st2client : Pack Install is hanging with HTTPS

[harishgopalan]

Hello Stackstorm team,

We're noticing an issue with "st2 pack install file://$PWD" command with HTTPS endpoints.

For eg: if we set the below environment variables and try to install a pack , it works without any issues.

export ST2_API_URL=http://127.0.0.1:9101
export ST2_STREAM_URL=http://127.0.0.1:9102
export ST2_AUTH_URL=http://127.0.0.1:9100
export ST2_BASE_URL=http://127.0.0.1

But when we try to install a pack with the below environment variables wherein we route every request via Nginx reverse proxy/load balancer, the st2client fails to show the progress.

export ST2_BASE_URL=https://127.0.0.1
export ST2_AUTH_URL=https://127.0.0.1/auth
export ST2_API_URL=https://127.0.0.1/api
export ST2_STREAM_URL=https://127.0.0.1/stream
export ST2_CACERT=/etc/ssl/st2/st2.crt

Basically the pack install will show the progress like but the client won't exit and it would simply hang forever. But the pack install action chain would have really executed and completed without any issues.

Appreciate if any pointers to resolved this issue.

Regards
Harish

[arm4b]

Try to run the CLI command with --debug flag on, see the API calls made, try to replicate the HTTP request via curl first.
How about other CLI commands, did they work with this ST2_CACERT?

[Kami]

Does the same issue happen if you don't use SSL / TLS on the load balancer?

It appears it's something related to the streaming API endpoint from which client consumes the events.

It could be related to some load balancer keep alive or similar mechanism, but I think client should still handle that and we can't rely on server (aka stream API endpoint) closing the connection since that API endpoint is long running.

In any case, as @armab pointed out, gistting the whole output of the command when you include --debug flag would help.

[harishgopalan]

Hi Kami,

No it doesn't happen with HTTP , it only hangs with HTTPS (Nginx : 443).

Below is the debug output. I suspect something to do with st2client streaming connection with st2stream where it is not properly getting closed.

Regards
Harish

[st2dev@st2-dev-1 ~ ]$ st2 --debug pack remove -d pack_install -t 1f3964cf767f4643a330269d5633dedc

-------- begin 140659860837776 request ----------

curl -X GET -H 'Connection: keep-alive' -H 'Accept-Encoding: gzip, deflate' -H 'Accept: /' -H 'User-Agent: python-requests/2.22.0' -H 'X-Auth-Token: 1f3964cf767f4643a330269d5633dedc' https://st2-dev-1/api/packs

