Bug 1315627

Summary: [RFE] pcsd should handle http proxy environment variables better
Product: Red Hat Enterprise Linux 7 Reporter: Tomas Jelinek <tojeline>
Component: pcsAssignee: Ondrej Mular <omular>
Status: CLOSED ERRATA QA Contact: cluster-qe <cluster-qe>
Severity: unspecified Docs Contact:
Priority: high    
Version: 7.2CC: cfeist, cluster-maint, dzmitryj, gethelponline.xyz, hoqhighlight, idevat, jpokorny, mlisik, omular, redhat-bugzilla, robert.scheck, royoung, rsteiger, smirrom, tojeline
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pcs-0.9.157-1.el7 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 18:22:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Jelinek 2016-03-08 09:30:35 UTC 
Ruby standard library takes http_proxy, https_proxy and no_proxy environment variables into account when connecting to HTTP servers. If there is a HTTP proxy set up, it may prevent pcsd to communicate with other cluster nodes. This is a part of pcsd debug log from when it happened:

Sending HTTP Request to: https://lv9027hb:2224/remote/check_auth
Data: None
Response Reason: Tunnel connection failed: 403 Forbidden

What user only gets when running without --debug is this, which is not helpful at all:
[root@lv9026 ~]# pcs cluster auth lv9026hb lv9027hb
Username: hacluster
Password: 
Error: Unable to communicate with lv9027hb
Error: Unable to communicate with lv9026hb

We cannot disable HTTP proxy environment variables in pcsd completely as there are users who use it in their intended manner and then pcsd works fine for them.

Pcs should print a warning if it is not able to connect to remote node and the reason for that might be HTTP proxy (or print a list of possible reasons every time a connection fails). Or it could try to connect without the proxy if there is a proxy configured and the first connection fails.

Fabio's idea:
try to connect via proxy, if it fails, try by unsetting those vars and
provide proper error report/warning in the process.
"attempting to connect to node foo via proxy XYZ .... FAILED"
"attempting to connect to node foo without proxy even if proxy XYZ is
configured"....

We could either not use https_proxy or add nodes to no_proxy.
Comment 4 Tomas Jelinek 2016-10-26 14:16:03 UTC 
From the duplicate bz1388934:

Robert Scheck 2016-10-26 09:46:11 EDT

Description of problem:
pcs(1) honors HTTP(S)_PROXY/http(s)_proxy by accident (I don't think there
is a proper scenario to let pcs speak through a proxy) and thus fails when
running "pcs cluster auth node1 node2". Example:

$ export http_proxy=http://proxy.example.net:8080
$ export HTTP_PROXY=http://proxy.example.net:8080
$ export https_proxy=http://proxy.example.net:8080
$ export HTTPS_PROXY=http://proxy.example.net:8080

$ pcs cluster auth node1.example.net node2.example.net
Username: hacluster
Password: ********
Error: Unable to communicate with node1.example.net
Error: Unable to communicate with node2.example.net
$ 

While debugging this via strace(1), I noticed that pcs(1) connects here
to http://proxy.example.net:8080 and receives a "HTTP/1.0 403 Forbidden"
by the Squid. This again leads to a hardly readable stack trace within
strace output. The stack trace makes me believing that proxy setups for
pcs(1)are not intended - while pcs(1) seems to honor proxy environment
variables by accident. If this is really intended, then there should be
proper error messages - and of course no stack trace on "403 Forbidden"
replies by the proxy server.

Version-Release number of selected component (if applicable):
pcs-0.9.143-15.el7.x86_64

How reproducible:
Always, see above.

Actual results:
pcs(1) honors HTTP(S)_PROXY/http(s)_proxy by accident and thus fails at
"pcs cluster auth node1 node2".

Expected results:
pcs(1) should not honor environment variables related to proxy servers,
or proxy servers should be properly handled, especially "403 Forbidden".

Additional info:
Aside of this, the documentation likely should be updated to document this
behaviour (or did I overlook existing documentation regarding this?).
Comment 5 Tomas Jelinek 2016-10-26 14:16:24 UTC 
*** Bug 1388934 has been marked as a duplicate of this bug. ***
Comment 9 Ondrej Mular 2017-02-03 16:24:49 UTC 
Upstream patch:
https://github.com/ClusterLabs/pcs/commit/3c4d8166ebb4dc43079c2f5aa6b3fd721590

Pcs will show warning about usage of proxy if it was unable to connect to a node.

