security: increase keystore setup/import timeout #3076

Merged: yadvr merged 1 commit into apache:4.11 from shapeblue:ks-timeout-fix on Dec 3, 2018

yadvr (Member) commented Dec 3, 2018

This increases and uses a default 15mins timeout for VR scripts and for
KVM agent increases timeout from 60s to 5mins. The timeout can
specifically occur when keystore does not get enough entropy from CPU
and script gets killed due to timeout. This is a very specific corner
case and generally should not happen on baremetal/prod environment, but
sometimes seen in nested/test environments.

/cc @PaulAngus @dagsonstebo

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)

This increases and uses a default 15mins timeout for VR scripts and for
KVM agent increases timeout from 60s to 5mins. The timeout can
specifically occur when keystore does not get enough entropy from CPU
and script gets killed due to timeout. This is a very specific corner
case and generally should not happen on baremetal/prod environment, but
sometimes seen in nested/test environments.

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

yadvr (Member Author) commented Dec 3, 2018

@blueorangutan package

@blueorangutan

@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

wido (Contributor) left a comment

I observed this as well during testing.

Changes LGTM

@blueorangutan

Packaging result: ✔centos6 ✔centos7 ✔debian. JID-2480

yadvr (Member Author) commented Dec 3, 2018

@blueorangutan test

@blueorangutan

@rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

nvazquez (Contributor) left a comment

LGTM. Just minor suggestion/question, could these be configurable?

@blueorangutan

Trillian test result (tid-3244)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 20678 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr3076-t3244-kvm-centos7.zip
Intermittent failure detected: /marvin/tests/smoke/test_vpc_redundant.py
Smoke tests completed. 68 look OK, 0 have error(s)
Only failed tests results shown below:

Test Result Time (s) Test File

yadvr (Member Author) commented Dec 3, 2018

@nvazquez yes they can be made configurable, however it may make it slightly complex on how we propagate the settings in case of KVM agent and in case of systemvm (cpvm/ssvm). I've used a very high number to be on safe side, generally they should complete within 60s.

yadvr merged commit 89c567a into apache:4.11 on Dec 3, 2018

nvazquez pushed a commit to shapeblue/cloudstack that referenced this pull request on Jul 24, 2019

This increases and uses a default 15mins timeout for VR scripts and for
KVM agent increases timeout from 60s to 5mins. The timeout can
specifically occur when keystore does not get enough entropy from CPU
and script gets killed due to timeout. This is a very specific corner
case and generally should not happen on baremetal/prod environment, but
sometimes seen in nested/test environments.

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit 89c567a)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>