Bug 2043314

Summary: `oc debug node` does not meet compliance requirement
Product: OpenShift Container Platform
Reporter: Vincent Shen <wenshen>
Component: oc
Assignee: Maciej Szulik <maszulik>
oc sub component: oc
QA Contact: zhou ying <yinzhou>
Status: CLOSED ERRATA
Docs Contact:
Severity: high
Priority: high
CC: aos-bugs, augol, bzvonar, ddelcian, ealcaniz, lbragsta, maszulik, mfojtik, scuppett
Version: 4.8
Target Milestone: ---
Target Release: 4.11.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: No timeout was specified after invoking oc debug node.
Consequence: User was never logged out of cluster.
Fix: Add TMOUT environment variable for debug pod to have an inactivity timeout counter.
Result: After TMOUT inactivity the session will be automatically terminated.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-08-10 10:43:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2060888

Comment 4 Lance Bragstad 2022-01-21 16:41:54 UTC
Adding some more context here that this particular issue is related to SRG-OS-000279-GPOS-00109 and SRG-OS-000126-GPOS-00066, where the operating system must terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is complete. The `oc debug` command doesn't allow us to set a connection timeout.
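
One way to audit for the fix described in the Doc Text, as an added example that is not part of the bug report or the oc code base: it scans pod manifests for containers that lack an effective `TMOUT` inactivity timeout. The 900-second ceiling, the pod and container names, and the sample manifests are assumptions constructed for illustration.

```python
import json

MAX_TMOUT = 900  # assumed policy ceiling (seconds); not a value taken from the bug

# Constructed sample shaped like `oc get pods -o json`; all names are made up.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "node-a-debug"}, "spec": {"containers": [
   {"name": "c0", "env": [{"name": "TMOUT", "value": "900"}]}]}},
 {"metadata": {"name": "node-b-debug"}, "spec": {"containers": [
   {"name": "c0"}]}},
 {"metadata": {"name": "node-c-debug"}, "spec": {"containers": [
   {"name": "c0", "env": [{"name": "TMOUT", "value": "0"}]}]}},
 {"metadata": {"name": "node-d-debug"}, "spec": {"containers": [
   {"name": "c0", "env": [{"name": "TMOUT", "value": "86400"}]}]}}
]}""")


def tmout_finding(container, max_tmout=MAX_TMOUT):
    """Return None if the container has an effective timeout, else a reason."""
    # Later duplicates win, matching how Kubernetes resolves repeated env names.
    env = {e["name"]: e for e in container.get("env") or []}
    entry = env.get("TMOUT")
    if entry is None:
        return "TMOUT not set"
    raw = entry.get("value")
    if raw is None:
        return "TMOUT has no literal value (valueFrom), cannot be checked statically"
    try:
        seconds = int(raw)
    except ValueError:
        return f"TMOUT is not an integer: {raw!r}"
    if seconds <= 0:
        # bash only enforces TMOUT when it is greater than zero
        return "TMOUT <= 0 disables the shell timeout"
    if seconds > max_tmout:
        return f"TMOUT {seconds}s exceeds the {max_tmout}s ceiling"
    return None


def audit(pod_list, max_tmout=MAX_TMOUT):
    """Map 'pod/container' to a reason for every container failing the check."""
    findings = {}
    for pod in pod_list.get("items", []):
        for c in pod.get("spec", {}).get("containers", []):
            reason = tmout_finding(c, max_tmout)
            if reason:
                findings[f'{pod["metadata"]["name"]}/{c["name"]}'] = reason
    return findings


if __name__ == "__main__":
    for target, reason in audit(SAMPLE).items():
        print(f"FAIL {target}: {reason}")
```

`TMOUT` is honored by the shell, so the check says nothing about sessions that start a program which ignores the variable.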

Comment 7 Daniel Del Ciancio 2022-03-04 15:47:04 UTC
@Maciej, 

Do we know which 4.8.z release this PR will land or can you provide an update where things are at?  

This has been defined as a gating security requirement/dependency for an upcoming customer go-live.

Please treat this backport request as urgent.


Thanks!
Daniel.

Comment 8 Maciej Szulik 2022-03-04 16:05:05 UTC
(In reply to Daniel Del Ciancio from comment #7)
> @Maciej, 
> 
> Do we know which 4.8.z release this PR will land or can you provide an
> update where things are at?  
> 
> This has been defined as a gating security requirement/dependency for an
> upcoming customer go-live.
> 
> Please treat this backport request as urgent.

It has to go through all previous versions before it will reach 4.8, so it'll take a few weeks. I can't say for sure which exact .z version it'll be.

Comment 9 Daniel Del Ciancio 2022-03-04 17:36:07 UTC
As discussed in Slack, can we ask QE to prioritize testing of the backport request for 4.8?

Your help to expedite this would be much appreciated.

This backport request has already been tagged and added to the Telco 5g priority list.

Thanks!
Daniel.

Comment 19 errata-xmlrpc 2022-08-10 10:43:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069