Bug 953088 - OpenSSH adding ControlPersist patch to enable full usage of SSH control options
Summary: OpenSSH adding ControlPersist patch to enable full usage of SSH control options
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssh
Version: 6.4
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Petr Lautrbach
QA Contact: Stanislav Zidek
URL:
Whiteboard:
: 953087 (view as bug list)
Depends On:
Blocks: 994246 1056252 1070830
TreeView+ depends on / blocked
 
Reported: 2013-04-17 10:35 UTC by Toshaan Bharvani
Modified: 2019-04-16 14:02 UTC (History)
21 users (show)

Fixed In Version: openssh-5.3p1-100.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-14 07:38:56 UTC
Target Upstream Version:


Attachments (Terms of Use)
Patch file for RPM package as found on the Red Hat rhel6 ftp (2.22 KB, patch)
2013-04-17 10:37 UTC, Toshaan Bharvani
no flags Details | Diff
backport ControlPersist option (96.86 KB, patch)
2014-06-11 14:22 UTC, Petr Lautrbach
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1552 normal SHIPPED_LIVE Moderate: openssh security, bug fix, and enhancement update 2014-10-14 01:21:23 UTC

Description Toshaan Bharvani 2013-04-17 10:35:11 UTC
Description of problem:
Adding the ControlPersist option to enable ControlMaster to shutdown without losing all sessions, as currently implemented in OpenSSH version 

Version-Release number of selected component (if applicable):
OpenSSH 5.3p1-84.1

How reproducible:
- Rebuild rpm with patch it seems to work on all my systems
http://repo.vantosh.com/yum/testing/el6/x86_64/openssh-5.3p1-84.2.el6.x86_64.rpm
http://repo.vantosh.com/yum/testing/el6/x86_64/openssh-clients-5.3p1-84.2.el6.x86_64.rpm

Steps to Reproduce:
1. rebuild openssh rpm with patch
2. install new rpm
3. add ControlPersist option to ssh config
  
Actual results:
- ControlPersist works

Expected results:
- ControlPersist works

Additional info:
- patch to rpm added in attachment

Comment 1 Toshaan Bharvani 2013-04-17 10:37:29 UTC
Created attachment 736790 [details]
Patch file for RPM package as found on the Red Hat rhel6 ftp

Comment 2 Petr Lautrbach 2013-04-22 14:22:21 UTC
*** Bug 953087 has been marked as a duplicate of this bug. ***

Comment 3 Petr Lautrbach 2013-04-22 14:22:58 UTC
    Thank you for taking the time to enter a bug report with us. We appreciate the feedback and look to use reports such as this to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to  guarantee the timeliness or suitability of a resolution.

     

    If this issue is critical or in any way time sensitive, please raise a ticket through your regular Red Hat support channels to make certain  it receives the proper attention and prioritization to assure a timely resolution. 

     

    For information on how to contact the Red Hat production support team, please visit:

    https://www.redhat.com/support/process/production/#howto

Comment 4 Toshaan Bharvani 2013-04-22 14:28:41 UTC
This is not a critical issue, I already have applied the patch for myself, however given that Red Hat backported ControlMaster and ControlPath, it seemed to me necessary to also include ControlPersist, otherwise if your master connection goes all of your slaves also go

Comment 6 Jesse Keating 2013-07-15 22:03:54 UTC
This would be extremely helpful to us at Rackspace too.

Comment 7 Toshaan Bharvani 2013-07-17 09:42:18 UTC
@Jesse Keating
Maybe test and use my package, till Red Hat decides to patch it
Take a look at http://yum.vantosh.com/ , it is in the testing repo.

Comment 8 RHEL Program Management 2013-10-14 03:48:21 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 9 Tim G 2013-11-01 06:03:17 UTC
ControlPersist support is required for Ansible "accelerated" mode (new in Ansible 1.3).

  http://www.ansibleworks.com/docs/playbooks_acceleration.html

Would be great if this could be considered for RHEL6.5.

Comment 10 Kevin Fenzi 2013-11-01 16:01:11 UTC
Ansibles accelerated mode does not require ControlPersist that I know of. ;)

It does need python-keyczar installed on each node, but thats it.

Comment 11 Tim G 2013-11-04 00:52:55 UTC
My apologies, Kevin you are absolutely correct. CP is not required for Ansible's new accelerated mode.