-------- begin 140659860837776 response ----------

[
{
"files": [
"pack.yaml",
"README.md",
"CHANGES.md",
"icon.png",
"actions/match_and_execute.py",
"actions/format_execution_result.py",
"actions/match.yaml",
"actions/post_message.yaml",
"actions/post_result.yaml",
"actions/match.py",
"actions/run.yaml",
"actions/format_execution_result.yaml",
"actions/match_and_execute.yaml",
"actions/templates/default.j2",
"actions/workflows/post_result.yaml",
"actions/workflows/run.yaml",
"rules/notify_hubot.yaml",
"tests/test_format_result.py",
"tests/init.py",
"tests/fixtures/remote_cmd_execution.json",
"tests/fixtures/local_cmd_execution.json",
"tests/fixtures/python_action_execution.json",
"tests/fixtures/http_execution.json"
],
"uid": "pack:chatops",
"name": "chatops",
"contributors": [
"Anthony Shaw [email protected]",
"Carlos [email protected]"
],
"author": "StackStorm, Inc.",
"system": {},
"email": "[email protected]",
"version": "3.1.0",
"python_versions": [
"2",
"3"
],
"dependencies": [],
"keywords": [],
"path": "/opt/stackstorm/packs/chatops",
"ref": "chatops",
"id": "5e504a0a5577023884d3e88b",
"description": "ChatOps integration pack"
},
{
"files": [
"requirements-tests.txt",
"pack.yaml",
"README.md",
"CHANGES.md",
"icon.png",
"actions/http.yaml",
"actions/generate_uuid.py",
"actions/inject_trigger.yaml",
"actions/noop.yaml",
"actions/announcement.yaml",
"actions/remote_sudo.yaml",
"actions/local_sudo.yaml",
"actions/pause.yaml",
"actions/echo.yaml",
"actions/pause.py",
"actions/sendmail.yaml",
"actions/winrm_ps_cmd.yaml",
"actions/local.yaml",
"actions/ask.yaml",
"actions/uuid.yaml",
"actions/README.md",
"actions/winrm_cmd.yaml",
"actions/inject_trigger.py",
"actions/remote.yaml",
"actions/send_mail/send_mail",
"sensors/README.md",
"tests/test_action_inject_trigger.py",
"tests/test_action_sendmail.py",
"tests/test_action_uuid.py"
],
"uid": "pack:core",
"name": "core",
"contributors": [],
"author": "StackStorm, Inc.",
"system": {},
"email": "[email protected]",
"version": "3.1.0",
"python_versions": [
"2",
"3"
],
"dependencies": [],
"keywords": [],
"path": "/opt/stackstorm/packs/core",
"ref": "core",
"id": "5e504a0a5577023884d3e888",
"description": "Basic core actions."
},
{
"files": [
"pack.yaml",
"icon.png",
"actions/README.md",
"actions/workflows/README.md",
"sensors/README.md",
"rules/README.md"
],
"uid": "pack:default",
"name": "default",
"contributors": [],
"author": "StackStorm, Inc.",
"system": {},
"email": "[email protected]",
"version": "3.1.0",
"python_versions": [],
"dependencies": [],
"keywords": [],
"path": "/opt/stackstorm/packs/default",
"ref": "default",
"id": "5e504a0a5577023884d3e887",
"description": "Default pack where all resources created using the API with no pack specified get saved."
},
{
"files": [
"pack.yaml",
"README.md",
"requirements.txt",
"icon.png",
"actions/rm.yaml",
"actions/check_processes.yaml",
"actions/file_touch.yaml",
"actions/mv.yaml",
"actions/netstat.yaml",
"actions/dig.py",
"actions/wait_for_ssh.yaml",
"actions/traceroute.yaml",
"actions/cp.yaml",
"actions/lsof.yaml",
"actions/wait_for_ssh.py",
"actions/lsof_pids.yaml",
"actions/check_loadavg.yaml",
"actions/service.yaml",
"actions/scp.yaml",
"actions/rsync.yaml",
"actions/traceroute.sh",
"actions/vmstat.yaml",
"actions/dig.yaml",
"actions/netstat_grep.yaml",
"actions/pkill.yaml",
"actions/service.py",
"actions/diag_loadavg.yaml",
"actions/checks/check_loadavg.py",
"actions/checks/check_processes.py",
"actions/workflows/diag_loadavg.yaml",
"actions/lib/init.py",
"sensors/file_watch_sensor.py",
"sensors/file_watch_sensor.yaml",
"sensors/README.md"
],
"uid": "pack:linux",
"name": "linux",
"contributors": [],
"author": "StackStorm, Inc.",
"system": {},
"email": "[email protected]",
"version": "3.1.0",
"python_versions": [
"2",
"3"
],
"dependencies": [],
"keywords": [
"linux",
"nmap",
"lsof",
"traceroute",
"loadavg",
"cp",
"scp",
"dig",
"netstat",
"rsync",
"vmstat",
"open ports",
"processes",
"ps"
],
"path": "/opt/stackstorm/packs/linux",
"ref": "linux",
"id": "5e504a0a5577023884d3e88c",
"description": "Generic Linux actions"
},
{
"files": [
"config.schema.yaml",
"pack.yaml",
"icon.png",
"actions/setup_virtualenv.yaml",
"actions/delete.yaml",
"actions/install.meta.yaml",
"actions/show.yaml",
"actions/search.yaml",
"actions/restart_component.yaml",
"actions/update_virtualenv.yaml",
"actions/virtualenv_prerun.yaml",
"actions/get_config.yaml",
"actions/unload.yaml",
"actions/uninstall.meta.yaml",
"actions/load.yaml",
"actions/get.yaml",
"actions/get_config.py",
"actions/download.yaml",
"actions/pack_mgmt/register.py",
"actions/pack_mgmt/delete.py",
"actions/pack_mgmt/get_installed.py",
"actions/pack_mgmt/show_remote.py",
"actions/pack_mgmt/search.py",
"actions/pack_mgmt/virtualenv_setup_prerun.py",
"actions/pack_mgmt/unload.py",
"actions/pack_mgmt/init.py",
"actions/pack_mgmt/setup_virtualenv.py",
"actions/pack_mgmt/download.py",
"actions/workflows/install.yaml",
"actions/workflows/uninstall.yaml",
"tests/test_action_unload.py",
"tests/test_action_download.py",
"tests/test_action_aliases.py",
"tests/fixtures/stackstorm-test3/pack.yaml",
"tests/fixtures/stackstorm-test/pack.yaml",
"tests/fixtures/stackstorm-test2/pack.yaml",
"tests/fixtures/stackstorm-test4/pack.yaml",
"aliases/pack_search.yaml",
"aliases/pack_get.yaml",
"aliases/pack_install.yaml",
"aliases/pack_show.yaml"
],
"uid": "pack:packs",
"name": "packs",
"contributors": [],
"author": "StackStorm, Inc.",
"system": {},
"email": "[email protected]",
"version": "3.1.0",
"python_versions": [
"2",
"3"
],
"dependencies": [],
"keywords": [],
"path": "/opt/stackstorm/packs/packs",
"ref": "packs",
"id": "5e504a0a5577023884d3e889",
"description": "Pack management functionality."
}
]

