Bug 1346417
| Summary: | [RFE] Allow users to set socket timeout. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | John Sefler <jsefler> |
| Component: | python-rhsm | Assignee: | Alex Wood <awood> |
| Status: | CLOSED ERRATA | QA Contact: | John Sefler <jsefler> |
| Severity: | unspecified | Docs Contact: | Aneta Šteflová Petrová <apetrova> |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | awood, bkearney, redakkan, rjerrido, skallesh, sthirugn, vrjain |
| Target Milestone: | rc | Keywords: | FutureFeature, Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Doc Type: | Enhancement | Type: | Bug |
| Last Closed: | 2016-11-03 20:29:35 UTC | | |

Doc Text:

The socket timeout value for SSL connections of the *subscription-manager* client is now configurable

Previously, the socket timeout value for SSL connections to an entitlement server was hard-coded. With this update, users can configure a custom SSL timeout value in the `/etc/rhsm/rhsm.conf` file. Setting a larger SSL timeout helps ensure that expensive operations involving many subscriptions have enough time to complete.
Description
John Sefler
2016-06-14 18:36:35 UTC
Moving bug to verified

```
[root@shwetha-workstation ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.9.51.11-1
subscription management rules: 5.15
subscription-manager: 1.17.8-1.el7
python-rhsm: 1.17.4-1.el7
[root@shwetha-workstation ~]# subscription-manager config --server.server_timeout=100
[root@shwetha-workstation ~]# cat /etc/rhsm/rhsm.conf | grep server_timeout
server_timeout = 100
[root@shwetha-workstation ~]# subscription-manager config --remove server.server_timeout
You have removed the value for section server and name server_timeout.
The default value for server_timeout will now be used.
[root@shwetha-workstation ~]# cat /etc/rhsm/rhsm.conf | grep server_timeout
server_timeout = 180
```

Doc text looks good to me!

Doc text looks good to me! (Commenting again to clear needinfo?)

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2592.html

Demonstrating that this new RFE actually works...

Our strategy for this demonstration is to use two machines. On machine 1 we will set up a port that will listen for incoming traffic, but will never respond (effectively simulating a broken entitlement server). On machine 2 we will configure subscription-manager so that its server settings point to machine 1 and then we will attempt to register with different socket timeouts to verify that subscription-manager will indeed time out at the desired time when machine 1 fails to respond.

_____________________________________________________________________

Setting up machine 1 (a RHEL or Fedora system simulating a non-responsive entitlement server - one time setup):

```
[root@auto-services ~]# cat /etc/redhat-release; hostname
Fedora release 22 (Twenty Two)
auto-services.usersys.redhat.com
[root@auto-services ~]#
[root@auto-services ~]# pwd
/root
[root@auto-services ~]# mkdir ncat_listener
[root@auto-services ~]# cd ncat_listener/
[root@auto-services ncat_listener]#
[root@auto-services ncat_listener]# dnf install openssl nmap-ncat
Last metadata expiration check performed 1:31:02 ago on Mon Nov 21 13:07:52 2016.
Package openssl-1:1.0.1k-11.fc22.x86_64 is already installed, skipping.
Package nmap-ncat-2:7.12-1.fc22.x86_64 is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
[root@auto-services ncat_listener]# openssl genrsa -out ncat_listener.key 4096
Generating RSA private key, 4096 bit long modulus
......++
........................................................................................................................................................................................................++
e is 65537 (0x10001)
[root@auto-services ncat_listener]# openssl req -new -x509 -key ncat_listener.key -out ncat_listener.pem -days 3650 -subj '/CN=auto-services.usersys.redhat.com/C=US/L=Raleigh'
[root@auto-services ncat_listener]#
```

Now create a ncat_listener.sh file that contains...

```
[root@auto-services ncat_listener]# cat ncat_listener.sh
#! /bin/bash
PORT=8884; # assumes this port is available, you can check by calling netstat -an | grep <port_number>
echo "Listening on $PORT forever. Ctrl-C to cancel."
nc --ssl --ssl-key ./ncat_listener.key --ssl-cert ./ncat_listener.pem --listen --keep-open $PORT
[root@auto-services ncat_listener]#
[root@auto-services ncat_listener]# chmod 744 ncat_listener.sh
[root@auto-services ncat_listener]#
```

Now create a ncat_listener.service file in directory /etc/systemd/system/ that contains...

```
[root@auto-services ncat_listener]# cat /etc/systemd/system/ncat_listener.service
[Unit]
Description=Socket listener for testing network timeouts
After=network.target

[Service]
Type=simple
ExecStart=/root/ncat_listener/ncat_listener.sh
WorkingDirectory=/root/ncat_listener
Restart=always

[Install]
WantedBy=default.target
[root@auto-services ncat_listener]#
```

Now enable and start the ncat_listener...

```
[root@auto-services ncat_listener]# systemctl enable ncat_listener
Created symlink from /etc/systemd/system/default.target.wants/ncat_listener.service to /etc/systemd/system/ncat_listener.service.
[root@auto-services ncat_listener]# systemctl start ncat_listener
[root@auto-services ncat_listener]# systemctl is-active ncat_listener.service
active
[root@auto-services ncat_listener]#
```

Now we know that machine 1 has been set up to simulate a non-responsive entitlement server

_____________________________________________________________________

Setting up machine 2 (a RHEL system where we will configure subscription-manager to connect to the non-responsive server):

```
[root@jsefler-rhel7 ~]# cat /etc/redhat-release; hostname
Red Hat Enterprise Linux Server release 7.3 (Maipo)
jsefler-rhel7.usersys.redhat.com
[root@jsefler-rhel7 ~]#
[root@jsefler-rhel7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.9.51.11-1
subscription management rules: 5.15
subscription-manager: 1.17.15-1.el7
python-rhsm: 1.17.9-1.el7
[root@jsefler-rhel7 ~]#
[root@jsefler-rhel7 ~]# scp root.redhat.com:/root/ncat_listener/ncat_listener.pem /etc/rhsm/ca/
root.redhat.com's password:
ncat_listener.pem 100% 1935 1.9KB/s 00:00
[root@jsefler-rhel7 ~]# chmod 0644 /etc/rhsm/ca/ncat_listener.pem
[root@jsefler-rhel7 ~]#
[root@jsefler-rhel7 ~]# subscription-manager config --server.hostname=auto-services.usersys.redhat.com --server.port=8884
[root@jsefler-rhel7 ~]#
```

_____________________________________________________________________

Now let's test a server_timeout configuration of 20 seconds:

```
[root@jsefler-rhel7 ~]# subscription-manager config --server.server_timeout=20
[root@jsefler-rhel7 ~]#
[root@jsefler-rhel7 ~]# time subscription-manager register --username=foo --password=bar
Registering to: auto-services.usersys.redhat.com:8884/subscription
Unable to verify server's identity: timed out

real 0m20.795s
user 0m0.277s
sys 0m0.093s
[root@jsefler-rhel7 ~]#
```

VERIFIED: After a real time of 20.795s, subscription-manager timed out waiting for a response from server auto-services.usersys.redhat.com:8884

_____________________________________________________________________

Now let's test the default server_timeout (which the developers have hard-coded to 180 seconds = 3 minutes):

```
[root@jsefler-rhel7 ~]# subscription-manager config --remove=server.server_timeout
You have removed the value for section server and name server_timeout.
The default value for server_timeout will now be used.
[root@jsefler-rhel7 ~]#
[root@jsefler-rhel7 ~]# time subscription-manager register --username=foo --password=bar
Registering to: auto-services.usersys.redhat.com:8884/subscription
Unable to verify server's identity: timed out

real 3m1.023s
user 0m0.274s
sys 0m0.089s
[root@jsefler-rhel7 ~]#
```

VERIFIED: After a real time of 3m1.023s, subscription-manager timed out waiting for a response from server auto-services.usersys.redhat.com:8884

Final Note: As demonstrated above, machine 1 is now configured to keep listening on port 8884 forever and will sustain a reboot for future testing.

*** Bug 1343160 has been marked as a duplicate of this bug. ***

*** Bug 1483137 has been marked as a duplicate of this bug. ***
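
The verification strategy from the comments above (a listener that accepts connections but never answers, and a client whose timeout comes from `server_timeout` with a 180-second fallback), reduced to a single-host loopback test. This is an added example, not python-rhsm code and not written by anyone on this bug; it assumes plain TCP instead of the TLS listener used above, and the function names and sample config are hypothetical.

```python
import configparser
import socket
import threading
import time

DEFAULT_SERVER_TIMEOUT = 180  # seconds; the default shown in the comments above
SAMPLE_CONF = "[server]\nhostname = 127.0.0.1\nserver_timeout = 2\n"  # constructed sample

def read_server_timeout(conf_text):
    """Return [server] server_timeout, or the default if unset or invalid."""
    parser = configparser.ConfigParser()
    try:
        parser.read_string(conf_text)
        value = parser.getint("server", "server_timeout")
    except (configparser.Error, ValueError):
        return DEFAULT_SERVER_TIMEOUT
    # Assumption of this example: zero or negative values also fall back.
    return value if value > 0 else DEFAULT_SERVER_TIMEOUT

def start_silent_listener():
    """Accept TCP connections on a free loopback port and never reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []  # keep accepted sockets open so the client sees no FIN/RST
    def accept_loop():
        while True:
            try:
                held.append(srv.accept()[0])
            except OSError:
                return  # listener was closed
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def timed_request(port, timeout):
    """Send a request, wait for a reply; return (outcome, elapsed seconds)."""
    start = time.monotonic()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n")  # constructed
            s.recv(1024)  # blocks until data arrives or the timeout fires
            outcome = "response"
    except socket.timeout:
        outcome = "timed out"
    return outcome, time.monotonic() - start

if __name__ == "__main__":
    srv, port = start_silent_listener()
    print(timed_request(port, read_server_timeout(SAMPLE_CONF)))
```

Without a socket timeout the `recv()` call would block indefinitely against such a peer, which is why a bounded, configurable value matters for unattended clients.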