SCAP full report generation time out

tedevil · October 13, 2020, 4:44pm

I noticed when I select the “Full report” action from the SCAP “Compliance Reports” page that if the generation of the full report takes more then 60 seconds it seems to time out since exactly after 60 seconds this page shows up:

# Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /compliance/arf_reports/5937/parse_html .

Reason: Error reading from remote server

Looking on the proxy one core are under 100% load when it tries to generate the report so does not help giving the proxy more cores.

Process is:
ruby /usr/bin/smart-proxy-arf-html /var/lib/foreman-proxy/openscap/reports/arf/12c60597-38ff-42fe-8c5a-0582f959f648/6169/1602465172/06ac38c639fefdab08c6c770f82d35339d4681aa62ce584ebf884ac56269eb0c /var/tmp/bcafa6b5-2419-47c5-8bdb-5533d4cae433-12c60597-38ff-42fe-8c5a-0582f959f648-6169-1602465172-06ac38c639fefdab08c6c770f82d35339d4681aa62ce584ebf884ac56269eb0c-20201013-1317-47luln

I changed the “Smart Proxy request timeout” from 60 to 120 seconds and also changed “# Timeout to send ARF reports to Foreman, in seconds” from 60 to 120 seconds in /etc/foreman-proxy/settings.d/openscap.yml" but did not help, Same error after after exactly 60 seconds. Sometimes I manage to generate a report if it is completed within 60 seconds. Is there a time out setting I have missed?

Ondrej_Prazak · October 19, 2020, 1:07pm

I think you are hitting a known bug. The timeout is not used on this page so changing settings does not have any effects. A workaround is to download the report and view it outside of Foreman.

tedevil · October 19, 2020, 4:44pm

I do feel like it is a timeout, it does not crash. Can it be that the ruby command that generate the report has a timeout set by default to 60 seconds? ruby is unknown to me so not sure if I can prove it somehow.
Would be cool to be able to be able to run the same command using cli but unsure how. the process is owned by foreman-proxy anyway.

Ondrej_Prazak · October 20, 2020, 6:32am

If you fell like this is a different problem, please file a new issue in redmine. Hammer CLI has a configurable timeout and there is a command to download the report html. Still, the request goes through Foreman. You could also try calling the endpoint on smart-proxy responsible for generating HTML report directly - it is located under compliance namespace.