-------- end 140659860837776 response ------------

-------- begin 140659860837776 request ----------

curl -X POST -H 'Connection: keep-alive' -H 'Accept-Encoding: gzip, deflate' -H 'Accept: /' -H 'User-Agent: python-requests/2.22.0' -H 'content-type: application/json' -H 'X-Auth-Token: 1f3964cf767f4643a330269d5633dedc' -H 'Content-Length: 27' --data-binary '{"packs": ["pack_install"]}' https://st2-dev-1/api/packs/uninstall

-------- begin 140659860837776 response ----------

{
"execution_id": "5e56d08b13e950536c774ac5"
}

-------- end 140659860837776 response ------------

No handlers could be found for logger "sseclient"

    [ succeeded ] unregister packs
    [ succeeded ] delete packs^C

Traceback (most recent call last):
File "/usr/bin/st2", line 10, in
sys.exit(main())
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2client/shell.py", line 490, in main
return Shell().run(argv)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2client/shell.py", line 410, in run
func(args)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2client/commands/resource.py", line 47, in decorate
return func(*args, **kwargs)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2client/commands/pack.py", line 300, in run_and_print
super(PackRemoveCommand, self).run_and_print(args, **kwargs)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2client/commands/resource.py", line 47, in decorate
return func(*args, **kwargs)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2client/commands/pack.py", line 120, in run_and_print
for event in stream_mgr.listen(events, **kwargs):
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2client/models/core.py", line 639, in listen
for message in client.events():
File "/opt/stackstorm/st2/lib/python2.7/site-packages/sseclient/init.py", line 58, in events
for chunk in self._read():
File "/opt/stackstorm/st2/lib/python2.7/site-packages/sseclient/init.py", line 48, in _read
for chunk in self._event_source:
File "/opt/stackstorm/st2/lib/python2.7/site-packages/requests/models.py", line 750, in generate
for chunk in self.raw.stream(chunk_size, decode_content=True):
File "/opt/stackstorm/st2/lib/python2.7/site-packages/urllib3/response.py", line 531, in stream
data = self.read(amt=amt, decode_content=decode_content)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/urllib3/response.py", line 479, in read
data = self._fp.read(amt)
File "/usr/lib64/python2.7/httplib.py", line 611, in read
s = self.fp.read(amt)
File "/usr/lib64/python2.7/socket.py", line 380, in read
data = self._sock.recv(left)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 279, in recv
data = self.connection.recv(*args, **kwargs)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1790, in recv
result = _lib.SSL_read(self._ssl, buf, bufsiz)
KeyboardInterrupt

[kedare]

Same issue here,
I only have a nginx in front (on the same server, afaik the config was on the setup instruction)

[punkrokk]

I also just saw this just now. Here's my --debug output:

Installation may take a while for packs with many items.
# -------- begin 139967075538448 request ----------
curl -X POST -H  'Connection: keep-alive' -H  'Accept-Encoding: gzip, deflate' -H  'Accept: */*' -H  'User-Agent: python-requests/2.22.0' -H  'content-type: application/json' -H  'X-Auth-Token: ********' -H  'Content-Length: 54' --data-binary '{"force": false, "python3": false, "packs": ["email"]}' http://127.0.0.1:9101/v1/packs/install
# -------- begin 139967075538448 response ----------
{
    "execution_id": "5e73b22b12eab625c0e4d465"
}
# -------- end 139967075538448 response ------------

No handlers could be found for logger "sseclient"

	[ succeeded ] download pack
	[ succeeded ] make a prerun
	[  failed   ] install pack dependencies

[guzzijones]

I also have this issue. It also affect st2 execution tail.
It doesn't happen if i don't use the nginx endpoint.
Also interesting is if I run another action the stalled one finishes outputting from stream.

[punkrokk]

Has this cleared up for everyone? I wonder if the internet had a hiccups, for example, unable to check Cert Revocations...

