `ssh -G example.com | grep -i address` and it looks okay. Good news is, however, that `rsync://` with `--ssh-options='-oAddressFamily=inet'` argument works as expected so my problem is solved now. Thanks for all of you!
0
Reply
anx avatar
fr flag
anx
@Halacs Happy that you solved your immediate problem, but it got intriguing.. mind sharing your versions of OpenSSH, duplicity, python3-paramiko, ..? I wonder how rsync via ssh could possibly end up behaving different from sftp via ssh..
0
Reply
Halacs avatar
us flag
Halacs
@anx sure! duplicity/jammy,now 0.8.21-1build1 amd64; python3-paramiko/jammy,now 2.9.3-0ubuntu1 all; openssh-client/jammy-updates,now 1:8.9p1-3ubuntu0.1 amd64; Ubuntu 22.04.2 LTS
1
Reply
anx avatar
fr flag
anx
I tried and could not reproduce it on a matching Ubuntu jammy system. My remaining theories are inadvertent reuse of already-established connections (`ControlMaster`) or hostname canonicalization changing what configuration is applied, which should also be visible when using `-G` on the ssh cmdline mentioned in `duplicity --verbosity debug` output.
0
Reply
Score:0
avatar Server
us flag
ede

while the answer above sounds like a perfectly good solution i just want to add this.

There is no global Python switch for this, ...

Another would be to use an underlying way to get your C library to prefer IPv4 or disable IPv6. This will vary by platform, but on Linux using glibc you could edit /etc/gai.conf to always prefer IPv4 over IPv6:

precedence ::ffff:0:0/96  100

as described on https://serverfault.com/a/1134818/493381

+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.