Socat console de-activates without close active SOL connections
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ironic | Fix Released | Medium | Andrey Shestakov |
Bug Description
Currently the socat console allows multiple connections to one listener.
Each new connection de-activates the previous one, but old connections remain open and proxy processes keep running.
The reason is that the IPMI server does not send EOF when it de-activates a SOL connection.
ipmitool has a timeout check for data messages (30 sec), but if no data is being transmitted the session will stay open forever.
Connections from the client to socat have no timeout checks at all (open but inactive sessions never expire).
This is a possible security issue when a user can connect to the socat socket directly (not via nova-serialproxy) and make unlimited connections.
Each client connection runs 2 forks: socat+ipmitool.
Another issue that may be related:
_stop_console kills only the socat parent process and not the child forks.
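The stop-side problem described above (signalling only the parent of a forking listener leaves its per-connection children running) can be reproduced and avoided as follows. This is an added example, not Ironic's code or its fix; it assumes Linux `/proc`, the `sh`/`sleep` command is a constructed stand-in for socat with `fork`, and all function names are hypothetical.

```python
import os
import signal
import subprocess
import time

# Constructed stand-in for a forking listener: one parent, two long-lived
# children (playing the per-connection socat+ipmitool forks).
FAKE_LISTENER = ["sh", "-c", "sleep 300 & sleep 300 & wait"]

def group_members(pgid):
    """PIDs of live (non-zombie) processes in process group pgid, via /proc."""
    live = []
    for entry in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{entry}/stat") as fh:
                # Fields after the "(comm)" part: state, ppid, pgrp, ...
                state, _ppid, pgrp = fh.read().rsplit(")", 1)[1].split()[:3]
        except (OSError, IndexError, ValueError):
            continue  # process exited while we were scanning
        if int(pgrp) == pgid and state != "Z":
            live.append(int(entry))
    return live

def stop_parent_only(proc):
    """The behaviour the report describes: signal just the parent PID."""
    proc.terminate()
    proc.wait()

def stop_group(proc):
    """Signal the whole process group so the forked children exit too."""
    os.killpg(proc.pid, signal.SIGTERM)
    proc.wait()

def leftover_after(stop, settle=0.5):
    """Start the listener, stop it with `stop`, count surviving processes."""
    # start_new_session=True makes the parent a group leader (pgid == pid),
    # so every fork it creates can be found and signalled through that pgid.
    proc = subprocess.Popen(FAKE_LISTENER, start_new_session=True)
    time.sleep(settle)  # give the parent time to fork its children
    stop(proc)
    time.sleep(settle)
    survivors = group_members(proc.pid)
    for pid in survivors:  # clean up the demo's own orphans
        os.kill(pid, signal.SIGKILL)
    return len(survivors)

if __name__ == "__main__":
    print("parent only:", leftover_after(stop_parent_only), "left running")
    print("whole group:", leftover_after(stop_group), "left running")
```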
Changed in ironic:
assignee: nobody → Andrey Shestakov (ashestakov)
Changed in ironic:
status: New → Confirmed
importance: Undecided → Medium
Andrey: Thanks for reporting the bug. I am the author of the part of the Socat console source code that relates to this issue.
I want to propose an idea for fixing it. The code below in ironic/drivers/modules/console_utils.py should be considered:
// Line 289 and 291 (def start_socat_console())
arg = 'TCP6-LISTEN:%(port)s,bind=[%(host)s],reuseaddr,fork'
Because IPMI SoL does not support multiple connections, the use of the config value 'fork' here is redundant and causes the issue. My idea is to remove that config value from the command. Please recheck the solution and upload your fix to gerrit if you are happy with it. Thanks.