[guzzijones]

No this is still an issue. It has to do with ssl and how nginx handles it.

…

On Wed, Apr 22, 2020, 00:41 JP Bourget ***@***.***> wrote: Has this cleared up for everyone? I wonder if the internet had a hiccups, for example, unable to check Cert Revocations... — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#4842 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACZ5TIKXJJIJ7DRUHB2R4ELRNZYN7ANCNFSM4KGQL75A> .

[guzzijones]

So it looks like SSL does not respect the proxy_buffering = off
stackoverflow post sse and nginx

The solution appears to be for us to set this header in the request which should be respected by nginx:
tldr:

Apparently (see the comments) adding response.addHeader("X-Accel-Buffering", "no"); (i.e. to the server-side process, not to the proxy config) fixes the problem. This makes sense, as that was added specifically for SSE and similar HTTP streaming, see the nginx documentation. It does imply the above Nginx configuration should also work (the OP has reported that it does not). But, on the other hand, using a header to disable buffering on a per-connection basis feels like a better solution anyway.

[guzzijones]

correction i need to add the header "X-Accel-Buffering", "no"
st2stream.controllers.v1.executions ; line 137

[stale]

Thanks for contributing to this issue. As it has been 90 days since the last activity, we are automatically marking is as stale. If this issue is not relevant or applicable anymore (problem has been fixed in a new version or similar), please close the issue or let us know so we can close it. On the contrary, if the issue is still relevant, there is nothing you need to do, but if you have any additional details or context which would help us when working on this issue, please include it as a comment to this issue.

[kingsleyadam]

Also running into this exact same issue. I have two different setups.

Stackstorm - nginx SSL termination - Hangs on the finish
Stackstorm - AWS elb ssl termination - Does NOT hang on the finish.

Not sure what I can do to help, I've tried what I can from the cli and my nginx configuration. But nothing seems to work. Walking through (debugging) the st2client it seems to continue to loop on socket.py --> readinto()

Traceback (most recent call last):
  File "/Users/akingsle/glint/st2/st2client/st2client/shell.py", line 474, in <module>
    sys.exit(main(sys.argv[1:]))
  File "/Users/akingsle/glint/st2/st2client/st2client/shell.py", line 470, in main
    return Shell().run(argv)
  File "/Users/akingsle/glint/st2/st2client/st2client/shell.py", line 408, in run
    func(args)
  File "/Users/akingsle/glint/venv/st2/lib/python3.7/site-packages/st2client/commands/resource.py", line 48, in decorate
    return func(*args, **kwargs)
  File "/Users/akingsle/glint/venv/st2/lib/python3.7/site-packages/st2client/commands/action.py", line 1460, in run_and_print
    **kwargs)
  File "/Users/akingsle/glint/venv/st2/lib/python3.7/site-packages/st2client/commands/action.py", line 1508, in tail_execution
    for event in stream_manager.listen(events, **kwargs):
  File "/Users/akingsle/glint/venv/st2/lib/python3.7/site-packages/st2client/models/core.py", line 654, in listen
    for message in client.events():
  File "/Users/akingsle/glint/venv/st2/lib/python3.7/site-packages/sseclient/__init__.py", line 58, in events
    for chunk in self._read():
  File "/Users/akingsle/glint/venv/st2/lib/python3.7/site-packages/sseclient/__init__.py", line 48, in _read
    for chunk in self._event_source:
  File "/Users/akingsle/glint/venv/st2/lib/python3.7/site-packages/requests/models.py", line 751, in generate
    for chunk in self.raw.stream(chunk_size, decode_content=True):
  File "/Users/akingsle/glint/venv/st2/lib/python3.7/site-packages/urllib3/response.py", line 575, in stream
    data = self.read(amt=amt, decode_content=decode_content)
  File "/Users/akingsle/glint/venv/st2/lib/python3.7/site-packages/urllib3/response.py", line 518, in read
    data = self._fp.read(amt) if not fp_closed else b""
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py", line 457, in read
    n = self.readinto(b)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py", line 501, in readinto
    n = self.fp.readinto(b)
KeyboardInterrupt

