security: increase keystore setup/import timeout (#3076)

This increases and uses a default 15mins timeout for VR scripts and for KVM agent increases timeout from 60s to 5mins. The timeout can specifically occur when keystore does not get enough entropy from CPU and script gets killed due to timeout. This is a very specific corner case and generally should not happen on baremetal/prod environment, but sometimes seen in nested/test environments. Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com> (cherry picked from commit 89c567add8) Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2018-12-04 01:28:24 +05:30 · 2018-12-04 01:28:24 +05:30 · db6cf82d8c
parent 5aae410dfc
commit db6cf82d8c
2 changed files with 4 additions and 4 deletions
--- a/agent/src/com/cloud/agent/Agent.java
+++ b/agent/src/com/cloud/agent/Agent.java
@ -729,7 +729,7 @@ public class Agent implements HandlerFactory, IAgentControl {
            _shell.setPersistentProperty(null, KeyStoreUtils.KS_PASSPHRASE_PROPERTY, storedPassword);
        }

-        Script script = new Script(_keystoreSetupPath, 60000, s_logger);
+        Script script = new Script(_keystoreSetupPath, 300000, s_logger);
        script.add(agentFile.getAbsolutePath());
        script.add(keyStoreFile);
        script.add(storedPassword);
@ -773,7 +773,7 @@ public class Agent implements HandlerFactory, IAgentControl {
            throw new CloudRuntimeException("Unable to save received agent client and ca certificates", e);
        }

-        Script script = new Script(_keystoreCertImportPath, 60000, s_logger);
+        Script script = new Script(_keystoreCertImportPath, 300000, s_logger);
        script.add(agentFile.getAbsolutePath());
        script.add(keyStoreFile);
        script.add(KeyStoreUtils.AGENT_MODE);
--- a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
+++ b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
@ -161,7 +161,7 @@ public class VirtualRoutingResource {
                cmd.getKeystorePassword(),
                cmd.getValidityDays(),
                KeyStoreUtils.CSR_FILENAME);
-        ExecutionResult result = _vrDeployer.executeInVR(cmd.getRouterAccessIp(), KeyStoreUtils.KS_SETUP_SCRIPT, args);
+        ExecutionResult result = _vrDeployer.executeInVR(cmd.getRouterAccessIp(), KeyStoreUtils.KS_SETUP_SCRIPT, args, Duration.standardMinutes(15));
        return new SetupKeystoreAnswer(result.getDetails());
    }

@ -179,7 +179,7 @@ public class VirtualRoutingResource {
                cmd.getEncodedCaCertificates(),
                KeyStoreUtils.PKEY_FILENAME,
                cmd.getEncodedPrivateKey());
-        ExecutionResult result = _vrDeployer.executeInVR(cmd.getRouterAccessIp(), KeyStoreUtils.KS_IMPORT_SCRIPT, args);
+        ExecutionResult result = _vrDeployer.executeInVR(cmd.getRouterAccessIp(), KeyStoreUtils.KS_IMPORT_SCRIPT, args, Duration.standardMinutes(15));
        return new SetupCertificateAnswer(result.isSuccess());
    }