Bug 1346417

Summary: [RFE] Allow users to set socket timeout.
Product: Red Hat Enterprise Linux 7
Reporter: John Sefler <jsefler>
Component: python-rhsm
Assignee: Alex Wood <awood>
Status: CLOSED ERRATA
QA Contact: John Sefler <jsefler>
Severity: unspecified
Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: unspecified
Version: 7.3
CC: awood, bkearney, redakkan, rjerrido, skallesh, sthirugn, vrjain
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
The socket timeout value for SSL connections of the *subscription-manager* client is now configurable
Previously, the socket timeout value for SSL connections to an entitlement server was hard-coded. With this update, users can configure a custom SSL timeout value in the `/etc/rhsm/rhsm.conf` file. Setting a larger SSL timeout helps ensure that expensive operations involving many subscriptions have enough time to complete.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 20:29:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description John Sefler 2016-06-14 18:36:35 UTC
Description of problem:
Currently there is a hard-coded timeout against SSL connections to the candlepin server.  If a response is not received within this time, an "Unable to verify server's identity: timed out" occurs on the subscription-manager client.

This is a request to make the timeout configurable from the subscription-manager client.


Expected results:
After this is implemented, I expect a new config option for...
  subscription-manager config --server.server_timeout=123

...that will enable a user to create and save a configuration to rhsm.conf that will use this value when making an SSL connection to the candlepin server.

The man page for rhsm.conf should also describe the new option.

Comment 3 Shwetha Kallesh 2016-06-23 07:54:41 UTC
Moving bug to verified


[root@shwetha-workstation ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.9.51.11-1
subscription management rules: 5.15
subscription-manager: 1.17.8-1.el7
python-rhsm: 1.17.4-1.el7


[root@shwetha-workstation ~]# subscription-manager config --server.server_timeout=100
[root@shwetha-workstation ~]# cat /etc/rhsm/rhsm.conf | grep server_timeout
server_timeout = 100


[root@shwetha-workstation ~]# subscription-manager config --remove server.server_timeout
You have removed the value for section server and name server_timeout.
The default value for server_timeout will now be used.
[root@shwetha-workstation ~]# cat /etc/rhsm/rhsm.conf | grep server_timeout
server_timeout = 180

Comment 5 Alex Wood 2016-09-27 21:13:30 UTC
Doc text looks good to me!

Comment 6 Alex Wood 2016-10-10 15:10:36 UTC
Doc text looks good to me! (Commenting again to clear needinfo?)

Comment 10 errata-xmlrpc 2016-11-03 20:29:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2592.html

Comment 11 John Sefler 2016-11-21 19:55:37 UTC
Demonstrating that this new RFE actually works...

Our strategy for this demonstration is to use two machines. On machine 1 we will set up a port that will listen for incoming traffic, but will never respond (effectively simulating a broken entitlement server).  On machine 2 we will configure subscription-manager so that its server settings point to machine 1 and then we will attempt to register with different socket timeouts to verify that subscription-manager will indeed time out at the desired time when machine 1 fails to respond.

_____________________________________________________________________
Setting up machine 1 (a RHEL or Fedora system simulating a non-responsive entitlement server - one time setup):

[root@auto-services ~]# cat /etc/redhat-release; hostname
Fedora release 22 (Twenty Two)
auto-services.usersys.redhat.com
[root@auto-services ~]#
[root@auto-services ~]# pwd
/root
[root@auto-services ~]# mkdir ncat_listener
[root@auto-services ~]# cd ncat_listener/
[root@auto-services ncat_listener]# 
[root@auto-services ncat_listener]# dnf install openssl nmap-ncat
Last metadata expiration check performed 1:31:02 ago on Mon Nov 21 13:07:52 2016.
Package openssl-1:1.0.1k-11.fc22.x86_64 is already installed, skipping.
Package nmap-ncat-2:7.12-1.fc22.x86_64 is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!

[root@auto-services ncat_listener]# openssl genrsa -out ncat_listener.key 4096
Generating RSA private key, 4096 bit long modulus
......++
........................................................................................................................................................................................................++
e is 65537 (0x10001)
[root@auto-services ncat_listener]# openssl req -new -x509 -key ncat_listener.key -out ncat_listener.pem -days 3650 -subj '/CN=auto-services.usersys.redhat.com/C=US/L=Raleigh'
[root@auto-services ncat_listener]# 

Now create a ncat_listener.sh file that contains...