Process finished with exit code 1

Originating from

Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.7/bin/st2", line 8, in <module>
    sys.exit(main())
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/st2client/shell.py", line 470, in main
    return Shell().run(argv)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/st2client/shell.py", line 408, in run
    func(args)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/st2client/commands/resource.py", line 48, in decorate
    return func(*args, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/st2client/commands/action.py", line 1460, in run_and_print
    **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/st2client/commands/action.py", line 1508, in tail_execution
    for event in stream_manager.listen(events, **kwargs):
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/st2client/models/core.py", line 654, in listen
    for message in client.events():
  File "/Users/akingsle/Library/Python/3.7/lib/python/site-packages/sseclient/__init__.py", line 58, in events
    for chunk in self._read():
  File "/Users/akingsle/Library/Python/3.7/lib/python/site-packages/sseclient/__init__.py", line 48, in _read
    for chunk in self._event_source:
  File "/Users/akingsle/Library/Python/3.7/lib/python/site-packages/requests/models.py", line 751, in generate
    for chunk in self.raw.stream(chunk_size, decode_content=True):
  File "/Users/akingsle/Library/Python/3.7/lib/python/site-packages/urllib3/response.py", line 575, in stream
    data = self.read(amt=amt, decode_content=decode_content)
  File "/Users/akingsle/Library/Python/3.7/lib/python/site-packages/urllib3/response.py", line 518, in read
    data = self._fp.read(amt) if not fp_closed else b""
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py", line 457, in read
    n = self.readinto(b)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py", line 501, in readinto
    n = self.fp.readinto(b)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/socket.py", line 589, in readinto
    return self._sock.recv_into(b)
  File "/Users/akingsle/Library/Python/3.7/lib/python/site-packages/urllib3/contrib/pyopenssl.py", line 313, in recv_into
    return self.connection.recv_into(*args, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/OpenSSL/SSL.py", line 1839, in recv_into
    result = _lib.SSL_read(self._ssl, buf, nbytes)

[guzzijones]

I submitted #5042 but i still see the hang. I will leave it WIP.

[guzzijones]

I found the magic setting.
add the following to your st2.conf nginx under the stream location

    proxy_read_timeout     10;
    proxy_connect_timeout  90;

This way after 10 seconds of inactivity the connection will be flushed by nginx.

[kingsleyadam]

I found the magic setting.
add the following to your st2.conf nginx under the stream location

    proxy_read_timeout     10;
    proxy_connect_timeout  90;

This way after 10 seconds of inactivity the connection will be flushed by nginx.

This doesn't actually work. I have some actions that run longer than 10 seconds without streaming any output. Within 10 seconds my terminal returns, but my execution is actually still running on the server.

[guzzijones]

setting the proxy_read_timeout causes some client side issues. I just experienced the same issue.

[guzzijones]

Here is some more info:
https://stackoverflow.com/questions/26813594/flush-nginxs-ssl-buffer-during-long-polling

[guzzijones]

The only solution we are left with is to just pad the response with extra bytes so it flushes.

[guzzijones]

Here they did set the read timeout to a larger number: http://docs.cuepublishing.com/ece-install-guide/7.2/sse_proxy_configuration__https.html

[guzzijones]

for now i set the following. It at least will drop the connection after the timeout period.

   proxy_read_timeout     90;

[guzzijones]

I spent some more time on this. The timeout won't help here. every 30 seconds a pack is sent back anyway. The issue is in this part of the code.

st2/st2common/st2common/stream/listener.py

Line 81 in cb3c9be

def generator(self, events=None, action_refs=None, execution_ids=None):

self._stopped is never equal to True but that isn't the problem since this appears to be a singleton class anyway.
Only one instance will ever exist.

the generator function doesn't specify what the final message is so it can stop generating events to send back to the client.
Thus if it times out it just sends back a "\n"

st2/st2common/st2common/stream/listener.py

Line 93 in cb3c9be

yield message

Gunicorn must drop the connection for stackstorm thus why it works via http pointed at the stream port.

I think I need to find the event that is fired when a workflow is completed or failed and trigger a break out of the while loop.

[guzzijones]

I did a hack where i wait for the message body to be "Successfully installed pack" and exit the loop. That worked. But we need a solid solution.

[guzzijones]

the call also is not filtering based on execution_id so presumably you just get every pack installation if 2 are run at the same time

GET /v1/stream?x-auth-token=&events=st2.execution__create%2Cst2.execution__update%2Cst2.execution__update

[kingsleyadam]

I also found out that if you have a hung tail in one terminal window, and you kick-off another execution in stackstorm, then the hung tail event closes successfully.

[guzzijones]

Updated PR #5042 with a potential fix.
I tested locally against my personal nginx and it closed the connection after the last event was sent back.

[guzzijones]

I also found out that if you have a hung tail in one terminal window, and you kick-off another execution in stackstorm, then the hung tail event closes successfully.

ah. ok so the tail command has the same issue.