Bug 1346417 - [RFE] Allow users to set socket timeout.
Summary: [RFE] Allow users to set socket timeout.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: python-rhsm
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Alex Wood
QA Contact: John Sefler
Aneta Šteflová Petrová
URL:
Whiteboard:
Duplicates: 1343160 1483137
Depends On:
Blocks:
Reported: 2016-06-14 18:36 UTC by John Sefler
Modified: 2019-04-08 16:29 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
The socket timeout value for SSL connections of the *subscription-manager* client is now configurable. Previously, the socket timeout value for SSL connections to an entitlement server was hard-coded. With this update, users can configure a custom SSL timeout value in the `/etc/rhsm/rhsm.conf` file. Setting a larger SSL timeout helps ensure that expensive operations involving many subscriptions have enough time to complete.
Clone Of:
Environment:
Last Closed: 2016-11-03 20:29:35 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1346368 | 0 | medium | CLOSED | man rhsm.conf is missing a description for the server_timeout configuration | 2021-02-22 00:41:40 UTC
Red Hat Bugzilla | 1591399 | 1 | None | None | None | 2021-01-20 06:05:38 UTC
Red Hat Knowledge Base (Article) | 4044461 | 0 | None | None | None | 2019-04-08 16:29:43 UTC
Red Hat Product Errata | RHSA-2016:2592 | 0 | normal | SHIPPED_LIVE | Moderate: subscription-manager security, bug fix, and enhancement update | 2016-11-03 12:10:42 UTC

Internal Links: 1346368 1591399

Description John Sefler 2016-06-14 18:36:35 UTC
Description of problem:
Currently there is a hard-coded timeout against SSL connections to the candlepin server.  If a response is not received within this time, an "Unable to verify server's identity: timed out" occurs on the subscription-manager client.

This is a request to make the timeout configurable from the subscription-manager client.


Expected results:
After this is implemented, I expect a new config option for...
  subscription-manager config --server.server_timeout=123

...that will enable a user to create and save a configuration to rhsm.conf that will use this value when making an SSL connection to the candlepin server.

The man page for rhsm.conf should also describe the new option.

Comment 3 Shwetha Kallesh 2016-06-23 07:54:41 UTC
Moving bug to verified


[root@shwetha-workstation ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.9.51.11-1
subscription management rules: 5.15
subscription-manager: 1.17.8-1.el7
python-rhsm: 1.17.4-1.el7


[root@shwetha-workstation ~]# subscription-manager config --server.server_timeout=100
[root@shwetha-workstation ~]# cat /etc/rhsm/rhsm.conf | grep server_timeout
server_timeout = 100


[root@shwetha-workstation ~]# subscription-manager config --remove server.server_timeout
You have removed the value for section server and name server_timeout.
The default value for server_timeout will now be used.
[root@shwetha-workstation ~]# cat /etc/rhsm/rhsm.conf | grep server_timeout
server_timeout = 180

Comment 5 Alex Wood 2016-09-27 21:13:30 UTC
Doc text looks good to me!

Comment 6 Alex Wood 2016-10-10 15:10:36 UTC
Doc text looks good to me! (Commenting again to clear needinfo?)

Comment 10 errata-xmlrpc 2016-11-03 20:29:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2592.html

Comment 11 John Sefler 2016-11-21 19:55:37 UTC
Demonstrating that this new RFE actually works...

Our strategy for this demonstration is to use two machines. On machine 1 we will set up a port that will listen for incoming traffic, but will never respond (effectively simulating a broken entitlement server).  On machine 2 we will configure subscription-manager so that its server settings point to machine 1 and then we will attempt to register with different socket timeouts to verify that subscription-manager will indeed time out at the desired time when machine 1 fails to respond.

_____________________________________________________________________
Setting up machine 1 (a RHEL or Fedora system simulating a non-responsive entitlement server - one time setup):

[root@auto-services ~]# cat /etc/redhat-release; hostname
Fedora release 22 (Twenty Two)
auto-services.usersys.redhat.com
[root@auto-services ~]#
[root@auto-services ~]# pwd
/root
[root@auto-services ~]# mkdir ncat_listener
[root@auto-services ~]# cd ncat_listener/
[root@auto-services ncat_listener]# 
[root@auto-services ncat_listener]# dnf install openssl nmap-ncat
Last metadata expiration check performed 1:31:02 ago on Mon Nov 21 13:07:52 2016.
Package openssl-1:1.0.1k-11.fc22.x86_64 is already installed, skipping.
Package nmap-ncat-2:7.12-1.fc22.x86_64 is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!

[root@auto-services ncat_listener]# openssl genrsa -out ncat_listener.key 4096
Generating RSA private key, 4096 bit long modulus
......++
........................................................................................................................................................................................................++
e is 65537 (0x10001)
[root@auto-services ncat_listener]# openssl req -new -x509 -key ncat_listener.key -out ncat_listener.pem -days 3650 -subj '/CN=auto-services.usersys.redhat.com/C=US/L=Raleigh'
[root@auto-services ncat_listener]# 

Now create a ncat_listener.sh file that contains...

[root@auto-services ncat_listener]# cat ncat_listener.sh 
#! /bin/bash
PORT=8884; # assumes this port is available, you can check by calling netstat -an | grep <port_number>
echo "Listening on $PORT forever.  Ctrl-C to cancel."
nc --ssl --ssl-key ./ncat_listener.key --ssl-cert ./ncat_listener.pem --listen --keep-open $PORT
[root@auto-services ncat_listener]# 
[root@auto-services ncat_listener]# chmod 744 ncat_listener.sh
[root@auto-services ncat_listener]# 

Now create a ncat_listener.service file in directory /etc/systemd/system/ that contains...

[root@auto-services ncat_listener]# cat /etc/systemd/system/ncat_listener.service
[Unit]
Description=Socket listener for testing network timeouts
After=network.target
[Service]
Type=simple
ExecStart=/root/ncat_listener/ncat_listener.sh
WorkingDirectory=/root/ncat_listener
Restart=always
[Install]
WantedBy=default.target
[root@auto-services ncat_listener]# 

Now enable and start the ncat_listener...

[root@auto-services ncat_listener]# systemctl enable ncat_listener
Created symlink from /etc/systemd/system/default.target.wants/ncat_listener.service to /etc/systemd/system/ncat_listener.service.
[root@auto-services ncat_listener]# systemctl start ncat_listener
[root@auto-services ncat_listener]# systemctl is-active ncat_listener.service
active
[root@auto-services ncat_listener]# 

Now we know that machine 1 has been set up to simulate a non-responsive entitlement server.

_____________________________________________________________________
Setting up machine 2 (a RHEL system where we will configure subscription-manager to connect to the non-responsive server):

[root@jsefler-rhel7 ~]# cat /etc/redhat-release; hostname
Red Hat Enterprise Linux Server release 7.3 (Maipo)
jsefler-rhel7.usersys.redhat.com
[root@jsefler-rhel7 ~]# 
[root@jsefler-rhel7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.9.51.11-1
subscription management rules: 5.15
subscription-manager: 1.17.15-1.el7
python-rhsm: 1.17.9-1.el7
[root@jsefler-rhel7 ~]# 
[root@jsefler-rhel7 ~]# scp root.redhat.com:/root/ncat_listener/ncat_listener.pem /etc/rhsm/ca/
root.redhat.com's password: 
ncat_listener.pem                            100% 1935     1.9KB/s   00:00    
[root@jsefler-rhel7 ~]# chmod 0644 /etc/rhsm/ca/ncat_listener.pem
[root@jsefler-rhel7 ~]# 
[root@jsefler-rhel7 ~]# subscription-manager config --server.hostname=auto-services.usersys.redhat.com --server.port=8884
[root@jsefler-rhel7 ~]# 
_____________________________________________________________________
Now let's test a server_timeout configuration of 20 seconds:

[root@jsefler-rhel7 ~]# subscription-manager config --server.server_timeout=20
[root@jsefler-rhel7 ~]# 
[root@jsefler-rhel7 ~]# time subscription-manager register --username=foo --password=bar
Registering to: auto-services.usersys.redhat.com:8884/subscription
Unable to verify server's identity: timed out

real	0m20.795s
user	0m0.277s
sys	0m0.093s
[root@jsefler-rhel7 ~]# 

VERIFIED: After a real time of 20.795s, subscription-manager timed out waiting for a response from server auto-services.usersys.redhat.com:8884
_____________________________________________________________________
Now let's test the default server_timeout (which the developers have hard-coded to 180 seconds = 3 minutes):

[root@jsefler-rhel7 ~]# subscription-manager config --remove=server.server_timeout
You have removed the value for section server and name server_timeout.
The default value for server_timeout will now be used.
[root@jsefler-rhel7 ~]# 
[root@jsefler-rhel7 ~]# time subscription-manager register --username=foo --password=bar
Registering to: auto-services.usersys.redhat.com:8884/subscription
Unable to verify server's identity: timed out

real	3m1.023s
user	0m0.274s
sys	0m0.089s
[root@jsefler-rhel7 ~]# 

VERIFIED: After a real time of 3m1.023s, subscription-manager timed out waiting for a response from server auto-services.usersys.redhat.com:8884



Final Note: As demonstrated above, machine 1 is now configured to keep listening on port 8884 forever and will sustain a reboot for future testing.
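
The same check can be reproduced on a single host. The following is an added example, not python-rhsm code and not part of the comments above: it reads `server_timeout` from rhsm.conf-style text (falling back to the 180-second default shown above) and times a TLS handshake against a loopback listener that never answers. The function names, the loopback listener standing in for the ncat service (it stalls during the handshake rather than after it), and the fallback for non-numeric values are assumptions of this example.

```python
import configparser
import socket
import ssl
import time

DEFAULT_SERVER_TIMEOUT = 180  # default shown in the transcripts on this page


def read_server_timeout(conf_text):
    """Return [server] server_timeout from rhsm.conf-style text, or the default."""
    cp = configparser.RawConfigParser()
    cp.read_string(conf_text)
    raw = cp.get("server", "server_timeout", fallback="")
    try:
        value = int(raw)
    except ValueError:
        return DEFAULT_SERVER_TIMEOUT  # assumption: unusable values fall back
    return value if value > 0 else DEFAULT_SERVER_TIMEOUT


def start_silent_listener():
    """Listen on a free loopback port but never accept() or send a byte."""
    # The kernel completes the TCP handshake from the backlog, so a client
    # connects successfully and then waits for a reply that never arrives.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def timed_tls_connect(port, timeout):
    """Attempt a TLS handshake; return (outcome, elapsed_seconds)."""
    ctx = ssl.create_default_context()
    start = time.monotonic()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost"):
                outcome = "connected"
    except socket.timeout:
        outcome = "timed out"  # no server bytes within the configured timeout
    except OSError:
        outcome = "error"      # refused, reset, or a TLS failure
    return outcome, time.monotonic() - start


if __name__ == "__main__":
    listener, port = start_silent_listener()
    conf = "[server]\nserver_timeout = 2\n"  # constructed sample config
    print(timed_tls_connect(port, read_server_timeout(conf)))
```
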

Comment 12 Barnaby Court 2017-01-11 18:25:41 UTC
*** Bug 1343160 has been marked as a duplicate of this bug. ***

Comment 13 sthirugn@redhat.com 2017-08-18 20:19:17 UTC
*** Bug 1483137 has been marked as a duplicate of this bug. ***

