Bug 1315627 - [RFE] pcsd should handle http proxy environment variables better
Summary: [RFE] pcsd should handle http proxy environment variables better
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pcs
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Ondrej Mular
QA Contact: cluster-qe@redhat.com
URL:
Whiteboard:
Duplicates: 1388934
Depends On:
Blocks:
 
Reported: 2016-03-08 09:30 UTC by Tomas Jelinek
Modified: 2021-02-02 13:44 UTC (History)

Fixed In Version: pcs-0.9.157-1.el7
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 18:22:57 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1300433 | 0 | unspecified | CLOSED | Pacemaker pcs command is not accepting domain suffix for no_proxy env. variable | 2021-02-22 00:41:40 UTC
Red Hat Bugzilla | 1318656 | 0 | unspecified | CLOSED | document supported ENV variables in man pages | 2021-02-22 00:41:40 UTC
Red Hat Bugzilla | 1378742 | 0 | medium | CLOSED | create manpage for pcsd | 2021-02-22 00:41:40 UTC
Red Hat Product Errata | RHBA-2017:1958 | 0 | normal | SHIPPED_LIVE | pcs bug fix and enhancement update | 2017-08-01 18:09:47 UTC

Internal Links: 1300433 1318656 1378742

Description Tomas Jelinek 2016-03-08 09:30:35 UTC
The Ruby standard library takes the http_proxy, https_proxy and no_proxy environment variables into account when connecting to HTTP servers. If there is an HTTP proxy set up, it may prevent pcsd from communicating with other cluster nodes. This is a part of the pcsd debug log from when it happened:

Sending HTTP Request to: https://lv9027hb:2224/remote/check_auth
Data: None
Response Reason: Tunnel connection failed: 403 Forbidden

What the user gets when running without --debug is only this, which is not helpful at all:
[root@lv9026 ~]# pcs cluster auth lv9026hb lv9027hb
Username: hacluster
Password: 
Error: Unable to communicate with lv9027hb
Error: Unable to communicate with lv9026hb

We cannot disable HTTP proxy environment variables in pcsd completely as there are users who use it in their intended manner and then pcsd works fine for them.

Pcs should print a warning if it is not able to connect to remote node and the reason for that might be HTTP proxy (or print a list of possible reasons every time a connection fails). Or it could try to connect without the proxy if there is a proxy configured and the first connection fails.

Fabio's idea:
try to connect via proxy, if it fails, try by unsetting those vars and
provide proper error report/warning in the process.
"attempting to connect to node foo via proxy XYZ .... FAILED"
"attempting to connect to node foo without proxy even if proxy XYZ is
configured"....

We could either not use https_proxy or add nodes to no_proxy.

Comment 4 Tomas Jelinek 2016-10-26 14:16:03 UTC
From the duplicate bz1388934:

Robert Scheck 2016-10-26 09:46:11 EDT

Description of problem:
pcs(1) honors HTTP(S)_PROXY/http(s)_proxy by accident (I don't think there
is a proper scenario to let pcs speak through a proxy) and thus fails when
running "pcs cluster auth node1 node2". Example:

$ export http_proxy=http://proxy.example.net:8080
$ export HTTP_PROXY=http://proxy.example.net:8080
$ export https_proxy=http://proxy.example.net:8080
$ export HTTPS_PROXY=http://proxy.example.net:8080

$ pcs cluster auth node1.example.net node2.example.net
Username: hacluster
Password: ********
Error: Unable to communicate with node1.example.net
Error: Unable to communicate with node2.example.net
$ 

While debugging this via strace(1), I noticed that pcs(1) connects here
to http://proxy.example.net:8080 and receives a "HTTP/1.0 403 Forbidden"
by the Squid. This again leads to a hardly readable stack trace within
strace output. The stack trace makes me believe that proxy setups for
pcs(1) are not intended - while pcs(1) seems to honor proxy environment
variables by accident. If this is really intended, then there should be
proper error messages - and of course no stack trace on "403 Forbidden"
replies by the proxy server.

Version-Release number of selected component (if applicable):
pcs-0.9.143-15.el7.x86_64

How reproducible:
Always, see above.

Actual results:
pcs(1) honors HTTP(S)_PROXY/http(s)_proxy by accident and thus fails at
"pcs cluster auth node1 node2".

Expected results:
pcs(1) should not honor environment variables related to proxy servers,
or proxy servers should be properly handled, especially "403 Forbidden".

Additional info:
Aside from this, the documentation likely should be updated to document this
behaviour (or did I overlook existing documentation regarding this?).

Comment 5 Tomas Jelinek 2016-10-26 14:16:24 UTC
*** Bug 1388934 has been marked as a duplicate of this bug. ***

Comment 9 Ondrej Mular 2017-02-03 16:24:49 UTC
Upstream patch:
https://github.com/ClusterLabs/pcs/commit/3c4d8166ebb4dc43079c2f5aa6b3fd721590

Pcs will show a warning about usage of a proxy if it was unable to connect to a node.

TEST:
[root@rhel7-node1 ~]# https_proxy=test.proxy pcs cluster auth rhel7-node2 -uhacluster
Password: 
Warning: Proxy is set in environment variables, try disabling it
Error: Unable to communicate with rhel7-node2

Comment 12 Ivan Devat 2017-04-10 15:49:37 UTC
After Fix:

[vm-rhel72-1 ~] $ rpm -q pcs
pcs-0.9.157-1.el7.x86_64

Pcs will show a warning about usage of a proxy if it was unable to connect to a node.
[vm-rhel72-1 ~] $ https_proxy=test.proxy pcs cluster auth vm-rhel72-3 -uhacluster
Password:
Warning: Proxy is set in environment variables, try disabling it
Error: Unable to communicate with vm-rhel72-3

Comment 18 errata-xmlrpc 2017-08-01 18:22:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1958

Comment 19 Dzmitryj 2018-02-16 15:38:11 UTC
The same error still exists in pcs-0.9.158-6.el7_4.1.x86_64


[root@new-mgs-mds-01 M]# ./configure_cluster.sh
Setting Production Environment...

Creating the HA-cluster...
Authorizing pcs cluster auth -u  -p  new-mgs-mds-01 new-mgs-mds-02
Warning: Proxy is set in environment variables, try disabling it
Error: Unable to communicate with new-mgs-mds-02
Error: Unable to communicate with new-mgs-mds-01

[root@new-mgs-mds-01 M]# ping new-mgs-mds-01
PING new-mgs-mds-01  56(84) bytes of data.
64 bytes from new-mgs-mds-01: icmp_seq=1 ttl=64 time=0.013 ms
64 bytes from new-mgs-mds-01: icmp_seq=2 ttl=64 time=0.008 ms
64 bytes from new-mgs-mds-01: icmp_seq=3 ttl=64 time=0.007 ms
64 bytes from new-mgs-mds-01: icmp_seq=4 ttl=64 time=0.018 ms
^C
--- new-mgs-mds-01 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 0.007/0.011/0.018/0.005 ms
[root@new-mgs-mds-01 M]# ping new-mgs-mds-02
PING new-mgs-mds-02  56(84) bytes of data.
64 bytes from new-mgs-mds-02 : icmp_seq=1 ttl=64 time=0.090 ms
^C
--- new-mgs-mds-02 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.090/0.090/0.090/0.000 ms
[root@new-mgs-mds-01 M]# cc

Can you please check?

Comment 20 Tomas Jelinek 2018-02-19 15:33:14 UTC
Dzmitryj,

This is expected. It is up to you to configure your proxy / network / environment. Pcs can not and will not do that for you.

Comment 21 Roman Smirnov 2019-10-22 13:44:20 UTC
(In reply to Dzmitryj from comment #19)
> The same error still exists in pcs-0.9.158-6.el7_4.1.x86_64
> 
> 
> [root@new-mgs-mds-01 M]# ./configure_cluster.sh
> Setting Production Environment...
> 
> Creating the HA-cluster...
> Authorizing pcs cluster auth -u  -p  new-mgs-mds-01 new-mgs-mds-02
> Warning: Proxy is set in environment variables, try disabling it
> Error: Unable to communicate with new-mgs-mds-02
> Error: Unable to communicate with new-mgs-mds-01

In version 0.9.167, you can set the NO_PROXY environment variable on all nodes, listing the hosts that should bypass the proxy.
Example:
export NO_PROXY="new-mgs-mds-01,new-mgs-mds-02"
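
Added example, not part of the bug thread and not pcs/pcsd code: a Ruby pre-flight check that reports which cluster nodes an HTTPS request would reach through a proxy for a given environment. It assumes the pcsd port 2224 seen in the debug log above and relies on URI::Generic.use_proxy?, the internal helper current Ruby's Net::HTTP uses for no_proxy matching (older Ruby builds may match differently); proxied_nodes and report are hypothetical names.

```ruby
require 'uri'

# Added example; proxied_nodes and report are hypothetical helper names.
# Mirrors the lookup order Ruby's URI#find_proxy uses for an https:// URL:
# lowercase variable first, then uppercase; an empty value means "no proxy".
def proxied_nodes(nodes, env = ENV, port = 2224)
  proxy = env['https_proxy'] || env['HTTPS_PROXY']
  proxy = nil if proxy && proxy.empty?
  no_proxy = env['no_proxy'] || env['NO_PROXY']

  nodes.each_with_object({}) do |node, result|
    # addr is passed as nil so no DNS lookup is made; only names are matched.
    bypass = proxy.nil? ||
             (no_proxy && !URI::Generic.use_proxy?(node, nil, port, no_proxy))
    result[node] = bypass ? nil : proxy
  end
end

# One human-readable line per node, suitable for a setup script's output.
def report(nodes, env = ENV)
  proxied_nodes(nodes, env).map do |node, proxy|
    proxy ? "#{node}: via proxy #{proxy} (add it to no_proxy)" : "#{node}: direct"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed environment modelled on the reports in this thread:
  # only one of the two nodes is listed in NO_PROXY.
  env = { 'https_proxy' => 'http://proxy.example.net:8080',
          'NO_PROXY'    => 'new-mgs-mds-01' }
  puts report(%w[new-mgs-mds-01 new-mgs-mds-02], env)
end
```

Under this matcher a no_proxy entry of `node1` does not cover `node1.example.net`, so the list must use the same names (or a domain suffix) that are passed to `pcs cluster auth`.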
