Socat console de-activates without closing active SOL connections

Bug #1611279 reported by Andrey Shestakov
Affects: Ironic
Status: Fix Released
Importance: Medium
Assigned to: Andrey Shestakov
Milestone: (none)

Bug Description

Currently the socat console allows multiple connections to one listener.
Each new connection de-activates the previous one, but the old connections remain open and their proxy processes keep running.
The reason is that the IPMI server does not send EOF when it de-activates the SOL connection.
ipmitool has a timeout check for data messages (30 sec), but if no data is transmitted the session will stay open forever.
Connections from the client to socat have no timeout checks at all (open but inactive sessions never expire).

Possible security issue when a user can connect to the socat socket directly (not via nova-serialproxy) and make unlimited connections.
For each client connection, 2 forks run: socat+ipmitool.

Another issue may be related:
_stop_console kills only the socat parent process and not the child forks.

Changed in ironic:
assignee: nobody → Andrey Shestakov (ashestakov)
Sam Betts (sambetts)
Changed in ironic:
status: New → Confirmed
importance: Undecided → Medium
Dao Cong Tien (tiendc) wrote :

Andrey: Thanks for reporting the bug. I am the author of part of Socat console source code that relates to this issue.

I want to propose an idea for fixing it. The code below in ironic/drivers/modules/console_utils.py should be considered:

# Lines 289 and 291 (def start_socat_console())
arg = 'TCP6-LISTEN:%(port)s,bind=[%(host)s],reuseaddr,fork'

Because IPMI SoL does not support multi-connection, the use of the config value 'fork' here is redundant and causes the issue. My idea is to remove that config value from the command. Please recheck the solution and upload your fix to gerrit if you are happy with it. Thanks.

Andrey Shestakov (ashestakov) wrote :

Sorry for the long delay in answering.

Removing the 'fork' option can solve the issues with de-activating and the unlimited number of forks.
socat will accept only one connection, and will terminate after that connection ends.
But when using a direct telnet connection to socat, the user will need to re-activate the console before connecting.
This may not be a problem when the user requests the console via the nova virt driver (it activates a new console process for each new request).

Maybe it is possible to re-execute the socat command when it finishes (when the single connection was closed).
Also it would be nice to add timeout checks for each connection.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (master)

Fix proposed to branch: master
Review: https://review.openstack.org/389125

Changed in ironic:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (master)

Reviewed: https://review.openstack.org/389125
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=cc88ce14dbbcb59a5644274b3e4e451dbe2351a2
Submitter: Jenkins
Branch: master

commit cc88ce14dbbcb59a5644274b3e4e451dbe2351a2
Author: Andrey Shestakov <email address hidden>
Date: Thu Oct 20 14:15:44 2016 +0300

    Remove 'fork' option from socat command

    socat should not fork for each new connection.
    After this change the socat console will be available only for a single user
    connection and will be closed after the user connection closes.
    To connect again, the user should re-activate the console.
    This is already covered in the nova virt driver.

    Also added a timeout check of 600 sec for the user's connection.

    Change-Id: If92b3a9cff2d0fc1280f8e9dfc4bc8fa100c91ec
    Closes-bug: #1611279
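The shape of the fix described in the commit message, as an added illustration that is not ironic's own console_utils code: the weak listener spec with `fork` next to a single-client spec that relies on socat's `-T` total-inactivity timeout, plus a small audit helper. The function names `build_socat_cmd` and `audit_socat_cmd` are hypothetical; `fork`, `max-children` and `-T` are real socat options, and the 600 second value is the one the commit names.

```python
import ipaddress

# Weak form from the bug report (constructed copy): 'fork' gives every new
# client its own socat+ipmitool pair and nothing ever reaps idle ones.
WEAK_LISTEN = 'TCP6-LISTEN:%(port)s,bind=[%(host)s],reuseaddr,fork'


def build_socat_cmd(host, port, console_cmd, pid_file, timeout=600):
    """Build argv for a single-client socat console (hypothetical helper).

    No 'fork': socat serves one connection and exits when it closes.
    '-T': socat's total inactivity timeout, so a silent client is dropped
    instead of holding the IPMI SOL session open forever.
    """
    if ipaddress.ip_address(host).version == 6:
        listen = 'TCP6-LISTEN:%d,bind=[%s],reuseaddr' % (port, host)
    else:
        listen = 'TCP4-LISTEN:%d,bind=%s,reuseaddr' % (port, host)
    return ['socat', '-L', pid_file, '-T', str(timeout), listen,
            'EXEC:%s,pty,stderr' % console_cmd]


def audit_socat_cmd(argv):
    """Return findings for a socat argv; an empty list means no weak setting."""
    findings = []
    listen = next((a for a in argv if 'LISTEN:' in a), '')
    opts = set(listen.split(',')[1:])
    if 'fork' in opts and not any(o.startswith('max-children=') for o in opts):
        findings.append('fork without max-children: unbounded child processes')
    if '-T' not in argv:
        findings.append('no -T inactivity timeout: idle sessions live forever')
    return findings


if __name__ == '__main__':
    # Constructed sample values, not taken from any real deployment.
    weak = ['socat', WEAK_LISTEN % {'host': '::1', 'port': 4000},
            'EXEC:ipmitool -I lanplus sol activate,pty,stderr']
    fixed = build_socat_cmd('::1', 4000,
                            'ipmitool -I lanplus sol activate', '/tmp/c.pid')
    print('weak :', audit_socat_cmd(weak))
    print('fixed:', audit_socat_cmd(fixed))
```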

Changed in ironic:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ironic 7.0.0

This issue was fixed in the openstack/ironic 7.0.0 release.
