Bug 1475954

Summary: Proxy configuration does not work in restricted IPV6 only environment
Product: Red Hat CloudForms Management Engine
Reporter: Pavol Kotvan <pakotvan>
Component: Appliance
Assignee: Gregg Tanzillo <gtanzill>
Status: CLOSED CURRENTRELEASE
QA Contact: Pavol Kotvan <pakotvan>
Severity: high
Docs Contact:
Priority: high
Version: 5.8.0
CC: abellott, cpelland, dajohnso, jhardy, jkrocil, lcouzens, ncarboni, obarenbo, pakotvan, saali, simaishi, smallamp
Target Milestone: GA
Keywords: TestOnly, ZStream
Target Release: 5.9.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: proxy
Fixed In Version: 5.9.0.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1496912
Environment:
Last Closed: 2018-03-06 14:50:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: Bug
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1496912    

Comment 3 Bo Yao 2017-08-03 18:14:55 UTC
A minor mistake, though quite clear from context:
The second "Steps to Reproduce - SOCKS5 proxy:" should be "Steps to Reproduce - squid proxy:"

Comment 4 Bo Yao 2017-08-03 21:16:30 UTC
Pavol is right. I can prove his finding with another approach. By comparing the IP address under different proxy settings I can confirm the proxy configuration is correct; it's a bug in cfme:

# in myappliance2 (10.16.4.131 / fc00:beef::1)
[root@myappliance2 ~]# http_proxy="" curl www.google.com
curl: (7) Failed to connect to 2607:f8b0:4004:80a::2004: Network is unreachable
[root@myappliance2 ~]# http_proxy="" curl ipecho.net/plain && echo;
curl: (7) Failed to connect to 146.255.36.1: Network is unreachable
[root@myappliance2 ~]# http_proxy="user:redhat@localhost:3128" curl ipecho.net/plain && echo;
66.187.233.202
[root@myappliance2 ~]# curl --socks5-hostname localhost:8081 ipecho.net/plain && echo;
66.187.233.206
[root@myappliance2 ~]# 

# in jumpbox (10.16.6.102 / fc00:beef::ffff)
[root@10-16-6-102 ~]# curl ipecho.net/plain && echo;
66.187.233.206


From the above we can draw a conclusion: without any proxy, the pure IPv6 myappliance2 cannot reach any network. With the socks5 proxy from jumpbox, it "has" the same IP address as jumpbox: 66.187.233.206.[*] With the squid proxy it "has" another IP address, which should be the one used by the squid server (66.187.233.202). As we can't clone a repo in the cfme UI, the proxy settings are not applied correctly in cfme.


[*]: this is actually the router that jumpbox uses to connect to the internet, but that doesn't affect this conclusion, because without this proxy myappliance2 cannot reach the internet or that router. The same goes for 66.187.233.202.

Comment 6 Bo Yao 2017-08-09 18:15:00 UTC
Hi Pavol,
How did you enable the embedded ansible server roles before? You've done that at fc00:beef::294. I tried to turn it on and then save at fc00:beef::296 with the help of the cfme docs and some people on our team, but I still can't get the EmbeddedAnsible Worker running. Maybe I broke something. Can you help me turn that on and enable me to enter the "Add new repository" page? Thanks. I'll look at the add amazon or other provider part of this bug first.
Regards,
Bo

Comment 8 Bo Yao 2017-08-10 15:34:09 UTC
Hi Pavol,
Thanks for your hint. I reset the hostname and then restarted the evm server. The problem with "bad component(expected host component)" disappeared, but I have a problem starting the EmbeddedAnsibleWorker running on nginx:
[----] E, [2017-08-10T06:07:18.805790 #21319:601560c] ERROR -- : AwesomeSpawn: /bin/systemctl exit code: 1
[----] E, [2017-08-10T06:07:18.805879 #21319:601560c] ERROR -- : AwesomeSpawn: Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.

