Bug 2127955

Summary:	When CNAME is used, it is not excluded from the proxy communication by default unlike "localhost" or the "fqdn" of satellite itself.
Product:	Red Hat Satellite	Reporter:	Sayan Das <saydas>
Component:	Networking	Assignee:	satellite6-bugs <satellite6-bugs>
Status:	CLOSED WONTFIX	QA Contact:	Satellite QE Team <sat-qe-bz-list>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	6.11.2	CC:	iballou, peter.vreman, rlavi
Target Milestone:	Unspecified	Keywords:	EasyFix, Triaged, WorkAround
Target Release:	Unused
Hardware:	All
OS:	All
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2024-05-13 10:04:06 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Sayan Das 2022-09-19 13:05:57 UTC

Description of problem:

When CNAME is used, it is not excluded from the proxy communication by default unlike "localhost" or the "fqdn" of the satellite itself. 


Version-Release number of selected component (if applicable):

Satellite 6.11.2

How reproducible:

Always ( but under very specific circumstances )


Steps to Reproduce:

1. Identify an IP that has an A record and a CNAME record e.g.

# nslookup 10.XX.XXX.XX
XX.XXX.XX.10.in-addr.arpa	name = sat611.example.com.
XX.XXX.XX.10.in-addr.arpa	name = mysatellite.example.com.

2. Have a squid proxy configured. ( assuming http://10.XX.XXX.YY:3128 )

3. Install an RHEL 8 VM having that IP and hostname set to sat611.example.com

# hostname -f
sat611.example.com

4. Enable required repos to install Satellite 6.11 and proceed with "yum install satellite".

5. Run the installer with the following options ( where the use of cname can be noticed ).

satellite-installer --scenario=satellite \
--foreman-initial-organization RedHat --foreman-initial-location Pune \
--foreman-initial-admin-username admin --foreman-initial-admin-password RedHat1! \
--certs-cname=mysatellite.example.com \
--foreman-servername=mysatellite.example.com \
--foreman-foreman-url=https://mysatellite.example.com \
--foreman-unattended-url=https://mysatellite.example.com \
--foreman-proxy-foreman-base-url=https://mysatellite.example.com \
--foreman-proxy-template-url=http://mysatellite.example.com:8000 --foreman-plugin-tasks-automatic-cleanup=true \
--enable-foreman-plugin-puppet --enable-foreman-cli-puppet --foreman-proxy-puppet=true --foreman-proxy-puppetca=true \
--foreman-proxy-content-puppet=true --enable-puppet --puppet-server=true \
--puppet-server-foreman-url=https://mysatellite.example.com \
--puppet-server-foreman-ssl-ca /etc/pki/katello/puppet/puppet_client_ca.crt \
--puppet-server-foreman-ssl-cert /etc/pki/katello/puppet/puppet_client.crt \
--puppet-server-foreman-ssl-key /etc/pki/katello/puppet/puppet_client.key \
--puppet-server-certname=mysatellite.example.com \
--foreman-proxy-puppet-ssl-cert=/etc/puppetlabs/puppet/ssl/certs/mysatellite.example.com.pem \
--foreman-proxy-puppet-ssl-key=/etc/puppetlabs/puppet/ssl/private_keys/mysatellite.example.com.pem \
--foreman-proxy-puppet-url=https://mysatellite.example.com:8140 \
--enable-foreman-plugin-remote-execution --enable-foreman-proxy-plugin-remote-execution-ssh \
--foreman-proxy-tftp=true --foreman-proxy-dhcp=false --foreman-proxy-dns=false


6. Check "hammer capsule list" and "hammer ping" to confirm the health of satellite and see the name of the internal smart-proxy.  Make sure firewalld is configured to allow necessary access to Satellite.

7. Check "/etc/pulp/settings.py" and notice that It also got configured with the CNAME mysatellite.example.com.

8. Confirm that the foreman knows the fqdn as sat611.example.com.

# echo "SETTINGS[:fqdn]" | foreman-rake console

"sat611.example.com"

9. Import a manifest in satellite.

10. Go to Administer --> Settings --> General --> HTTP(s) Proxy --> set "http://10.XX.XXX.YY:3128" as the value there for the proxy server.

11. Log in to the squid server and tail the log files:

# tail -f -v -n0  /var/log/squid/*log

12. Go to Content --> Red Hat Repositories --> Expand any repos and try enabling it while monitor the /var/log/foreman/production.log file of satellite as well as log files on squid server.



Actual results:

During the repo enabling task itself, we will be able to see following entries in satellite's production.log multiple times. 

2022-09-19T17:53:37 [I|app|3dd40cb3] (Excon) Proxying request to mysatellite.example.com via http://10.XX.XXX.YY:3128

Which means, Satellite tried to connect to pulp via the CNAME and that connection was established via proxy.

The squid proxy logs will also convey the same message. 

The same problem will happen during repo sync or any tasks that requires communication from foreman -> foreman-proxy via the CNAME. 



Expected results:

Satellite should not try to connect to it's own CNAME via the proxy configured or else the proxy server would get overloaded very frequently. 


Additional info:

When I check the code from https://github.com/theforeman/foreman/blob/3.1-stable/lib/foreman/http_proxy.rb#L33-L38 , That function includes the fqdn of the satellite as well.

    def local_request?(request_host)
      request_host.starts_with?('127.') ||
      request_host == 'localhost' ||
      request_host == '::1' ||
      request_host == SETTINGS[:fqdn]
    end

And whenever a request via proxy is initiated, any ip\fqdn defined in the local_request function should be excluded:

https://github.com/theforeman/foreman/blob/3.1-stable/lib/foreman/http_proxy.rb#L16-L23

Now, The problem in our case is that the code of the satellite works simply as expected i.e. it excludes SETTINGS[:fqdn] when it comes to communication via proxy.

SETTINGS[:fqdn] here is sat611.example.com but not mysatellite.example.com. So as long as that is true but the satellite internally uses mysatellite.example.com for communication, the same issue will continue to exist. 

WORKAROUND: Put the CNAME into the "HTTP(S) proxy except hosts" list from Administer --> Settings --> General page.

IMPROVEMENT REQUEST: If "--certs-cname" is used with the installer, then the CNAME FQDN should get set as a value of :cname object, so that it can be queried via SETTINGS[:cname] and then perhaps improve the function here:

    def local_request?(request_host)
      request_host.starts_with?('127.') ||
      request_host == 'localhost' ||
      request_host == '::1' ||
      request_host == SETTINGS[:fqdn] ||
      request_host == SETTINGS[:cname]
    end

Any other ideas are always welcome as long as it can clearly address the concern

Comment 6 Brad Buckingham 2024-03-21 21:07:37 UTC

Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team.  Thank you.

Comment 7 Brad Buckingham 2024-05-13 10:04:06 UTC

Thank you for your interest in Red Hat Satellite. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this feel free to contact your Red Hat Account Team. Thank you.