Description of problem:
Currently there is a hard-coded timeout against SSL connections to the candlepin server. If a response is not received within this time, an "Unable to verify server's identity: timed out" occurs on the subscription-manager client. This is a request to make the timeout configurable from the subscription-manager client.

Expected results:
After this is implemented, I expect a new config option for...

subscription-manager config --server.server_timeout=123

...that will enable a user to create and save a configuration to rhsm.conf that will use this value when making an SSL connection to the candlepin server. The man page for rhsm.conf should also describe the new option.
Moving bug to verified

[root@shwetha-workstation ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.9.51.11-1
subscription management rules: 5.15
subscription-manager: 1.17.8-1.el7
python-rhsm: 1.17.4-1.el7

[root@shwetha-workstation ~]# subscription-manager config --server.server_timeout=100
[root@shwetha-workstation ~]# cat /etc/rhsm/rhsm.conf | grep server_timeout
server_timeout = 100

[root@shwetha-workstation ~]# subscription-manager config --remove server.server_timeout
You have removed the value for section server and name server_timeout.
The default value for server_timeout will now be used.
[root@shwetha-workstation ~]# cat /etc/rhsm/rhsm.conf | grep server_timeout
server_timeout = 180
Doc text looks good to me!
Doc text looks good to me! (Commenting again to clear needinfo?)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2592.html
Demonstrating that this new RFE actually works...

Our strategy for this demonstration is to use two machines. On machine 1 we will set up a port that will listen for incoming traffic, but will never respond (effectively simulating a broken entitlement server). On machine 2 we will configure subscription-manager so that its server settings point to machine 1 and then we will attempt to register with different socket timeouts to verify that subscription-manager will indeed time out at the desired time when machine 1 fails to respond.

_____________________________________________________________________
Setting up machine 1 (a RHEL or Fedora system simulating a non-responsive entitlement server - one time setup):

[root@auto-services ~]# cat /etc/redhat-release; hostname
Fedora release 22 (Twenty Two)
auto-services.usersys.redhat.com
[root@auto-services ~]#
[root@auto-services ~]# pwd
/root
[root@auto-services ~]# mkdir ncat_listener
[root@auto-services ~]# cd ncat_listener/
[root@auto-services ncat_listener]#
[root@auto-services ncat_listener]# dnf install openssl nmap-ncat
Last metadata expiration check performed 1:31:02 ago on Mon Nov 21 13:07:52 2016.
Package openssl-1:1.0.1k-11.fc22.x86_64 is already installed, skipping.
Package nmap-ncat-2:7.12-1.fc22.x86_64 is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
[root@auto-services ncat_listener]# openssl genrsa -out ncat_listener.key 4096
Generating RSA private key, 4096 bit long modulus
......++
........................................................................................................................................................................................................++
e is 65537 (0x10001)
[root@auto-services ncat_listener]# openssl req -new -x509 -key ncat_listener.key -out ncat_listener.pem -days 3650 -subj '/CN=auto-services.usersys.redhat.com/C=US/L=Raleigh'
[root@auto-services ncat_listener]#

Now create a ncat_listener.sh file that contains...
[root@auto-services ncat_listener]# cat ncat_listener.sh
#! /bin/bash
PORT=8884; # assumes this port is available, you can check by calling netstat -an | grep <port_number>
echo "Listening on $PORT forever. Ctrl-C to cancel."
nc --ssl --ssl-key ./ncat_listener.key --ssl-cert ./ncat_listener.pem --listen --keep-open $PORT
[root@auto-services ncat_listener]#
[root@auto-services ncat_listener]# chmod 744 ncat_listener.sh
[root@auto-services ncat_listener]#

Now create a ncat_listener.service file in directory /etc/systemd/system/ that contains...

[root@auto-services ncat_listener]# cat /etc/systemd/system/ncat_listener.service
[Unit]
Description=Socket listener for testing network timeouts
After=network.target

[Service]
Type=simple
ExecStart=/root/ncat_listener/ncat_listener.sh
WorkingDirectory=/root/ncat_listener
Restart=always

[Install]
WantedBy=default.target
[root@auto-services ncat_listener]#

Now enable and start the ncat_listener...

[root@auto-services ncat_listener]# systemctl enable ncat_listener
Created symlink from /etc/systemd/system/default.target.wants/ncat_listener.service to /etc/systemd/system/ncat_listener.service.
[root@auto-services ncat_listener]# systemctl start ncat_listener
[root@auto-services ncat_listener]# systemctl is-active ncat_listener.service
active
[root@auto-services ncat_listener]#

Now we know that machine 1 has been set up to simulate a non-responsive entitlement server

_____________________________________________________________________
Setting up machine 2 (a RHEL system where we will configure subscription-manager to connect to the non-responsive server):

[root@jsefler-rhel7 ~]# cat /etc/redhat-release; hostname
Red Hat Enterprise Linux Server release 7.3 (Maipo)
jsefler-rhel7.usersys.redhat.com
[root@jsefler-rhel7 ~]#
[root@jsefler-rhel7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.9.51.11-1
subscription management rules: 5.15
subscription-manager: 1.17.15-1.el7
python-rhsm: 1.17.9-1.el7
[root@jsefler-rhel7 ~]#
[root@jsefler-rhel7 ~]# scp root.redhat.com:/root/ncat_listener/ncat_listener.pem /etc/rhsm/ca/
root.redhat.com's password:
ncat_listener.pem 100% 1935 1.9KB/s 00:00
[root@jsefler-rhel7 ~]# chmod 0644 /etc/rhsm/ca/ncat_listener.pem
[root@jsefler-rhel7 ~]#
[root@jsefler-rhel7 ~]# subscription-manager config --server.hostname=auto-services.usersys.redhat.com --server.port=8884
[root@jsefler-rhel7 ~]#

_____________________________________________________________________
Now let's test a server_timeout configuration of 20 seconds:

[root@jsefler-rhel7 ~]# subscription-manager config --server.server_timeout=20
[root@jsefler-rhel7 ~]#
[root@jsefler-rhel7 ~]# time subscription-manager register --username=foo --password=bar
Registering to: auto-services.usersys.redhat.com:8884/subscription
Unable to verify server's identity: timed out

real 0m20.795s
user 0m0.277s
sys 0m0.093s
[root@jsefler-rhel7 ~]#

VERIFIED: After a real time of 20.795s, subscription-manager timed out waiting for a response from server auto-services.usersys.redhat.com:8884

_____________________________________________________________________
Now let's test the default server_timeout (which the developers have hard-coded to 180 seconds = 3 minutes):

[root@jsefler-rhel7 ~]# subscription-manager config --remove=server.server_timeout
You have removed the value for section server and name server_timeout.
The default value for server_timeout will now be used.
[root@jsefler-rhel7 ~]#
[root@jsefler-rhel7 ~]# time subscription-manager register --username=foo --password=bar
Registering to: auto-services.usersys.redhat.com:8884/subscription
Unable to verify server's identity: timed out

real 3m1.023s
user 0m0.274s
sys 0m0.089s
[root@jsefler-rhel7 ~]#

VERIFIED: After a real time of 3m1.023s, subscription-manager timed out waiting for a response from server auto-services.usersys.redhat.com:8884

Final Note: As demonstrated above, machine 1 is now configured to keep listening on port 8884 forever and will sustain a reboot for future testing.
*** Bug 1343160 has been marked as a duplicate of this bug. ***
*** Bug 1483137 has been marked as a duplicate of this bug. ***