Bug 1414749

Summary: Add docker-registry.default.svc.cluster.local to NO_PROXY
Product: OpenShift Container Platform
Reporter: Marko Myllynen <myllynen>
Component: Installer
Assignee: Scott Dodson <sdodson>
Status: CLOSED ERRATA
QA Contact: Johnny Liu <jialiu>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 3.4.0
CC: aos-bugs, jokerman, mmccomas, myllynen
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Image streams now reference the DNS hostname of 'docker-registry.default.svc:5000', which allows the installer to ensure that the hostname is appended to NO_PROXY environment variables so that image pushes work properly in an environment that requires a proxy.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-10 05:17:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Marko Myllynen 2017-01-19 11:15:06 UTC
Description of problem:
With something like

openshift_http_proxy=http://10.10.10.10:8080
openshift_https_proxy=http://10.10.10.10:8080
openshift_no_proxy=10.1.0.0/16,172.30.0.0/16,test.example.com
openshift_generate_no_proxy_hosts=True

we see that the above list of CIDRs/FQDNs + node names + .cluster.local are configured in /etc/sysconfig/docker. However, since Docker NO_PROXY does not support CIDRs, docker-registry.default.svc.cluster.local should be added as well.

Perhaps .cluster.local and docker-registry.default.svc.cluster.local should be added even if openshift_generate_no_proxy_hosts=True is not set.

Comment 1 Scott Dodson 2017-01-19 22:14:39 UTC
(In reply to Marko Myllynen from comment #0)
> Description of problem:
> With something like
> 
> openshift_http_proxy=http://10.10.10.10:8080
> openshift_https_proxy=http://10.10.10.10:8080
> openshift_no_proxy=10.1.0.0/16,172.30.0.0/16,test.example.com
> openshift_generate_no_proxy_hosts=True
> 
> we see that the above list of CIDRs/FQDNs + node names + .cluster.local are
> configured in /etc/sysconfig/docker. However, since Docker NO_PROXY does not
> support CIDRs docker-registry.default.svc.cluster.local should be added as
> well.

Docker should match 'docker-registry.default.svc.cluster.local' to '.cluster.local'. Are you seeing that having '.cluster.local' isn't working as expected and preventing proxy use for the entire domain?
 
> Perhaps .cluster.local and docker-registry.default.svc.cluster.local should
> be added even if openshift_generate_no_proxy_hosts=True is not set.

I'm fine with adding .cluster.local no matter what.

Proposed fix https://github.com/openshift/openshift-ansible/pull/3131

Comment 2 Marko Myllynen 2017-01-24 14:42:15 UTC
(In reply to Scott Dodson from comment #1)
> (In reply to Marko Myllynen from comment #0)
> > Description of problem:
> > With something like
> > 
> > openshift_http_proxy=http://10.10.10.10:8080
> > openshift_https_proxy=http://10.10.10.10:8080
> > openshift_no_proxy=10.1.0.0/16,172.30.0.0/16,test.example.com
> > openshift_generate_no_proxy_hosts=True
> > 
> > we see that the above list of CIDRs/FQDNs + node names + .cluster.local are
> > configured in /etc/sysconfig/docker. However, since Docker NO_PROXY does not
> > support CIDRs docker-registry.default.svc.cluster.local should be added as
> > well.
> 
> Docker should match 'docker-registry.default.svc.cluster.local' to
> '.cluster.local'. Are you seeing that having '.cluster.local' isn't working
> as expected and preventing proxy use for the entire domain?

You're right, adding docker-registry.default.svc.cluster.local would indeed be redundant. I've tested this again, and .example.com does match test.example.com etc.

Thanks.

Comment 3 Scott Dodson 2017-06-09 03:38:06 UTC
Looking at this again, this appears to already be the case based on https://github.com/openshift/openshift-ansible/pull/2753

Can you confirm if that's true or not? That change should exist in all versions of openshift-ansible-3.4.18-1 and newer.

Comment 4 Marko Myllynen 2017-06-19 07:52:33 UTC
(In reply to Scott Dodson from comment #3)
> Looking at this again this appears to already be the case based on
> https://github.com/openshift/openshift-ansible/pull/2753
> 
> Can you confirm if that's true or not? That change should exist in all
> versions of openshift-ansible-3.4.18-1 and newer.

Thanks, verified with openshift-ansible-playbooks-3.5.78-1.git.0.f7be576.el7.noarch, .cluster.local is added as described.

While testing this, I found two related issues which can be discussed elsewhere:

https://bugzilla.redhat.com/show_bug.cgi?id=1462651 - cosmetic
https://bugzilla.redhat.com/show_bug.cgi?id=1462652 - serious

Thanks,

Comment 5 Scott Dodson 2017-06-28 17:40:48 UTC
.svc and .cluster.local are now added to the no_proxy list which effectively ensures that docker-registry.default.svc as configured in 3.6 and docker-registry.default.svc.cluster.local should not be proxied. 

Moving this ON_QA

Comment 7 Johnny Liu 2017-06-29 02:45:44 UTC
Verified this bug with openshift-ansible-3.6.123.1002-1.git.0.506cfa7.el7.noarch, and PASS.


# docker info
<--snip-->
Http Proxy: http://file.rdu.redhat.com:3128
Https Proxy: http://file.rdu.redhat.com:3128
No Proxy: .cluster.local,.svc,169.254.169.254,openshift-102.lab.sjc.redhat.com,openshift-106.lab.sjc.redhat.com,openshift-136.lab.sjc.redhat.com,openshift-137.lab.sjc.redhat.com,openshift-139.lab.sjc.redhat.com,openshift-141.lab.sjc.redhat.com,openshift-154.lab.sjc.redhat.com
<--snip-->

# cat /etc/sysconfig/atomic-openshift-master-api
OPTIONS=--loglevel=5 --listen=https://0.0.0.0:443 --master=https://openshift-154.lab.sjc.redhat.com
CONFIG_FILE=/etc/origin/master/master-config.yaml
OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000
IMAGE_VERSION=v3.6.126


# Proxy configuration
# See https://docs.openshift.com/enterprise/latest/install_config/install/advanced_install.html#configuring-global-proxy
HTTP_PROXY=http://file.rdu.redhat.com:3128
HTTPS_PROXY=http://file.rdu.redhat.com:3128
NO_PROXY=.cluster.local,.svc,169.254.169.254,openshift-102.lab.sjc.redhat.com,openshift-106.lab.sjc.redhat.com,openshift-136.lab.sjc.redhat.com,openshift-137.lab.sjc.redhat.com,openshift-139.lab.sjc.redhat.com,openshift-141.lab.sjc.redhat.com,openshift-154.lab.sjc.redhat.com,172.31.0.0/16,10.2.0.0/16


# cat /etc/sysconfig/atomic-openshift-master-controllers
OPTIONS=--loglevel=5 --listen=https://0.0.0.0:8444
CONFIG_FILE=/etc/origin/master/master-config.yaml
OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000
IMAGE_VERSION=v3.6.126


# Proxy configuration
# See https://docs.openshift.com/enterprise/latest/install_config/install/advanced_install.html#configuring-global-proxy
HTTP_PROXY=http://file.rdu.redhat.com:3128
HTTPS_PROXY=http://file.rdu.redhat.com:3128
NO_PROXY=.cluster.local,.svc,169.254.169.254,openshift-102.lab.sjc.redhat.com,openshift-106.lab.sjc.redhat.com,openshift-136.lab.sjc.redhat.com,openshift-137.lab.sjc.redhat.com,openshift-139.lab.sjc.redhat.com,openshift-141.lab.sjc.redhat.com,openshift-154.lab.sjc.redhat.com,172.31.0.0/16,10.2.0.0/16
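
The suffix matching discussed in comments 1, 2 and 5, as an added example that is not part of the bug thread or of openshift-ansible: a small Python audit that reports which NO_PROXY entry, if any, exempts a registry address from the proxy. The matching rule (exact host or leading-dot suffix, CIDR entries never matching) is an assumed simplification of the behaviour described above, and the sample file and node1.example.com are constructed.

```python
import ipaddress

# Constructed sample in the shape of the sysconfig output in comment 7
# (proxy.example.com and node1.example.com are hypothetical names).
SAMPLE_SYSCONFIG = """\
HTTP_PROXY=http://proxy.example.com:3128
HTTPS_PROXY=http://proxy.example.com:3128
NO_PROXY=.cluster.local,.svc,169.254.169.254,node1.example.com,172.31.0.0/16,10.2.0.0/16
"""

def parse_no_proxy(text):
    """Return the NO_PROXY entries from sysconfig-style KEY=VALUE text."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.upper() == "NO_PROXY":
            return [e.strip() for e in value.strip("'\"").split(",") if e.strip()]
    return []

def classify(entry):
    """Label an entry as 'ip', 'cidr', 'suffix' (leading dot) or 'host'."""
    parsers = (("ip", ipaddress.ip_address),
               ("cidr", lambda e: ipaddress.ip_network(e, strict=False)))
    for kind, parse in parsers:
        try:
            parse(entry)
            return kind
        except ValueError:
            pass
    return "suffix" if entry.startswith(".") else "host"

def bypass_entry(target, entries):
    """Return the entry that exempts target (host[:port]) from the proxy, or None.

    Assumed model: exact match or leading-dot suffix match only. CIDR entries
    are skipped, following the reporter's note that Docker ignores them.
    Targets are hostnames or IPv4 addresses, optionally with a port.
    """
    host = target.rsplit(":", 1)[0].lower().rstrip(".")
    for entry in entries:
        kind, e = classify(entry), entry.lower()
        if kind in ("host", "ip") and host == e:
            return entry
        if kind == "suffix" and host.endswith(e):
            return entry
    return None

def audit(text, targets):
    """Map each target to the NO_PROXY entry covering it (None = proxied)."""
    entries = parse_no_proxy(text)
    return {t: bypass_entry(t, entries) for t in targets}
```

Under this model a service IP such as 172.31.5.9:5000 is reported as proxied even though 172.31.0.0/16 is listed, which is why the hostname suffixes matter.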

Comment 9 errata-xmlrpc 2017-08-10 05:17:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716