Bug 2100464

Summary: | RFE: mechanism and logind.conf option to terminate idle sessions
---|---
Product: | Red Hat Enterprise Linux 9
Component: | systemd
Version: | 9.0
Status: | CLOSED ERRATA
Severity: | medium
Priority: | medium
Reporter: | Jan Pazdziora (Red Hat) <jpazdziora>
Assignee: | Michal Sekletar <msekleta>
QA Contact: | Frantisek Sumsal <fsumsal>
Docs Contact: | Šárka Jana <sjanderk>
CC: | ccheney, ggasparb, jgamba, jpazdziora, kanderso, mhaicman, msekleta, peter.vreman, rmetrich, sjanderk, systemd-maint-list, tscherf, vpolasek
Target Milestone: | rc
Keywords: | FutureFeature, Triaged, ZStream
Hardware: | Unspecified
OS: | Unspecified
Fixed In Version: | systemd-250-12.el9_1
Doc Type: | Release Note
: | 2125240
Last Closed: | 2022-11-15 11:18:19 UTC
Type: | Bug
Bug Blocks: | 2125240

Description
Jan Pazdziora (Red Hat)
2022-06-23 12:43:53 UTC

Hello Michal, I have a proof of concept patch that seems to work reasonably well on RHEL 9's systemd 250. If you feel that it might make the discussion about the approach easier, I'd be happy to attach it -- I just did not want to kick off with it in case you wanted to discuss the requirement in general first. Please let me know what approach you'd prefer. Thank you, Jan

Created attachment 1893169
My POC patch to add support for the SessionIdleTerminateSec parameter.

I reviewed the PoC patch and it seems generally OK (and big parts of it could be used mostly w/o modification). However, there are a couple of nitpicks, e.g. proposed option name should probably read "TerminateIdleSessionSec=" as other similar logind.conf options start with verb (e.g. KillUser, CleanIPC).

Bikeshedding aside, the more substantial technical problem I see is reuse of existing timer that is used to dispatch idle system action. Accuracy of that timer is 30 seconds (meaning, timer is scheduled on "timeout + accuracy" where accuracy is selected from 0-30 seconds interval and stable afterwards). Hence maximum timer accuracy delay is 30 seconds. I think that is fine for current system wide timer that is set by default to 30 minutes. However, potential of up to 30 seconds delay is probably not OK as session timeout timer, moreover, if use of this newly proposed feature will be part of the RHEL's security posture/story and undergo evaluation as part of Common Criteria certification process. I propose we introduce new timer with higher accuracy and dispatch routine scheduled with higher priority in the event loop.

Also, I think it would make sense to have more generic option, i.e. not hardcode the behavior in the option name itself. I propose we add "IdleSessionAction=(ignore|terminate|lock)" and "IdleSessionTimeout=". At this point I think we should discuss this upstream, hence I will file GitHub issue for this RFE and will bring this topic in the meeting we have with other upstream stakeholders.

Thanks for the review and initial thought, Michal. As for the accuracy, having second timer would certainly help ... but I wonder if a quick way to handle things could be to set accuracy to 0 in case the TerminateIdleSessionSec is set. I don't have specific opinion about the option name. However, I specifically aimed to have that "Terminate" in the option name rather than use "IdleSessionAction=(ignore|terminate|lock)" because I envisioned in the future you could have different actions enabled at the same time, at different timeouts -- something like LockIdleSessionSec=5min together with TerminateIdleSessionSec=60min.

I've discussed this with upstream stakeholders and consensus was that such feature would be very welcome and it should be introduced as a separate option, i.e. as originally proposed by Jan. I will start working on the patch, based on PoC patch provided by Jan.

First version of the PR that implements this RFE was posted upstream. https://github.com/systemd/systemd/pull/24242

*** Bug 2022064 has been marked as a duplicate of this bug. ***

fix merged to github main branch -> https://github.com/redhat-plumbers/systemd-rhel9/pull/105

fix merged to github rhel-9.1.0 branch -> https://github.com/redhat-plumbers/systemd-rhel9/pull/111

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (systemd bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:8327
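
An added example, not part of the bug report or of the systemd patch: a Python check that computes the effective idle-session timeout from logind.conf plus its drop-ins and compares it with a policy limit. It assumes the option name `StopIdleSessionSec=` from logind.conf(5), which this thread does not name, and the caller passes file contents already in precedence order; the sample contents are constructed.

```python
import re

# Assumption: option name taken from logind.conf(5); the thread above only
# shows the proposed names.
OPTION = "StopIdleSessionSec"
# Subset of the systemd.time(7) units, in seconds.
UNITS = {"": 1, "s": 1, "sec": 1, "m": 60, "min": 60,
         "h": 3600, "hr": 3600, "d": 86400}

def parse_timespan(value):
    """Seconds as float, or None for empty/'infinity' (no timeout)."""
    value = value.strip()
    if value in ("", "infinity"):
        return None
    if not re.fullmatch(r"(?:\s*\d+(?:\.\d+)?\s*[a-zA-Z]*)+", value):
        raise ValueError(f"bad time span: {value!r}")
    parts = re.findall(r"(\d+(?:\.\d+)?)\s*([a-zA-Z]*)", value)
    try:
        return sum(float(n) * UNITS[u] for n, u in parts)
    except KeyError as exc:
        raise ValueError(f"unsupported unit: {exc}") from None

def effective_idle_timeout(config_texts):
    """config_texts: file contents in precedence order (main file first,
    then drop-ins sorted by name); the last assignment in [Login] wins."""
    timeout = None
    for text in config_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            key, sep, val = line.partition("=")
            if sep and section == "Login" and key.strip() == OPTION:
                timeout = parse_timespan(val)
    return timeout

def is_compliant(config_texts, limit_seconds):
    """True only if a finite timeout is set and is within the limit."""
    timeout = effective_idle_timeout(config_texts)
    return timeout is not None and timeout <= limit_seconds

# Constructed sample contents, not taken from a real host.
MAIN = "[Login]\n#StopIdleSessionSec=infinity\nKillUserProcesses=no\n"
DROPIN_10 = "[Login]\nStopIdleSessionSec=15min\n"
DROPIN_90 = "[Login]\nStopIdleSessionSec=1h 30min\n"
```

The second drop-in shows the case an audit has to catch: a later file silently raising the timeout above the limit set by an earlier one.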