Skip to content

/ go

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/crypto/ssh: client.NewSession can hang indefinitely #26643

Open
mborsz opened this issue Jul 27, 2018 · 5 comments
Open

x/crypto/ssh: client.NewSession can hang indefinitely #26643

mborsz opened this issue Jul 27, 2018 · 5 comments
Labels
NeedsInvestigation
Milestone
Unreleased

Comments

@mborsz
Copy link

@mborsz mborsz commented Jul 27, 2018

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

1.9.3

Does this issue reproduce with the latest release?

I'm not able to verify this.

What operating system and processor architecture are you using (go env)?

linux, amd64

What did you do?

In kubernetes e2e we are using ssh to fetch logs from kubernetes nodes.
In kubernetes/kubernetes#66609 we see that it quite frequently hangs for ~90 minutes in client.NewSession call (the stacktrace is there).

Relevant code is available here: https://github.com/kubernetes/kubernetes/blob/master/test/e2e/framework/log_size_monitoring.go#L245

What did you expect to see?

Attempt to create NewSession should finish with error if node doesn't respond to ssh connection.

What did you see instead?

Attempt to create NewSession hung for ~90 minutes.

Relevant stacktraces are available in:
@gopherbot gopherbot added this to the Unreleased milestone Jul 27, 2018
@mborsz mborsz mentioned this issue Jul 27, 2018
Closed
ymmt2005 added a commit to cybozu-go/cke that referenced this issue Oct 24, 2018
@ymmt2005
[agent] set deadline for SSH connection
Loading status checks…
274b8c2 
golang.org/x/crypto/ssh has some known issues that block clients
indefinitely when SSH server dies.

Ref: golang/go#26643
     golang/go#21420

To workaround the problem, this commit creates TCP connection
to the server by itself then passes it to ssh.NewClientConn to
control the underlying TCP connection directly.

It adds deadlines against the TCP connection before any SSH
activity.  It also enables TCP keepalive with short period.
@ymmt2005 ymmt2005 mentioned this issue Oct 24, 2018
Merged
@agnivade
Copy link
Contributor

@agnivade agnivade commented Jan 7, 2019

/cc @hanwen
@hanwen
Copy link
Contributor

@hanwen hanwen commented Jan 7, 2019

What is the problem here? Your stack trace suggests it's waiting for the remote end to acknowledge the SSH session. If you want timeouts, you should implement them separately.

Arguably, the SSH package should support contexts to do this neatly, but I think it might be an invasive change, API wise.
@mborsz
Copy link
Author

@mborsz mborsz commented Jan 7, 2019

Thanks for the response!

What is the problem here? Your stack trace suggests it's waiting for the remote end to acknowledge the SSH session. If you want timeouts, you should implement them separately.
The problem is that there is no way (AFAIK) to prevent openChannel from blocking for hours in case the remote end never acks the SSH session.

I would like to see some timeout mechanism there. Could you hint how can I implement timeout there?

Arguably, the SSH package should support contexts to do this neatly, but I think it might be an invasive change, API wise.
@ymmt2005
Copy link

@ymmt2005 ymmt2005 commented Jan 7, 2019
edited

@mborsz
We could avoid the problem by making a raw TCP net.Conn first and wrapping it
with ssh.NewClientConn. You can set any deadline to the raw connection before
calling SSH methods.

https://github.com/cybozu-go/cke/pull/81/files is the fix.
@hanwen
Copy link
Contributor

@hanwen hanwen commented Jan 7, 2019

The SSH state machine doesn't support timeouts on a channel level. The only thing you can do is tear down the entire SSH connection if there is an error.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsInvestigation
Projects
None yet
Milestone
Unreleased
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
@hanwen @ymmt2005 @agnivade @mborsz @gopherbot
You can’t perform that action at this time.