Bug 1015187 - [RFE] Allow Broker and node to go through a proxy when attempting to download a cartridge.
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Priority: low, Severity: medium
Assigned To: Mike Barrett
Johnny Liu
Reported: 2013-10-03 11:18 EDT by Nick Harvey
Modified: 2016-04-11 14:28 EDT

Doc Type: Bug Fix
Last Closed: 2016-04-11 14:28:52 EDT
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 715333 None None None Never

Description Nick Harvey 2013-10-03 11:18:39 EDT
Description of problem: If a customer's OSE environment requires all outside traffic to go through a proxy, the customer won't be able to use downloadable carts. For instance, the following will fail to download the manifest if the customer has a proxy in place:

rhc --debug app create nodjs https://cartreflect-claytondev.rhcloud.com/reflect?github=wshearn/openshift-origin-cartridge-nodejs

This fails even if the customer has the appropriate env variables exported. 
http_proxy="<proxy url>"
https_proxy="<proxy url>"

Version-Release number of selected component (if applicable): 1.2

How reproducible: always 

Steps to Reproduce:
1. Have an OSE environment behind a proxy
2. try to download a cartridge via 
# rhc --debug app create nodjs https://cartreflect-claytondev.rhcloud.com/reflect?github=wshearn/openshift-origin-cartridge-nodejs

Actual results: broker fails to get the manifest, most likely because the proxy environment variables aren't being found. 

Expected results: Cart download should succeed. 

Additional info:
Comment 2 Clayton Coleman 2013-10-03 12:03:03 EDT
Michal might potentially fix this upstream by making the switch to httpclient.
Comment 3 Michal Fojtik 2013-10-03 12:27:56 EDT
Right, I will work on this one tomorrow and will see how far I will get.
Comment 4 Brenton Leanhardt 2013-10-08 14:28:09 EDT
Just an update on this, I tested Michal's patch (https://github.com/openshift/origin-server/pull/3770/files) and setting HTTP_PROXY in /etc/openshift/broker.conf does allow the broker to download cartridge manifests through a proxy.

However, the node is still not able to clone from github.  To work around this I edited /etc/sysconfig/mcollective and exported the http_proxy and https_proxy variables.  I initially tried setting /etc/openshift/env/http{,s}_proxy but it did not work.

The node was then able to clone from github; however, this particular downloadable cartridge uses npm, which doesn't support https_proxy and http_proxy variables.  However, ~/.npmrc is actually editable by the gear user so the following commands do work:

npm config set proxy http://proxy.company.com:8080
npm config set https-proxy http://proxy.company.com:8080

If the customer was forced to use a proxy they could modify the cartridge to set the proxy appropriately for their environment.

I'm not really excited about having to edit /etc/sysconfig/mcollective.  If Clayton agrees I'd like to suggest a new setting for /etc/openshift/node.conf.
Comment 5 Michal Fojtik 2013-10-23 09:31:56 EDT
Should we mark this as ON_QA once this PR is merged: https://github.com/openshift/origin-server/pull/3770 ?
Comment 6 Brenton Leanhardt 2013-10-23 09:46:11 EDT
We'll move it to ON_QA once we backport it to OSE.
Comment 7 openshift-github-bot 2013-10-23 20:51:56 EDT
Commit pushed to master at https://github.com/openshift/origin-server

Bug 1015187: Replace curl with httpclient when downloading cartridges
Comment 9 Luke Meyer 2014-03-26 09:18:00 EDT
I don't see a problem with having the setting be in /etc/sysconfig/mcollective (or under 2.0 it would be /opt/rh/ruby193/root/etc/sysconfig/mcollective) except that we should mark it config(noreplace) in the spec file so the changes aren't moved aside by an update. Anyway, that should work today under 2.0.
Comment 10 Luke Meyer 2014-03-26 14:42:51 EDT
I should have mentioned this solution:

Configuring a git proxy via system gitconfig should be a pretty good solution... as long as downloadable carts are actually being cloned via git?
Comment 11 Miciah Dashiel Butler Masters 2014-10-23 13:58:48 EDT
The code change is in enterprise-2.2, and the configuration change for Git is documented in the knowledge-base article (see comment 10), so this defect should be resolved.

Creating an application with a downloadable cartridge should work as long as the broker has access to the cartridge's Git repository using the proxy specified in broker.conf and as long as the node has access to the same repository using the proxy configured for Git per the knowledge-base article.

Note that per comment 4, some cartridges may also require special configuration to use the proxy if they need access to download additional resources at run-time.  We generally describe such configuration steps in knowledge-base articles.
Comment 12 Ma xiaoqiang 2014-10-24 04:51:57 EDT
Don't support https proxy on broker.
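
The proxy settings discussed in this thread live in separate places (broker.conf for the broker, the mcollective environment or the system gitconfig for the node, ~/.npmrc for npm-based cartridges), so a missing one is easy to overlook. The script below is an added example, not code from this bug or from OpenShift, that reports which of them carry a proxy setting; the file formats, the /etc/gitconfig path, the function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check each proxy layer named in this bug under a root prefix.
# Assumed formats: KEY="value" (broker.conf), `export var=value` (mcollective
# sysconfig), git INI syntax (gitconfig), key=value (.npmrc).

conf_value() {  # $1=file $2=key; prints the last assignment, fails if unset
    [ -r "$1" ] || return 1
    sed -n "s/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | tr -d "\"'" | grep .
}

git_proxy() {  # $1=gitconfig; prints proxy from the [http] section only
    [ -r "$1" ] || return 1
    awk '/^[ \t]*\[/ { in_http = ($0 ~ /^[ \t]*\[http\]/); next }
         in_http && /^[ \t]*proxy[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); v = $0 }
         END { if (v == "") exit 1; print v }' "$1"
}

report() {  # $1=label $2=value (empty means not configured)
    if [ -n "$2" ]; then echo "OK       $1 -> $2"
    else echo "MISSING  $1"; missing=$((missing + 1)); fi
}

audit_proxy_layers() {  # $1=root prefix ("" = live system) $2=gear home
    missing=0
    report "broker.conf HTTP_PROXY (manifest download)" \
        "$(conf_value "$1/etc/openshift/broker.conf" HTTP_PROXY)"
    report "mcollective http_proxy (node workaround)" \
        "$(conf_value "$1/etc/sysconfig/mcollective" http_proxy)"
    report "system gitconfig http.proxy (node git clone)" \
        "$(git_proxy "$1/etc/gitconfig")"
    report "gear .npmrc https-proxy (npm in the cartridge)" \
        "$(conf_value "$2/.npmrc" https-proxy)"
    return "$missing"   # exit status = number of layers without a proxy
}

make_sample_tree() {  # constructed sample: broker and npm set, node layers not
    t=$(mktemp -d) && mkdir -p "$t/etc/openshift" "$t/etc/sysconfig" "$t/gear"
    echo 'HTTP_PROXY="http://proxy.company.com:8080"' > "$t/etc/openshift/broker.conf"
    echo '# no proxy exports yet' > "$t/etc/sysconfig/mcollective"
    printf '[remote "origin"]\n\tproxy = http://other-proxy.example:3128\n' > "$t/etc/gitconfig"
    printf 'proxy=http://proxy.company.com:8080\nhttps-proxy=http://proxy.company.com:8080\n' > "$t/gear/.npmrc"
    echo "$t"
}

tree=$(make_sample_tree)
audit_proxy_layers "$tree" "$tree/gear" || echo "$? layer(s) without a proxy setting"
rm -rf "$tree"
```

On a real host, call `audit_proxy_layers "" /path/to/gear/home`; either node-side layer (mcollective exports or system gitconfig) was reported as sufficient in the comments, so a single MISSING among those two is not necessarily a fault.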