[----] E, [2017-08-10T06:07:18.806024 #21319:601560c] ERROR -- : [AwesomeSpawn::CommandResultError]: /bin/systemctl exit code: 1  Method:[rescue in do_before_work_loop]
[----] E, [2017-08-10T06:07:18.806123 #21319:601560c] ERROR -- : /opt/rh/cfme-gemset/gems/awesome_spawn-1.4.1/lib/awesome_spawn.rb:105:in `run!'
/opt/rh/cfme-gemset/gems/linux_admin-0.20.2/lib/linux_admin/common.rb:24:in `run!'
/opt/rh/cfme-gemset/gems/linux_admin-0.20.2/lib/linux_admin/service/systemd_service.rb:18:in `start'
/var/www/miq/vmdb/lib/embedded_ansible.rb:53:in `block in start'
/var/www/miq/vmdb/lib/embedded_ansible.rb:53:in `each'
/var/www/miq/vmdb/lib/embedded_ansible.rb:53:in `start'
/var/www/miq/vmdb/app/models/embedded_ansible_worker/runner.rb:36:in `setup_ansible'
/var/www/miq/vmdb/app/models/embedded_ansible_worker/runner.rb:13:in `do_before_work_loop'
/var/www/miq/vmdb/app/models/embedded_ansible_worker/runner.rb:7:in `prepare'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:133:in `start'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:21:in `start_worker'

And systemctl status nginx.service got:
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2017-08-10 06:13:55 EDT; 12s ago

Aug 10 06:13:55 test-proxy systemd[1]: Starting The nginx HTTP and reverse proxy server...
Aug 10 06:13:55 test-proxy nginx[13700]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Aug 10 06:13:55 test-proxy nginx[13700]: nginx: [emerg] open() "/var/log/nginx/access.log" failed (28: No space left on device)
Aug 10 06:13:55 test-proxy nginx[13700]: nginx: configuration file /etc/nginx/nginx.conf test failed
Aug 10 06:13:55 test-proxy systemd[1]: nginx.service: control process exited, code=exited status=1
Aug 10 06:13:55 test-proxy systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Aug 10 06:13:55 test-proxy systemd[1]: Unit nginx.service entered failed state.
Aug 10 06:13:55 test-proxy systemd[1]: nginx.service failed.

And when I tried to locate the code for EmbeddedAnsibleWorker::Runner locally (a daily pull from the manageiq repo), I found this file has changed a lot since 5.8.1.4. Does it make sense to set up a vm running a more recent version of cfme and make my changes there?

Thanks.

Comment 9 Yuri Rudman 2017-08-10 17:42:21 UTC
*** Bug 1478582 has been marked as a duplicate of this bug. ***

Comment 12 Nick Carboni 2017-09-18 18:34:03 UTC
Bo and Pavol,

Can you try out the solution in https://access.redhat.com/solutions/3127941?

If that works we can set up a way to propagate the settings configured for the cfme proxy programmatically.

Additionally, if an ssh bastion host is required (not sure if that's what this bug is about) we may need to set something up similar to what is described here [1], but I'm hoping the config changes in settings.py will do the trick.


[1] http://blog.dualspark.com/ansible/configuration-management/aws/ssh/2014/12/19/ansible-tower-ssh-agent-forwarding.html

Comment 16 CFME Bot 2017-09-25 13:51:31 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/c9ca903e343ab9a0930ba8a87a5e5a44fbc11753

commit c9ca903e343ab9a0930ba8a87a5e5a44fbc11753
Author:     Bo Yao <icerove>
AuthorDate: Fri Sep 22 13:40:33 2017 -0400
Commit:     Bo Yao <icerove>
CommitDate: Fri Sep 22 21:34:11 2017 -0400

    add http proxy support for embedded ansible tower
    https://bugzilla.redhat.com/show_bug.cgi?id=1475954

 lib/embedded_ansible.rb | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)