From af5bd733729666f4baacdd2f4f41ee93ffc6c095 Mon Sep 17 00:00:00 2001
From: Rohit Yadav
Date: Mon, 3 Dec 2018 16:58:54 +0530
Subject: [PATCH] security: increase keystore setup/import timeout

This increases and uses a default 15mins timeout for VR scripts and for KVM agent increases timeout from 60s to 5mins. The timeout can specifically occur when keystore does not get enough entropy from CPU and script gets killed due to timeout. This is a very specific corner case and generally should not happen on baremetal/prod environment, but sometimes seen in nested/test environments.

Signed-off-by: Rohit Yadav
---
 agent/src/com/cloud/agent/Agent.java | 4 ++--
 .../agent/resource/virtualnetwork/VirtualRoutingResource.java | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/agent/src/com/cloud/agent/Agent.java b/agent/src/com/cloud/agent/Agent.java
index f1f2116ffae1..df0448dab224 100644
--- a/agent/src/com/cloud/agent/Agent.java
+++ b/agent/src/com/cloud/agent/Agent.java
@@ -729,7 +729,7 @@ public Answer setupAgentKeystore(final SetupKeyStoreCommand cmd) {
  _shell.setPersistentProperty(null, KeyStoreUtils.KS_PASSPHRASE_PROPERTY, storedPassword);
  }
 
- Script script = new Script(_keystoreSetupPath, 60000, s_logger);
+ Script script = new Script(_keystoreSetupPath, 300000, s_logger);
  script.add(agentFile.getAbsolutePath());
  script.add(keyStoreFile);
  script.add(storedPassword);
@@ -773,7 +773,7 @@ private Answer setupAgentCertificate(final SetupCertificateCommand cmd) {
  throw new CloudRuntimeException("Unable to save received agent client and ca certificates", e);
  }
 
- Script script = new Script(_keystoreCertImportPath, 60000, s_logger);
+ Script script = new Script(_keystoreCertImportPath, 300000, s_logger);
  script.add(agentFile.getAbsolutePath());
  script.add(keyStoreFile);
  script.add(KeyStoreUtils.AGENT_MODE);
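Review bot: The keystore passphrase is still handed to the setup script as a positional argument (`script.add(storedPassword);` in the trailing context), and raising the timeout from 60000 to 300000 lengthens the time that value can sit on a child process command line, where other local users and process-accounting tools may be able to read it. Assuming `Script` launches the script with these values as its argument vector, it would be safer to pass the passphrase through stdin or a file readable only by the agent user, and to confirm that nothing written through `s_logger` includes the full command line. If that is out of scope for this commit, a comment such as `// passphrase is passed as an argument: keep it out of logs and keep the script's runtime bounded` would at least record the exposure. The body of setupAgentKeystore starts and ends outside this hunk, so how a timeout result is handled cannot be checked from here.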
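Review bot: The literal `300000` is repeated in both `Script` constructions (here in setupAgentCertificate and in the setupAgentKeystore hunk above) with no unit or rationale at the call site. A single named constant, for example `private static final int KEYSTORE_SCRIPT_TIMEOUT_MS = 5 * 60 * 1000; // keystore setup can stall waiting for entropy`, would keep the two calls in step and carry the reason from the commit message into the code. Because the stall is attributed to entropy starvation in nested or test guests, it would also help if a timeout produced a distinct log message, so operators can tell an entropy problem from a broken keystore; the code that handles the script result is outside this hunk.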
diff --git a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
index 0ffe8cc0ea2f..136721866531 100644
--- a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
+++ b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
@@ -161,7 +161,7 @@ private Answer execute(final SetupKeyStoreCommand cmd) {
  cmd.getKeystorePassword(),
  cmd.getValidityDays(),
  KeyStoreUtils.CSR_FILENAME);
- ExecutionResult result = _vrDeployer.executeInVR(cmd.getRouterAccessIp(), KeyStoreUtils.KS_SETUP_SCRIPT, args);
+ ExecutionResult result = _vrDeployer.executeInVR(cmd.getRouterAccessIp(), KeyStoreUtils.KS_SETUP_SCRIPT, args, Duration.standardMinutes(15));
  return new SetupKeystoreAnswer(result.getDetails());
  }
 
@@ -179,7 +179,7 @@ private Answer execute(final SetupCertificateCommand cmd) {
  cmd.getEncodedCaCertificates(),
  KeyStoreUtils.PKEY_FILENAME,
  cmd.getEncodedPrivateKey());
- ExecutionResult result = _vrDeployer.executeInVR(cmd.getRouterAccessIp(), KeyStoreUtils.KS_IMPORT_SCRIPT, args);
+ ExecutionResult result = _vrDeployer.executeInVR(cmd.getRouterAccessIp(), KeyStoreUtils.KS_IMPORT_SCRIPT, args, Duration.standardMinutes(15));
  return new SetupCertificateAnswer(result.isSuccess());
  }
 
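Review bot: The answer is built from `result.getDetails()` without consulting `result.isSuccess()`, so when the script fails or hits the new 15-minute limit, whatever error text comes back is wrapped in a `SetupKeystoreAnswer` as if it were the script's normal output (presumably the CSR). The SetupCertificateCommand handler in the same file does propagate `result.isSuccess()`; this path should fail explicitly as well, with something like `if (!result.isSuccess()) { return new Answer(cmd, false, result.getDetails()); }` ahead of the return. The statement that builds `args` begins outside the hunk, so only its last three arguments are visible here.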
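Review bot: The encoded private key is formatted into the `args` string (`cmd.getEncodedPrivateKey()` in the leading context) and passed to `executeInVR`, so key material appears to travel as a script argument that can now stay on the router's process list for up to 15 minutes, and would land in logs if the deployer or the script records its arguments. The keystore password in the SetupKeyStoreCommand hunk above (`cmd.getKeystorePassword()`) is passed the same way. Consider delivering these secrets through a file with restrictive permissions or through stdin rather than the argument string, and check that `args` is redacted wherever `executeInVR` logs the command. Separately, `Duration.standardMinutes(15)` is repeated in both calls and would read better as one named constant; the statement that builds `args` begins outside the hunk.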