Bug 432358

Summary: yum process not functional through proxy appliance
Product: Red Hat Enterprise Linux 5
Component: yum-rhn-plugin
Version: 5.1
Hardware: x86_64
OS: Linux
Status: CLOSED NOTABUG
Severity: high
Priority: low
Target Milestone: rc
Keywords: Reopened
Reporter: Don Vanco <don.vanco>
Assignee: John Matthews <jmatthew>
CC: Ben.Stanley, cperry, cww, etay, johfulto, ppira, xdmoon
Doc Type: Bug Fix
Last Closed: 2009-02-21 04:31:50 UTC

Description Don Vanco 2008-02-11 15:27:10 UTC
Description of problem:
Using a Blue Coat proxy appliance, cannot get yum to authenticate successfully.


Version-Release number of selected component (if applicable):
Latest via install / update of RHEL 5 Update 1 and updates posted prior to
2-10-2008 (sorry - no longer have direct console access)


How reproducible:
Always


Steps to Reproduce:
1. Install OS
2. Try to update

  
Actual results:
Fails to connect


Expected results:
A connection to RHN

Additional info:
We have determined that we've successfully gotten the up2date process working -
this was accomplished by editing /etc/sysconfig/rhn/up2date and enabling proxy,
but NOT proxy authentication, and then supplying auth creds as part of the URL.
 Supplying separate authentication credentials did NOT allow up2date to function
(validated with rhn_check)

However, no combination of proxy settings in yum.conf allows the update process
to function.  I get a 104 - connection reset by peer.  If I look at the logs I
can see 5 attempts to authenticate then failure.


Here are the contents of /etc/yum.conf

[main] 
cachedir=/var/cache/yum 
keepcache=0 
debuglevel=2 
logfile=/var/log/yum.log 
pkgpolicy=newest 
distroverpkg=redhat-release 
tolerant=1 
exactarch=1 
obsoletes=1 
gpgcheck=1 
plugins=1 
metadata_expire=1800 

proxy=http://username:userpass@proxy-pac.dir.ucb-group.com:8080 
# from other attempts to authenticate:
#proxy=http://proxy-pac.dir.ucb-group.com:8080 
#proxy_username=username 
#proxy_password=userpass 

# PUT YOUR REPOS HERE OR IN separate files named file.repo 
# in /etc/yum.repos.d 
(END) 





Here are the contents of /etc/sysconfig/rhn/up2date

# Automatically generated Red Hat Update Agent config file, do not edit. 
# Format: 1.0 
versionOverride[comment]=Override the automatically determined system version 
versionOverride= 

enableProxyAuth[comment]=To use an authenticated proxy or not 
enableProxyAuth=0 

networkRetries[comment]=Number of attempts to make at network connections before giving up
networkRetries=5 

hostedWhitelist[comment]=RHN Hosted URL's 
hostedWhitelist= 

enableProxy[comment]=Use a HTTP Proxy 
enableProxy=1 

serverURL[comment]=Remote server URL 
serverURL=http://xmlrpc.rhn.redhat.com/XMLRPC 



proxyUser[comment]=The username for an authenticated proxy 

disallowConfChanges[comment]=Config options that can not be overwritten by a config update action
disallowConfChanges=noReboot;sslCACert;useNoSSLForPackages;noSSLServerURL;serverURL;disallowConfChanges;

sslCACert[comment]=The CA cert used to verify the ssl server 
sslCACert=/usr/share/rhn/RHNS-CA-CERT 

debug[comment]=Whether or not debugging is enabled 
debug=0 

httpProxy[comment]=HTTP proxy in host:port format, e.g. squid.redhat.com:3128 
httpProxy=http://username:userpass@proxy-pac.dir.ucb-group.com:8080 

systemIdPath[comment]=Location of system id 
systemIdPath=/etc/sysconfig/rhn/systemid 

noReboot[comment]=Disable the reboot actions 
noReboot=0 



Here is what happens when we try to run the update tool 

[root@atlinsdbp001 ~]# yum list update 
Loading "rhnplugin" plugin 
Loading "installonlyn" plugin 
Loading "security" plugin 
Setting up repositories 
Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.main(sys.argv[1:])
  File "/usr/share/yum-cli/yummain.py", line 102, in main
    result, resultmsgs = do()
  File "/usr/share/yum-cli/cli.py", line 359, in doCommands
    return self.yum_cli_commands[self.basecmd].doCommand(self, self.basecmd, self.extcmds)
  File "/usr/share/yum-cli/yumcommands.py", line 160, in doCommand
    ypl = base.returnPkgLists(extcmds)
  File "/usr/share/yum-cli/cli.py", line 863, in returnPkgLists
    ypl = self.doPackageLists(pkgnarrow=pkgnarrow)
  File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 970, in doPackageLists
    self.doRepoSetup()
  File "/usr/share/yum-cli/cli.py", line 102, in doRepoSetup
    yum.YumBase.doRepoSetup(self, thisrepo=thisrepo)
  File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 299, in doRepoSetup
    repo.setup(self.conf.cache)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 503, in setup
    self._loadRepoXML(text=self)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 530, in _loadRepoXML
    cache=self.http_caching == 'all')
  File "/usr/lib/yum-plugins/rhnplugin.py", line 221, in _getFile
    start, end, copy_local, checkfunc, text, reget, cache)
  File "/usr/lib/yum-plugins/rhnplugin.py", line 305, in _noExceptionWrappingGet
    http_headers=headers,
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 927, in urlgrab
    return self._retry(opts, retryfunc, url, filename)
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 845, in _retry
    r = apply(func, (opts,) + args, {})
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 913, in retryfunc
    fo = URLGrabberFileObject(url, filename, opts)
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1001, in __init__
    self._do_open()
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1072, in _do_open
    fo, hdr = self._make_request(req, opener)
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1172, in _make_request
    fo = opener.open(req)
  File "/usr/lib64/python2.4/urllib2.py", line 358, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.4/urllib2.py", line 376, in _open
    '_open', req)
  File "/usr/lib64/python2.4/urllib2.py", line 337, in _call_chain
    result = func(*args)
  File "/usr/lib64/python2.4/urllib2.py", line 573, in <lambda>
    lambda r, proxy=url, type=type, meth=self.proxy_open: \
  File "/usr/lib64/python2.4/urllib2.py", line 597, in proxy_open
    return self.parent.open(req)
  File "/usr/lib64/python2.4/urllib2.py", line 358, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.4/urllib2.py", line 376, in _open
    '_open', req)
  File "/usr/lib64/python2.4/urllib2.py", line 337, in _call_chain
    result = func(*args)
  File "/usr/lib64/python2.4/site-packages/M2Crypto/m2urllib2.py", line 66, in https_open
    h.request(req.get_method(), req.get_full_url(), req.data, headers)
  File "/usr/lib64/python2.4/httplib.py", line 804, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.4/httplib.py", line 827, in _send_request
    self.endheaders()
  File "/usr/lib64/python2.4/site-packages/M2Crypto/httpslib.py", line 145, in endheaders
    HTTPSConnection.endheaders(self)
  File "/usr/lib64/python2.4/httplib.py", line 798, in endheaders
    self._send_output()
  File "/usr/lib64/python2.4/httplib.py", line 679, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.4/httplib.py", line 646, in send
    self.connect()
  File "/usr/lib64/python2.4/site-packages/M2Crypto/httpslib.py", line 161, in connect
    self._start_ssl()
  File "/usr/lib64/python2.4/site-packages/M2Crypto/httpslib.py", line 176, in _start_ssl
    self.sock.connect_ssl()
  File "/usr/lib64/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 149, in connect_ssl
    return m2.ssl_connect(self.ssl, self._timeout)
M2Crypto.SSL.SSLError: (104, 'Connection reset by peer')

Comment 3 Patrik Pira 2008-05-20 15:13:04 UTC
Have the exact same problem. Also with a Bluecoat proxy appliance. Tried
updating m2crypto to the latest version from FasTrack but it made no difference,
still "Connection reset by peer".

Comment 4 Ben.Stanley 2008-05-27 06:35:56 UTC
We had this problem. We sent off a packet capture to BlueCoat and they
recommended some changes to us. I don't know what the changes were, I will try
to get them attached here. However, as a result of the changes, I am now
successfully running 'yum update'.

This bug is BlueCoat's fault.

Comment 5 Don Vanco 2008-05-27 13:05:32 UTC
So - some random user comes in here and says "it's BlueCoat's fault", posts no
resolution for the world at large, and the bug gets closed as "not a bug"??

I spoke with BlueCoat - they have no idea what the problem is and have never
seen it before.

Until someone PROVES otherwise please leave this as an open bug.

Comment 6 Patrik Pira 2008-05-27 14:02:31 UTC
As up2date from RedHat Enterprise 4 works fine with our bluecoat proxy and yum
with rhnplugin from RedHat Enterprise 5 does not, rhnplugin must do things a bit
different than the old up2date.

According to our network guys rhnplugin uses TLS instead of SSL and that's why
bluecoat resets the connection, they did not manage to get the bluecoat proxy to
let TLS through though (yet).


Comment 7 Ben.Stanley 2008-05-28 02:53:01 UTC
The following is the information forwarded to me by the local BlueCoat
administrator. I have no further information, for which I refer you to BlueCoat
systems.

The issue was apparently software bug: 94037 where the compression method for
the website is not supported by the proxy.  

 

This was the fix:

1)    Disable protocol detection
       Go to Management console > Configuration > Policy > Policy Files Install Local File From > Text Editor
       <proxy>
       url.domain = //redhat.com detect_protocol(no)


2)    Disable HTTP server compression
       Web access layer:
       Add a rule:
       Source: Any
       Destination: Right click > Set > New > Request URL > Simple match > redhat.com
       Service: Any
       Time: Any
       Action: Right click > New > Set Server HTTP Compression Object > Disable HTTP compression

 

This worked for us.
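
Added example (not part of the bug report, and not yum or rhnplugin code): the traceback in the description ends in connect_ssl, and the fix in comment 7 changes how the proxy treats the traffic rather than the credentials. The Python 3 probe below reports which step fails first, so a rejected proxy login (407 on CONNECT) can be told apart from a reset during the TLS handshake. The function name probe_https_via_proxy, the use of Basic proxy authentication and the (host, port) arguments are assumptions made for the illustration.

```python
import base64
import socket
import ssl


def probe_https_via_proxy(proxy, target, user=None, password=None, timeout=5.0):
    """Return (stage, detail); stage is 'tcp', 'connect', 'tls' or 'ok'.

    proxy and target are (host, port) tuples. The stage names the first
    step that failed: reaching the proxy, the CONNECT request (including
    proxy authentication), or the TLS handshake inside the tunnel.
    """
    try:
        sock = socket.create_connection(proxy, timeout=timeout)
    except OSError as exc:
        return "tcp", str(exc)
    try:
        host, port = target
        request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n"
        if user is not None:
            # Assumption: the proxy accepts Basic credentials on CONNECT.
            token = base64.b64encode(f"{user}:{password}".encode()).decode()
            request += f"Proxy-Authorization: Basic {token}\r\n"
        sock.sendall((request + "\r\n").encode("ascii"))

        head = b""
        while b"\r\n\r\n" not in head:
            chunk = sock.recv(4096)
            if not chunk:
                return "connect", "proxy closed before answering CONNECT"
            head += chunk
        status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
        fields = status_line.split(" ", 2)
        if len(fields) < 2 or fields[1] != "200":
            return "connect", status_line  # e.g. 407: credentials rejected

        try:
            context = ssl.create_default_context()
            tls = context.wrap_socket(sock, server_hostname=host)
        except OSError as exc:  # ssl.SSLError and resets are OSError subclasses
            return "tls", f"{type(exc).__name__}: {exc}"
        with tls:
            return "ok", tls.version()
    except OSError as exc:
        return "connect", str(exc)
    finally:
        sock.close()
```

A "tls" result with valid credentials points at the proxy's handling of the tunnelled session, which is the area the policy change in comment 7 addresses.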

Comment 8 Patrik Pira 2008-05-29 06:22:00 UTC
Above fix works for me too.

Not a bug in rhnplugin, more of a documentation bug as rhnplugin differs a bit
from up2date. Can we have this documented in the knowledge base?

Comment 10 Clifford Perry 2009-02-20 21:47:59 UTC
This was sent to our knowledgebase team as a suggested article. It does not seem to have been done yet. I am though going to close this bug out now. A search for BlueCoat should quickly find this bug report in public archives for future users as well.

Cliff

Comment 11 Xixi 2009-05-29 20:40:46 UTC
(In reply to comment #10)
KBase article at http://kbase.redhat.com/faq/docs/DOC-17129

Comment 12 Xixi 2009-05-29 20:45:19 UTC
(In reply to comment #11)
> (In reply to comment #10)
> KBase article at http://kbase.redhat.com/faq/docs/DOC-17129  
(It's currently undergoing the publication process.)