Bug 1315627 - [RFE] pcsd should handle http proxy environment variables better
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pcs
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Ondrej Mular
QA Contact: cluster-qe@redhat.com
Keywords: FutureFeature
Duplicates: 1388934
Reported: 2016-03-08 04:30 EST by Tomas Jelinek
Modified: 2017-08-01 14:22 EDT
Fixed In Version: pcs-0.9.157-1.el7
Doc Type: Enhancement
Last Closed: 2017-08-01 14:22:57 EDT
Type: Bug


Description Tomas Jelinek 2016-03-08 04:30:35 EST
The Ruby standard library takes the http_proxy, https_proxy and no_proxy environment variables into account when connecting to HTTP servers. If there is an HTTP proxy set up, it may prevent pcsd from communicating with other cluster nodes. This is a part of the pcsd debug log from when it happened:

Sending HTTP Request to: https://lv9027hb:2224/remote/check_auth
Data: None
Response Reason: Tunnel connection failed: 403 Forbidden

What the user gets when running without --debug is only this, which is not helpful at all:
[root@lv9026 ~]# pcs cluster auth lv9026hb lv9027hb
Username: hacluster
Password: 
Error: Unable to communicate with lv9027hb
Error: Unable to communicate with lv9026hb

We cannot disable HTTP proxy environment variables in pcsd completely, as there are users who use them in their intended manner and pcsd then works fine for them.

Pcs should print a warning if it is not able to connect to a remote node and the reason for that might be an HTTP proxy (or print a list of possible reasons every time a connection fails). Or it could try to connect without the proxy if there is a proxy configured and the first connection fails.

Fabio's idea:
try to connect via proxy, if it fails, try by unsetting those vars and
provide proper error report/warning in the process.
"attempting to connect to node foo via proxy XYZ .... FAILED"
"attempting to connect to node foo without proxy even if proxy XYZ is
configured"....

We could either not use https_proxy or add nodes to no_proxy.
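
The retry-and-report idea and the no_proxy alternative described above, as an added Ruby example (not pcs or pcsd code). `check_node`, the `attempt` callable and the node address 192.0.2.10 are assumptions made for illustration; the proxy URL is a constructed sample.

```ruby
require 'net/http'

# Variables named in the report, plus the no_proxy pair.
PROXY_ENV = %w[http_proxy https_proxy no_proxy HTTP_PROXY HTTPS_PROXY NO_PROXY].freeze

# Run a block with only the given proxy variables set, then restore ENV.
def with_proxy_env(vars)
  saved = ENV.to_hash
  PROXY_ENV.each { |k| ENV.delete(k) }
  vars.each { |k, v| ENV[k] = v }
  yield
ensure
  ENV.replace(saved)
end

# Two connection objects for one node: Ruby's default (proxy read from the
# environment) and one with the proxy explicitly disabled (p_addr = nil).
def node_connections(host, port = 2224)
  [Net::HTTP.new(host, port), Net::HTTP.new(host, port, nil)].each { |http| http.use_ssl = true }
end

# Try the node through the configured proxy first; if that fails, say so and
# retry directly. `attempt` is a hypothetical callable taking a Net::HTTP
# object and returning true on success, so the network step can be swapped out.
def check_node(host, attempt)
  via_env, direct = node_connections(host)
  log = []
  if via_env.proxy?
    proxy = "#{via_env.proxy_address}:#{via_env.proxy_port}"
    return [:ok_via_proxy, log] if attempt.call(via_env)
    log << "attempting to connect to node #{host} via proxy #{proxy} .... FAILED"
    log << "attempting to connect to node #{host} without proxy even if proxy #{proxy} is configured"
  end
  [attempt.call(direct) ? :ok_direct : :unreachable, log]
end

# Constructed scenario: the proxy refuses the tunnel, the direct path works.
PROXY_REFUSES = ->(http) { !http.proxy? }
NODE = '192.0.2.10' # documentation address, stands in for a cluster node

if __FILE__ == $PROGRAM_NAME
  with_proxy_env('https_proxy' => 'http://proxy.example.net:8080',
                 'http_proxy'  => 'http://proxy.example.net:8080') do
    status, log = check_node(NODE, PROXY_REFUSES)
    puts log, "result: #{status}"
  end
end
```

Passing `nil` as the third argument to `Net::HTTP.new` is what disables the environment lookup for that one connection. A direct retry sidesteps the configured proxy, which is why each step is recorded in the log.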
Comment 4 Tomas Jelinek 2016-10-26 10:16:03 EDT
From the duplicate bz1388934:

Robert Scheck 2016-10-26 09:46:11 EDT

Description of problem:
pcs(1) honors HTTP(S)_PROXY/http(s)_proxy by accident (I don't think there
is a proper scenario to let pcs speak through a proxy) and thus fails when
running "pcs cluster auth node1 node2". Example:

$ export http_proxy=http://proxy.example.net:8080
$ export HTTP_PROXY=http://proxy.example.net:8080
$ export https_proxy=http://proxy.example.net:8080
$ export HTTPS_PROXY=http://proxy.example.net:8080

$ pcs cluster auth node1.example.net node2.example.net
Username: hacluster
Password: ********
Error: Unable to communicate with node1.example.net
Error: Unable to communicate with node2.example.net
$ 

While debugging this via strace(1), I noticed that pcs(1) connects here
to http://proxy.example.net:8080 and receives a "HTTP/1.0 403 Forbidden"
by the Squid. This again leads to a hardly readable stack trace within
strace output. The stack trace makes me believe that proxy setups for
pcs(1) are not intended - while pcs(1) seems to honor proxy environment
variables by accident. If this is really intended, then there should be
proper error messages - and of course no stack trace on "403 Forbidden"
replies by the proxy server.

Version-Release number of selected component (if applicable):
pcs-0.9.143-15.el7.x86_64

How reproducible:
Always, see above.

Actual results:
pcs(1) honors HTTP(S)_PROXY/http(s)_proxy by accident and thus fails at
"pcs cluster auth node1 node2".

Expected results:
pcs(1) should not honor environment variables related to proxy servers,
or proxy servers should be properly handled, especially "403 Forbidden".

Additional info:
Aside from this, the documentation likely should be updated to document this
behaviour (or did I overlook existing documentation regarding this?).
Comment 5 Tomas Jelinek 2016-10-26 10:16:24 EDT
*** Bug 1388934 has been marked as a duplicate of this bug. ***
Comment 9 Ondrej Mular 2017-02-03 11:24:49 EST
Upstream patch:
https://github.com/ClusterLabs/pcs/commit/3c4d8166ebb4dc43079c2f5aa6b3fd721590

Pcs will show a warning about usage of a proxy if it was unable to connect to a node.

TEST:
[root@rhel7-node1 ~]# https_proxy=test.proxy pcs cluster auth rhel7-node2 -uhacluster
Password: 
Warning: Proxy is set in environment variables, try disabling it
Error: Unable to communicate with rhel7-node2
Comment 12 Ivan Devat 2017-04-10 11:49:37 EDT
After Fix:

[vm-rhel72-1 ~] $ rpm -q pcs
pcs-0.9.157-1.el7.x86_64

Pcs will show a warning about usage of a proxy if it was unable to connect to a node.
[vm-rhel72-1 ~] $ https_proxy=test.proxy pcs cluster auth vm-rhel72-3 -uhacluster
Password:
Warning: Proxy is set in environment variables, try disabling it
Error: Unable to communicate with vm-rhel72-3
Comment 18 errata-xmlrpc 2017-08-01 14:22:57 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1958