[root@auto-services ncat_listener]# cat ncat_listener.sh 
#! /bin/bash
PORT=8884; # assumes this port is available, you can check by calling netstat -an | grep <port_number>
echo "Listening on $PORT forever.  Ctrl-C to cancel."
nc --ssl --ssl-key ./ncat_listener.key --ssl-cert ./ncat_listener.pem --listen --keep-open $PORT
[root@auto-services ncat_listener]# 
[root@auto-services ncat_listener]# chmod 744 ncat_listener.sh
[root@auto-services ncat_listener]# 

Now create a ncat_listener.service file in directory /etc/systemd/system/ that contains...

[root@auto-services ncat_listener]# cat /etc/systemd/system/ncat_listener.service
[Unit]
Description=Socket listener for testing network timeouts
After=network.target
[Service]
Type=simple
ExecStart=/root/ncat_listener/ncat_listener.sh
WorkingDirectory=/root/ncat_listener
Restart=always
[Install]
WantedBy=default.target
[root@auto-services ncat_listener]# 

Now enable and start the ncat_listener...

[root@auto-services ncat_listener]# systemctl enable ncat_listener
Created symlink from /etc/systemd/system/default.target.wants/ncat_listener.service to /etc/systemd/system/ncat_listener.service.
[root@auto-services ncat_listener]# systemctl start ncat_listener
[root@auto-services ncat_listener]# systemctl is-active ncat_listener.service
active
[root@auto-services ncat_listener]# 

Now we know that machine 1 has been set up to simulate a non-responsive entitlement server.

_____________________________________________________________________
Setting up machine 2 (a RHEL system where we will configure subscription-manager to connect to the non-responsive server):

[root@jsefler-rhel7 ~]# cat /etc/redhat-release; hostname
Red Hat Enterprise Linux Server release 7.3 (Maipo)
jsefler-rhel7.usersys.redhat.com
[root@jsefler-rhel7 ~]# 
[root@jsefler-rhel7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.9.51.11-1
subscription management rules: 5.15
subscription-manager: 1.17.15-1.el7
python-rhsm: 1.17.9-1.el7
[root@jsefler-rhel7 ~]# 
[root@jsefler-rhel7 ~]# scp root.redhat.com:/root/ncat_listener/ncat_listener.pem /etc/rhsm/ca/
root.redhat.com's password: 
ncat_listener.pem                            100% 1935     1.9KB/s   00:00    
[root@jsefler-rhel7 ~]# chmod 0644 /etc/rhsm/ca/ncat_listener.pem
[root@jsefler-rhel7 ~]# 
[root@jsefler-rhel7 ~]# subscription-manager config --server.hostname=auto-services.usersys.redhat.com --server.port=8884
[root@jsefler-rhel7 ~]# 
_____________________________________________________________________
Now let's test a server_timeout configuration of 20 seconds:

[root@jsefler-rhel7 ~]# subscription-manager config --server.server_timeout=20
[root@jsefler-rhel7 ~]# 
[root@jsefler-rhel7 ~]# time subscription-manager register --username=foo --password=bar
Registering to: auto-services.usersys.redhat.com:8884/subscription
Unable to verify server's identity: timed out

real	0m20.795s
user	0m0.277s
sys	0m0.093s
[root@jsefler-rhel7 ~]# 

VERIFIED: After a real time of 20.795s, subscription-manager timed out waiting for a response from server auto-services.usersys.redhat.com:8884
_____________________________________________________________________
Now let's test the default server_timeout (which the developers have hard-coded to 180 seconds = 3 minutes):

[root@jsefler-rhel7 ~]# subscription-manager config --remove=server.server_timeout
You have removed the value for section server and name server_timeout.
The default value for server_timeout will now be used.
[root@jsefler-rhel7 ~]# 
[root@jsefler-rhel7 ~]# time subscription-manager register --username=foo --password=bar
Registering to: auto-services.usersys.redhat.com:8884/subscription
Unable to verify server's identity: timed out

real	3m1.023s
user	0m0.274s
sys	0m0.089s
[root@jsefler-rhel7 ~]# 

VERIFIED: After a real time of 3m1.023s, subscription-manager timed out waiting for a response from server auto-services.usersys.redhat.com:8884



Final Note: As demonstrated above, machine 1 is now configured to keep listening on port 8884 forever and will sustain a reboot for future testing.

Comment 12 Barnaby Court 2017-01-11 18:25:41 UTC
*** Bug 1343160 has been marked as a duplicate of this bug. ***

Comment 13 sthirugn@redhat.com 2017-08-18 20:19:17 UTC
*** Bug 1483137 has been marked as a duplicate of this bug. ***