Bug 1346417 - [RFE] Allow users to set socket timeout.
Summary: [RFE] Allow users to set socket timeout.
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: python-rhsm
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Alex Wood
QA Contact: John Sefler
Aneta Šteflová Petrová
URL:
Whiteboard:
Keywords: FutureFeature, Triaged
Duplicates: 1343160 1483137
Depends On:
Blocks:
 
Reported: 2016-06-14 18:36 UTC by John Sefler
Modified: 2019-04-08 16:29 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
The socket timeout value for SSL connections of the *subscription-manager* client is now configurable. Previously, the socket timeout value for SSL connections to an entitlement server was hard-coded. With this update, users can configure a custom SSL timeout value in the `/etc/rhsm/rhsm.conf` file. Setting a larger SSL timeout helps ensure that expensive operations involving many subscriptions have enough time to complete.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 20:29:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2592 normal SHIPPED_LIVE Moderate: subscription-manager security, bug fix, and enhancement update 2016-11-03 12:10:42 UTC
Red Hat Bugzilla 1346368 None CLOSED man rhsm.conf is missing a description for the server_timeout configuration 2019-04-05 18:27 UTC
Red Hat Bugzilla 1591399 None None None 2019-04-05 18:27 UTC
Red Hat Knowledge Base (Article) 4044461 None None None 2019-04-08 16:29 UTC

Internal Trackers: 1346368 1591399

Description John Sefler 2016-06-14 18:36:35 UTC
Description of problem:
Currently there is a hard-coded timeout against SSL connections to the candlepin server.  If a response is not received within this time, an "Unable to verify server's identity: timed out" occurs on the subscription-manager client.

This is a request to make the timeout configurable from the subscription-manager client.


Expected results:
After this is implemented, I expect a new config option for...
  subscription-manager config --server.server_timeout=123

...that will enable a user to create and save a configuration to rhsm.conf that will use this value when making an SSL connection to the candlepin server.

The man page for rhsm.conf should also describe the new option.

Comment 3 Shwetha Kallesh 2016-06-23 07:54:41 UTC
Moving bug to verified


[root@shwetha-workstation ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.9.51.11-1
subscription management rules: 5.15
subscription-manager: 1.17.8-1.el7
python-rhsm: 1.17.4-1.el7


[root@shwetha-workstation ~]# subscription-manager config --server.server_timeout=100
[root@shwetha-workstation ~]# cat /etc/rhsm/rhsm.conf | grep server_timeout
server_timeout = 100


[root@shwetha-workstation ~]# subscription-manager config --remove server.server_timeout
You have removed the value for section server and name server_timeout.
The default value for server_timeout will now be used.
[root@shwetha-workstation ~]# cat /etc/rhsm/rhsm.conf | grep server_timeout
server_timeout = 180

Comment 5 Alex Wood 2016-09-27 21:13:30 UTC
Doc text looks good to me!

Comment 6 Alex Wood 2016-10-10 15:10:36 UTC
Doc text looks good to me! (Commenting again to clear needinfo?)

Comment 10 errata-xmlrpc 2016-11-03 20:29:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2592.html

Comment 11 John Sefler 2016-11-21 19:55:37 UTC
Demonstrating that this new RFE actually works...

Our strategy for this demonstration is to use two machines. On machine 1 we will set up a port that will listen for incoming traffic, but will never respond (effectively simulating a broken entitlement server).  On machine 2 we will configure subscription-manager so that its server settings point to machine 1 and then we will attempt to register with different socket timeouts to verify that subscription-manager will indeed timeout at the desired time when machine 1 fails to respond.

_____________________________________________________________________
Setting up machine 1 (a RHEL or Fedora system simulating a non-responsive entitlement server - one time setup):

[root@auto-services ~]# cat /etc/redhat-release; hostname
Fedora release 22 (Twenty Two)
auto-services.usersys.redhat.com
[root@auto-services ~]#
[root@auto-services ~]# pwd
/root
[root@auto-services ~]# mkdir ncat_listener
[root@auto-services ~]# cd ncat_listener/
[root@auto-services ncat_listener]# 
[root@auto-services ncat_listener]# dnf install openssl nmap-ncat
Last metadata expiration check performed 1:31:02 ago on Mon Nov 21 13:07:52 2016.
Package openssl-1:1.0.1k-11.fc22.x86_64 is already installed, skipping.
Package nmap-ncat-2:7.12-1.fc22.x86_64 is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!

[root@auto-services ncat_listener]# openssl genrsa -out ncat_listener.key 4096
Generating RSA private key, 4096 bit long modulus
......++
........................................................................................................................................................................................................++
e is 65537 (0x10001)
[root@auto-services ncat_listener]# openssl req -new -x509 -key ncat_listener.key -out ncat_listener.pem -days 3650 -subj '/CN=auto-services.usersys.redhat.com/C=US/L=Raleigh'
[root@auto-services ncat_listener]# 

Now create a ncat_listener.sh file that contains...

[root@auto-services ncat_listener]# cat ncat_listener.sh 
#! /bin/bash
PORT=8884; # assumes this port is available, you can check by calling netstat -an | grep <port_number>
echo "Listening on $PORT forever.  Ctrl-C to cancel."
nc --ssl --ssl-key ./ncat_listener.key --ssl-cert ./ncat_listener.pem --listen --keep-open $PORT
[root@auto-services ncat_listener]# 
[root@auto-services ncat_listener]# chmod 744 ncat_listener.sh
[root@auto-services ncat_listener]# 

Now create a ncat_listener.service file in directory /etc/systemd/system/ that contains...

[root@auto-services ncat_listener]# cat /etc/systemd/system/ncat_listener.service
[Unit]
Description=Socket listener for testing network timeouts
After=network.target
[Service]
Type=simple
ExecStart=/root/ncat_listener/ncat_listener.sh
WorkingDirectory=/root/ncat_listener
Restart=always
[Install]
WantedBy=default.target
[root@auto-services ncat_listener]# 

Now enable and start the ncat_listener...

[root@auto-services ncat_listener]# systemctl enable ncat_listener
Created symlink from /etc/systemd/system/default.target.wants/ncat_listener.service to /etc/systemd/system/ncat_listener.service.
[root@auto-services ncat_listener]# systemctl start ncat_listener
[root@auto-services ncat_listener]# systemctl is-active ncat_listener.service
active
[root@auto-services ncat_listener]# 

Now we know that machine 1 has been set up to simulate a non-responsive entitlement server

_____________________________________________________________________
Setting up machine 2 (a RHEL system where we will configure subscription-manager to connect to the non-responsive server):

[root@jsefler-rhel7 ~]# cat /etc/redhat-release; hostname
Red Hat Enterprise Linux Server release 7.3 (Maipo)
jsefler-rhel7.usersys.redhat.com
[root@jsefler-rhel7 ~]# 
[root@jsefler-rhel7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.9.51.11-1
subscription management rules: 5.15
subscription-manager: 1.17.15-1.el7
python-rhsm: 1.17.9-1.el7
[root@jsefler-rhel7 ~]# 
[root@jsefler-rhel7 ~]# scp root@auto-services.usersys.redhat.com:/root/ncat_listener/ncat_listener.pem /etc/rhsm/ca/
root@auto-services.usersys.redhat.com's password: 
ncat_listener.pem                            100% 1935     1.9KB/s   00:00    
[root@jsefler-rhel7 ~]# chmod 0644 /etc/rhsm/ca/ncat_listener.pem
[root@jsefler-rhel7 ~]# 
[root@jsefler-rhel7 ~]# subscription-manager config --server.hostname=auto-services.usersys.redhat.com --server.port=8884
[root@jsefler-rhel7 ~]# 
_____________________________________________________________________
Now let's test a server_timeout configuration of 20 seconds:

[root@jsefler-rhel7 ~]# subscription-manager config --server.server_timeout=20
[root@jsefler-rhel7 ~]# 
[root@jsefler-rhel7 ~]# time subscription-manager register --username=foo --password=bar
Registering to: auto-services.usersys.redhat.com:8884/subscription
Unable to verify server's identity: timed out

real	0m20.795s
user	0m0.277s
sys	0m0.093s
[root@jsefler-rhel7 ~]# 

VERIFIED: After a real time of 20.795s, subscription-manager timed out waiting for a response from server auto-services.usersys.redhat.com:8884
_____________________________________________________________________
Now let's test the default server_timeout (which the developers have hard-coded to 180 seconds = 3 minutes):

[root@jsefler-rhel7 ~]# subscription-manager config --remove=server.server_timeout
You have removed the value for section server and name server_timeout.
The default value for server_timeout will now be used.
[root@jsefler-rhel7 ~]# 
[root@jsefler-rhel7 ~]# time subscription-manager register --username=foo --password=bar
Registering to: auto-services.usersys.redhat.com:8884/subscription
Unable to verify server's identity: timed out

real	3m1.023s
user	0m0.274s
sys	0m0.089s
[root@jsefler-rhel7 ~]# 

VERIFIED: After a real time of 3m1.023s, subscription-manager timed out waiting for a response from server auto-services.usersys.redhat.com:8884



Final Note: As demonstrated above, machine 1 is now configured to keep listening on port 8884 forever and will sustain a reboot for future testing.
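The two-machine check above can be reproduced on one host to see why a bounded socket timeout matters: a loopback listener that accepts TCP connections but never answers the ClientHello, and a client whose TLS handshake is limited by a `server_timeout` read from an rhsm.conf-style `[server]` section (defaulting to the 180 seconds the report mentions when the key is absent). This is an added illustration, not code from python-rhsm or subscription-manager; the rhsm.conf text, the 1-second timeout and the `demo`/`attempt_handshake` helpers are constructed for the example.

```python
import configparser
import socket
import ssl
import threading
import time

DEFAULT_SERVER_TIMEOUT = 180  # the hard-coded default noted in the bug report
# Constructed rhsm.conf fragment; 1 s instead of the 20 s used in the comment above.
RHSM_CONF_TEXT = "[server]\nserver_timeout = 1\n"

def read_server_timeout(conf_text):
    """server_timeout from [server], or the 180 s default when the key was removed."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.getint("server", "server_timeout", fallback=DEFAULT_SERVER_TIMEOUT)

def start_silent_listener():
    """Accept connections on an ephemeral loopback port and never send a byte
    (the role of the ncat listener on machine 1). Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []  # keep accepted sockets open so the client's handshake just stalls

    def loop():
        while True:
            held.append(srv.accept()[0])

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def attempt_handshake(host, port, timeout):
    """Run a TLS handshake bounded by `timeout` seconds; returns (outcome, elapsed).
    The client sends ClientHello, waits for ServerHello, and hits the deadline."""
    ctx = ssl.create_default_context()
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                outcome = "handshake completed"
    except socket.timeout:
        outcome = "timed out"  # the "timed out" case subscription-manager reports
    return outcome, time.monotonic() - start

def demo(conf_text=RHSM_CONF_TEXT):
    """Timeout from config, silent server, bounded client, like the test above."""
    port = start_silent_listener()
    return attempt_handshake("127.0.0.1", port, read_server_timeout(conf_text))

if __name__ == "__main__":
    print(demo())
```

Without the timeout the `wrap_socket` call would block indefinitely, which is the hang the original hard-coded 180 s value was guarding against.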

Comment 12 Barnaby Court 2017-01-11 18:25:41 UTC
*** Bug 1343160 has been marked as a duplicate of this bug. ***

Comment 13 sthirugn@redhat.com 2017-08-18 20:19:17 UTC
*** Bug 1483137 has been marked as a duplicate of this bug. ***

