Bug 2043314 - `oc debug node` does not meet compliance requirement
Summary: `oc debug node` does not meet compliance requirement
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.11.0
Assignee: Maciej Szulik
QA Contact: zhou ying
URL:
Whiteboard:
Depends On:
Blocks: 2060888
Reported: 2022-01-21 00:55 UTC by Vincent Shen
Modified: 2022-08-10 10:43 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: No timeout was specified after invoking oc debug node.
Consequence: User was never logged out of cluster.
Fix: Add TMOUT environment variable for debug pod to have an inactivity timeout counter.
Result: After TMOUT inactivity the session will be automatically terminated.
Clone Of:
Environment:
Last Closed: 2022-08-10 10:43:12 UTC
Target Upstream Version:
Embargoed:


Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | openshift oc pull 1048 | 0 | None | Merged | Add TMOUT env to debug node pod | 2022-02-24 20:46:44 UTC |
| Red Hat Issue Tracker | RFE-2567 | 0 | None | None | None | 2022-02-24 20:54:34 UTC |
| Red Hat Product Errata | RHSA-2022:5069 | 0 | None | None | None | 2022-08-10 10:43:28 UTC |

Comment 4 Lance Bragstad 2022-01-21 16:41:54 UTC
Adding some more context here that this particular issue is related to SRG-OS-000279-GPOS-00109 and SRG-OS-000126-GPOS-00066, where the operating system must terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is complete. The `oc debug` command doesn't allow us to set a connection timeout.

Comment 7 Daniel Del Ciancio 2022-03-04 15:47:04 UTC
@Maciej, 

Do we know which 4.8.z release this PR will land or can you provide an update where things are at?  

This has been defined as a gating security requirement/dependency for an upcoming customer go-live.

Please treat this backport request as urgent.


Thanks!
Daniel.

Comment 8 Maciej Szulik 2022-03-04 16:05:05 UTC
(In reply to Daniel Del Ciancio from comment #7)
> @Maciej, 
> 
> Do we know which 4.8.z release this PR will land or can you provide an
> update where things are at?  
> 
> This has been defined as a gating security requirement/dependency for an
> upcoming customer go-live.
> 
> Please treat this backport request as urgent.

It has to go through all previous versions before it will reach 4.8, so it'll take a few weeks, I can't say for sure which exact .z version it'll be.

Comment 9 Daniel Del Ciancio 2022-03-04 17:36:07 UTC
As discussed in Slack, can we ask QE to prioritize testing of the backport request for 4.8?

Your help to expedite this would be much appreciated.

This backport request has already been tagged and added to the Telco 5g priority list.

Thanks!
Daniel.

Comment 19 errata-xmlrpc 2022-08-10 10:43:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069
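
The fix recorded in the Doc Text above is a TMOUT environment variable on the debug pod. The following is an added example, not part of this bug report and not code from the oc project, of an audit check that reads a pod manifest and reports containers whose TMOUT would not produce an idle timeout. The 900-second ceiling, the function name `tmout_findings`, and the sample manifests are assumptions constructed for illustration.

```python
import json

# Assumption of this example (not from the bug report): longest idle timeout,
# in seconds, that the auditor accepts.
MAX_IDLE_SECONDS = 900


def tmout_findings(pod, max_idle=MAX_IDLE_SECONDS):
    """Return (container, problem) pairs; an empty list means every container
    carries a TMOUT that yields an idle timeout of at most max_idle seconds."""
    findings = []
    for c in pod.get("spec", {}).get("containers", []):
        name = c.get("name", "<unnamed>")
        entries = [e for e in c.get("env") or [] if e.get("name") == "TMOUT"]
        if not entries:
            findings.append((name, "TMOUT not set: session never times out"))
        for e in entries:
            if "value" not in e:
                # valueFrom (ConfigMap/Secret/fieldRef) needs a live lookup.
                findings.append((name, "TMOUT not a literal: check manually"))
                continue
            raw = e["value"].strip()
            # A shell only enforces TMOUT when it is greater than zero.
            if not (raw.isascii() and raw.isdigit()) or int(raw) == 0:
                findings.append((name, f"TMOUT={raw!r} is not a positive integer"))
            elif int(raw) > max_idle:
                findings.append((name, f"TMOUT={raw} exceeds {max_idle}s"))
    return findings


# Constructed sample manifests, shaped like `oc get pod <name> -o json` output.
SAMPLE_OK = json.loads("""
{"metadata": {"name": "example-debug"},
 "spec": {"containers": [{"name": "debug",
          "env": [{"name": "TMOUT", "value": "900"}]}]}}
""")
SAMPLE_BAD = json.loads("""
{"metadata": {"name": "example-debug-old"},
 "spec": {"containers": [
   {"name": "no-env"},
   {"name": "zero", "env": [{"name": "TMOUT", "value": "0"}]},
   {"name": "long", "env": [{"name": "TMOUT", "value": "86400"}]}]}}
""")

if __name__ == "__main__":
    for pod in (SAMPLE_OK, SAMPLE_BAD):
        problems = tmout_findings(pod)
        print(pod["metadata"]["name"], "OK" if not problems else problems)
```

TMOUT is interpreted by the shell inside the container, so this check confirms the variable is present and usable, not that a given session was actually terminated.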