TEST:
[root@rhel7-node1 ~]# https_proxy=test.proxy pcs cluster auth rhel7-node2 -uhacluster
Password: 
Warning: Proxy is set in environment variables, try disabling it
Error: Unable to communicate with rhel7-node2
Comment 11 Tomas Jelinek 2017-02-23 11:46:34 UTC 
Upstream patch:
https://github.com/ClusterLabs/pcs/commit/f26981e27dc8c4e5e9383c0acc8149525f4ade4f
Comment 12 Ivan Devat 2017-04-10 15:49:37 UTC 
After Fix:

[vm-rhel72-1 ~] $ rpm -q pcs
pcs-0.9.157-1.el7.x86_64

Pcs will show warning about usage of proxy if it was unable to connect to a node.
[vm-rhel72-1 ~] $ https_proxy=test.proxy pcs cluster auth vm-rhel72-3 -uhacluster
Password:
Warning: Proxy is set in environment variables, try disabling it
Error: Unable to communicate with vm-rhel72-3
Comment 18 errata-xmlrpc 2017-08-01 18:22:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1958
Comment 19 Dzmitryj 2018-02-16 15:38:11 UTC 
The  same error still exist in  pcs-0.9.158-6.el7_4.1.x86_64


[root@new-mgs-mds-01 M]# ./configure_cluster.sh
Setting Production Environment...

Creating the HA-cluster...
Authorizing pcs cluster auth -u  -p  new-mgs-mds-01 new-mgs-mds-02
Warning: Proxy is set in environment variables, try disabling it
Error: Unable to communicate with new-mgs-mds-02
Error: Unable to communicate with new-mgs-mds-01

[root@new-mgs-mds-01 M]# ping new-mgs-mds-01
PING new-mgs-mds-01  56(84) bytes of data.
64 bytes from new-mgs-mds-01: icmp_seq=1 ttl=64 time=0.013 ms
64 bytes from new-mgs-mds-01: icmp_seq=2 ttl=64 time=0.008 ms
64 bytes from new-mgs-mds-01: icmp_seq=3 ttl=64 time=0.007 ms
64 bytes from new-mgs-mds-01: icmp_seq=4 ttl=64 time=0.018 ms
^C
--- new-mgs-mds-01 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 0.007/0.011/0.018/0.005 ms
[root@new-mgs-mds-01 M]# ping new-mgs-mds-02
PING new-mgs-mds-02  56(84) bytes of data.
64 bytes from new-mgs-mds-02 : icmp_seq=1 ttl=64 time=0.090 ms
^C
--- new-mgs-mds-02 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.090/0.090/0.090/0.000 ms
[root@new-mgs-mds-01 M]# cc

Can  you please check
Comment 20 Tomas Jelinek 2018-02-19 15:33:14 UTC 
Dzmitryj,

This is expected. It is up to you to configure your proxy / network / environment. Pcs can not and will not do that for you.
Comment 21 Roman Smirnov 2019-10-22 13:44:20 UTC 
(In reply to Dzmitryj from comment #19)
> The  same error still exist in  pcs-0.9.158-6.el7_4.1.x86_64
> 
> 
> [root@new-mgs-mds-01 M]# ./configure_cluster.sh
> Setting Production Environment...
> 
> Creating the HA-cluster...
> Authorizing pcs cluster auth -u  -p  new-mgs-mds-01 new-mgs-mds-02
> Warning: Proxy is set in environment variables, try disabling it
> Error: Unable to communicate with new-mgs-mds-02
> Error: Unable to communicate with new-mgs-mds-01

in version 0.9.167 can set on all nodes env variable NO_PROXY with hosts to ignore proxy. 
Example:
export NO_PROXY="new-mgs-mds-01,new-mgs-mds-02"
Comment 22 hoqbet 2020-04-24 20:52:07 UTC 
https://www.caradaftarsbobetterbaru.com/
Comment 23 Veit Geiger 2021-02-02 13:44:31 UTC 
http://gethelponline.xyz
http://solution-archive.com
http://gammenia.xyz