Bug 1659324
Summary: | While executing insights remediation playbooks via satellite it does not honour HTTP Proxy configured | |||
---|---|---|---|---|
Product: | Red Hat Satellite | Reporter: | Ashish Humbe <ahumbe> | |
Component: | Ansible - Configuration Management | Assignee: | satellite6-bugs <satellite6-bugs> | |
Status: | CLOSED ERRATA | QA Contact: | Lukas Pramuk <lpramuk> | |
Severity: | medium | Docs Contact: | ||
Priority: | high | |||
Version: | 6.4.0 | CC: | ahumbe, bkearney, egolov, hyu, mayadav, mhulan, omankame, patalber, qguo, sellis, sgraessl | |
Target Milestone: | 6.5.0 | Keywords: | Triaged | |
Target Release: | Unused | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | tfm-rubygem-foreman_ansible-2.2.12 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1712375 (view as bug list) | Environment: | ||
Last Closed: | 2019-05-14 12:39:36 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: |
Description
Ashish Humbe
2018-12-14 05:11:27 UTC
Ashish, can you elaborate how the proxy is configured for Satillite? Is the "http_proxy" setting under "General" properly configured with the BlueCoat proxy? (In reply to Sebastian Gräßl from comment #4) > Ashish, can you elaborate how the proxy is configured for Satillite? > Is the "http_proxy" setting under "General" properly configured with the > BlueCoat proxy? Hi Sebastian, Proxy was configured on the satellite server using: # satellite-installer --scenario satellite --katello-proxy-url http://XX.XX.XX.XX --katello-proxy-port 3128 --katello-proxy-username 'username' --katello-proxy-password 'password' We confirmed proxy details in : /etc/pulp/server/plugins.conf.d/yum_importer.json We have not confirmed the proxy details in satellite WebUI Settings -> "General" -> http_proxy One strange thing we had noticed was that : at the customer end, I can see log entries with "Proxying request to cert-api.access.redhat.com via " but on local satellite with proxy configured, we do not see such logs. Any thoughts on this? Hej Ashish, the above command does only configure proxy for components used by katello, but not for requests of the foreman application itself. To configure the a HTTP proxy for all requests either append "--http-proxy"-flag and ensure that the correct value is set under Settings -> General in the WebUI. (In reply to Sebastian Gräßl from comment #6) > Hej Ashish, > > the above command does only configure proxy for components used by katello, > but not for requests of the foreman application itself. > To configure the a HTTP proxy for all requests either append > "--http-proxy"-flag and ensure that the correct value is set under Settings > -> General in the WebUI. Okay, sure. We will ask the customer to try it. For the authenticated proxy servers do we need to set the URL as: http://user:password@proxyserver:proxyport ? or need to use any different syntax? Hi Ashish, did you hear back from customer about using generic http proxy setting? I think the format you suggested would work. So my understanding is, there are two settings that need to be set, cdn_proxy and generic http_proxy. If that's the case and it works, what's left for resolving the issue? Thank you. Hi Marek, We do not have confirmation from the customer yet because the proxy username they are using also include " @ " in it, so still working with the customer to get simple username/password or get an unauthenticated connection for testing purpose. It seems that when the username also has @ in it, the satellite might not be able to read the proxy URL correctly. Thanks! VERIFIED. @satellite-6.5.0-11.el7sat.noarch tfm-rubygem-foreman_ansible-2.2.14-2.el7sat.noarch by the following manual reproducer: 1) Have a host registered to Satellite and set up for remote execution @HOST: # curl -k https://$SAT:9090/ssh/pubkey >> /root/.ssh/authorized_keys 2) Assign "RedHatInsights.insights-client" ansible role to the host and click "Run Ansible roles" for the host 3) Setup Satellite so that Katello plugin uses HTTP proxy # satellite-installer --katello-proxy-url http://proxy.example.com --katello-proxy-port 3128 4) Pretend the host suffers from security vulnerability where its remediation rule has ansible support @HOST: # sed -i 's/while read -r opt/while read opt/' /etc/NetworkManager/dispatcher.d/11-dhclient 5) Create new remediation plan for specific system (the host) with the rule "NetworkManager DHCP script vulnerable to remote code execution (CVE-2018-1111)" 6) Start watching active connections being made to the http proxy # watch "netstat -pnt | grep :3128" 7) Click "Run Playbook" and check new connections being created to the http proxy >>> remediation playbook is fetched thru (katello) http proxy Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:1222 |