Bug 1114083 - [RFE] Capsule should support running behind a proxy
Summary: [RFE] Capsule should support running behind a proxy
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Capsule
Version: 6.0.3
Hardware: Unspecified
OS: Unspecified
high vote
Target Milestone: Unspecified
Assignee: Eric Helms
QA Contact: Katello QA List
David O'Brien
Depends On:
TreeView+ depends on / blocked
Reported: 2014-06-27 16:41 UTC by Corey Welton
Modified: 2019-07-11 08:02 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2016-02-16 18:26:47 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Corey Welton 2014-06-27 16:41:49 UTC
Description of problem:
Similar to bug# 1083818, we probably need proxy config flags for capsule-installer.

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. katello-installer --help|grep proxy
2. capsule-installer --help|grep proxy
3. view results

Actual results:
[root@qeblade6 ~]# katello-installer --help|grep proxy
    --capsule-foreman-proxy-port  Port on which will foreman proxy listen (default: 9090)
    --capsule-realm-keytab        Kerberos keytab path to authenticate realm updates (default: "/etc/foreman-proxy/freeipa.keytab")
    --capsule-realm-principal     Kerberos principal for realm updates (default: "realm-proxy@EXAMPLE.COM")
    --capsule-register-in-foreman  Register proxy back in Foreman (default: true)
    --katello-proxy-password      Proxy password for authentication (default: nil)
    --katello-proxy-port          Port the proxy is running on (default: nil)
    --katello-proxy-url           URL of the proxy server (default: nil)
    --katello-proxy-username      Proxy username for authentication (default: nil)

[root@cloud-qe-22 ~]# capsule-installer --help |grep proxy
    --foreman-proxy-port          Port on which will foreman proxy listen (default: 9090)
    --realm-keytab                Kerberos keytab path to authenticate realm updates (default: "/etc/foreman-proxy/freeipa.keytab")
    --realm-principal             Kerberos principal for realm updates (default: "realm-proxy@EXAMPLE.COM")
    --register-in-foreman         Register proxy back in Foreman (default: true)

Expected results:
capsule-installer should have proxy flags too, perhaps

Additional info:
WORKAROUND: Sync capsule stuff on a satellite and install from there.  it seems unlikely a customer would need to proxy on their internal network?  Product Management feedback welcome.  In any case, though, installing capsule from content synced onto a satellite is a known entity and works pretty well.

Comment 2 Mike McCune 2014-08-14 14:04:31 UTC

The user can manually configure the Pulp proxy settings if they have a http proxy between their Capsule and their Satellite.

Comment 3 Mike McCune 2014-08-27 01:38:09 UTC

The capsule can be configured to use a specific proxy for all repositories by adding the following settings to the following files:


 "proxy_host" : "<url>",
 "proxy_port" : <port>,
 "proxy_username" : "<username>",
 "proxy_password" : "<password>"


These are a JSON files, so care must be taken when editing these fields.  The file must also contain *ALL* the above values even if the proxy does not require a username or password.  If it does not require a username or password just use:

 "proxy_username" : "",
 "proxy_password" : ""

Once these files are created in the above location the user must restart all capsule related services

Comment 5 Eric Helms 2014-10-29 12:56:52 UTC
Support for this requires a full feature implementation. If we were to provide proxy options for a Capsule for just the Pulp part, and a user were to lockdown their Capsule's communication to only outbound port 80 they could break other functionality. I have outlined this feature here - http://projects.theforeman.org/projects/katello/wiki/CapsuleCommunication

Comment 6 Mike McCune 2014-10-31 16:02:43 UTC
Note: Even with the WORKAROUND in comment #3 if the user's capsule has restricted communications between the Capsule and the Satellite the settings outlined in #3 are not sufficient to have a proxy sit between the Capsule and the Satellite.

See comment #5 for more information.

Comment 7 Justin Sherrill 2015-03-20 14:37:16 UTC
My vote is to close this as WONT_FIX IMHO.  The whole premise is that the capsule can communicate with the Satellite.  We really don't want to go down this road.

Comment 8 David O'Brien 2015-06-16 05:50:28 UTC
Does this still require a rel note for 6.1 and if so has it changed at all from what's listed here?


Comment 9 Bryan Kearney 2016-02-16 18:26:47 UTC
We are not planning to fix this. If this is an issue, please feel free to re-open with a specific business justification.

Note You need to log in before you can comment on or make changes to this bug.