Comment 12 Toshaan Bharvani 2013-12-02 10:04:59 UTC
As of release 6.5 this patch has been included.
Thank you for mentioning this in the Changelog and you're welcome

And for the Ansible users, not ControlPersist is not required, but it does speed up to process. And remember to adjust your ~/.ansible.cfg for more options when using ssh

Comment 13 Toshaan Bharvani 2013-12-02 11:03:01 UTC
(In reply to Toshaan Bharvani from comment #12)
> As of release 6.5 this patch has been included.
> Thank you for mentioning this in the Changelog and you're welcome
Apparently my last comment is wrong, sorry but my own rpm builder did patch it again, so the official Red Hat openssh client still does NOT support Control Persist

Comment 16 Christian Horn 2014-01-02 09:22:21 UTC
Every party interested in getting this into RHEL, please
- open a case with Red Hat support, i.e. customer portal or via your TAM
- state the reasoning behind the request.

This is the proper way to get focus on requests, and to get an overview here to properly prioritize.

Comment 18 cove_s 2014-01-02 09:40:44 UTC
What if we're using a downstream distro, such as CentOS, and aren't direct customers of RH; how can we help prioritize updating OpenSSH?

Comment 19 Christian Horn 2014-01-02 12:26:10 UTC
(In reply to cove_s from comment #18)
> What if we're using a downstream distro, such as CentOS, and aren't direct
> customers of RH; how can we help prioritize updating OpenSSH?
Offering a tested patch and offering QA (so verifying that a patch we looked at works) are also of help.

Comment 26 Petr Lautrbach 2014-06-11 14:22:59 UTC
Created attachment 907685 [details]
backport ControlPersist option

This patch backports  ControlPersist option with few other upstream fixes. I've done some sanity testing but if you are able to test that it works for you as expected, it would be great.

Comment 27 Kevin Fenzi 2014-06-12 03:45:11 UTC
What version of the source/package is the patch against? 

I can't get it to apply cleanly off hand on openssh-5.3p1-94.el6.src.rpm

Any chance for a scratch build or src.rpm? ;)

Comment 28 Petr Lautrbach 2014-06-12 10:31:52 UTC
I'm sorry. It's based on a development sources with several other patches applied (like backported ecdsa and so). You can try this scratch build http://koji.fedoraproject.org/koji/taskinfo?taskID=7038939

Comment 29 Kevin Fenzi 2014-06-12 21:44:17 UTC
Just tested the scratch build here. Seems to work fine... takes an ansible playbook that takes about 4.5minutes with paramiko down to about 1min with ssh/controlpersist. :)

Comment 30 Todd Zullinger 2014-06-13 02:22:15 UTC
Ansible was the use case for me as well.  I built from the source rpm on CentOS 6.5 and in testing with ansible the results are wonderful.  Actions that took 20 seconds when ansible fell back to paramiko now take under a second. :)

I haven't used ControlPersist directly so I don't know if there are any bugs with things like cleaning up the ControlMaster sockets or anything like that.  If not, this would be fantastic to have rolled into official RHEL packages at some point.

Thanks Petr, and Toshaan for getting the ball rolling on this!

Comment 32 Stanislav Zidek 2014-06-30 13:56:13 UTC
There is a problem that with ControlPersist option with timeout specified, it is actually ignored (listens for connections indefinitely).

Also there is one other issue - without setting ControlPersist, the socket file is not removed after the connection ends.

According to Petr Lauterbach, these issues are connected and will be fixed shortly.

Comment 33 Petr Lautrbach 2014-07-01 07:24:13 UTC
There was doubled muxserver_listen() in ssh.c and I've also backported code fixing race between bind and listen on unix a socket.

Comment 35 Kevin Fenzi 2014-07-01 15:13:08 UTC
Cool. Any chance you could fire off another scratch build for testing? :)

Comment 36 Petr Lautrbach 2014-07-02 07:31:46 UTC
Here you are http://koji.fedoraproject.org/koji/taskinfo?taskID=7098603

Comment 39 Rob K 2014-09-05 04:32:14 UTC
Any chance this can be pushed as a RHEL6 update sometime this century?

Comment 40 Richard Schick 2014-10-07 16:50:10 UTC
Seconded for a push to RHEL6, this drastically affects performance for ansible users.

Comment 41 errata-xmlrpc 2014-10-14 07:38:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-1552.html


Note You need to log in before you can comment on or make changes to this bug.