Description of problem:
If a customer's OSE environment requires all outside traffic to go through a proxy, the customer won't be able to use downloadable carts. For instance, the following will fail to download the manifest if the customer has a proxy in place:

rhc --debug app create nodjs https://cartreflect-claytondev.rhcloud.com/reflect?github=wshearn/openshift-origin-cartridge-nodejs

This fails even if the customer has the appropriate env variables exported:

http_proxy="<proxy url>"
https_proxy="<proxy url>"

Version-Release number of selected component (if applicable):
1.2

How reproducible:
always

Steps to Reproduce:
1. Have an OSE environment behind a proxy
2. Try to download a cartridge via
# rhc --debug app create nodjs https://cartreflect-claytondev.rhcloud.com/reflect?github=wshearn/openshift-origin-cartridge-nodejs

Actual results:
broker fails to get the manifest, most likely because the proxy environment variables aren't being found.

Expected results:
Cart download should succeed.

Additional info:
Michal might potentially fix this upstream by making the switch to httpclient.
Right, I will work on this one tomorrow and will see how far I will get.
Just an update on this: I tested Michal's patch (https://github.com/openshift/origin-server/pull/3770/files) and setting HTTP_PROXY in /etc/openshift/broker.conf does allow the broker to download cartridge manifests through a proxy. However, the node is still not able to clone from github. To work around this I edited /etc/sysconfig/mcollective and exported the http_proxy and https_proxy variables. I initially tried setting /etc/openshift/env/http{,s}_proxy but it did not work. The node was then able to clone from github; however, this particular downloadable cartridge uses npm, which doesn't support the https_proxy and http_proxy variables. However, ~/.npmrc is actually editable by the gear user, so the following commands do work:

npm config set proxy http://proxy.company.com:8080
npm config set https-proxy http://proxy.company.com:8080

If the customer was forced to use a proxy they could modify the cartridge to set the proxy appropriately for their environment. I'm not really excited about having to edit /etc/sysconfig/mcollective. If Clayton agrees I'd like to suggest a new setting for /etc/openshift/node.conf.
Should we mark this as ON_QA once this PR is merged: https://github.com/openshift/origin-server/pull/3770 ?
We'll move it to ON_QA once we backport it to OSE.
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/2f02e89bef8375ec6c9ab18945de32dd610cb4ee
Bug 1015187: Replace curl with httpclient when downloading cartridges
I don't see a problem with having the setting be in /etc/sysconfig/mcollective (or under 2.0 it would be /opt/rh/ruby193/root/etc/sysconfig/mcollective) except that we should mark it config(noreplace) in the spec file so the changes aren't moved aside by an update. Anyway, that should work today under 2.0.
I should have mentioned this solution: https://access.redhat.com/site/solutions/715333 Configuring a git proxy via system gitconfig should be a pretty good solution... as long as downloadable carts are actually being cloned via git?
The code change is in enterprise-2.2, and the configuration change for Git is documented in the knowledge-base article (see comment 10), so this defect should be resolved. Creating an application with a downloadable cartridge should work as long as the broker has access to the cartridge's Git repository using the proxy specified in broker.conf and as long as the node has access to the same repository using the proxy configured for Git per the knowledge-base article. Note that per comment 4, some cartridges may also require special configuration to use the proxy if they need access to download additional resources at run-time. We generally describe such configuration steps in knowledge-base articles.
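Added example (not part of the thread and not the project's own code): a shell check that reports which of the proxy settings named in the comments above are present, namely HTTP_PROXY in broker.conf, the http_proxy/https_proxy exports in the mcollective sysconfig file, the system Git proxy, and the gear's npm settings. The function names, the ROOT prefix argument and the npmrc path argument are hypothetical, and it assumes the knowledge-base article's Git setting is the standard `http.proxy` key in /etc/gitconfig.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. ROOT is a hypothetical prefix so the
# check can run against a copy of the files; pass "" on a live host.

# Last value of KEY in a KEY=value or "export KEY=value" file, quotes stripped.
conf_value() {  # usage: conf_value FILE KEY
  [ -r "$1" ] || return 0
  sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?${2}[[:space:]]*=[[:space:]]*//p" "$1" |
    tail -n 1 | sed -E "s/^[\"']//; s/[\"']?[[:space:]]*\$//"
}

# proxy under [http] in a gitconfig file. Assumption: the KB article's setting
# is git's http.proxy (live host: git config --system --get http.proxy).
git_http_proxy() {  # usage: git_http_proxy FILE
  [ -r "$1" ] || return 0
  awk '/^[ \t]*\[/ { in_http = ($0 ~ /^[ \t]*\[http\][ \t]*$/) }
       in_http && /^[ \t]*proxy[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); v = $0 }
       END { if (v != "") print v }' "$1"
}

# Print LAYER=value, or LAYER=MISSING; credentials in the URL are masked so
# the report can be pasted into a ticket.
report() {  # usage: report LAYER VALUE
  printf '%s=%s\n' "$1" "$(printf '%s' "${2:-MISSING}" | sed -E 's#//[^/@]*@#//***@#')"
}

proxy_layers() {  # usage: proxy_layers ROOT [GEAR_NPMRC]
  root=$1; npmrc=${2:-}
  report broker.HTTP_PROXY "$(conf_value "$root/etc/openshift/broker.conf" HTTP_PROXY)"
  mco=$root/etc/sysconfig/mcollective   # fall back to the 2.0 path from the thread
  [ -r "$mco" ] || mco=$root/opt/rh/ruby193/root/etc/sysconfig/mcollective
  report node.http_proxy  "$(conf_value "$mco" http_proxy)"
  report node.https_proxy "$(conf_value "$mco" https_proxy)"
  report git.http.proxy   "$(git_http_proxy "$root/etc/gitconfig")"
  if [ -n "$npmrc" ]; then              # per-gear ~/.npmrc, path supplied by caller
    report npm.proxy       "$(conf_value "$npmrc" proxy)"
    report npm.https-proxy "$(conf_value "$npmrc" https-proxy)"
  fi
}
```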
Don't support https proxy on broker.