Bug 1315627 - [RFE] pcsd should handle http proxy environment variables better
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pcs
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Assignee: Ondrej Mular
QA Contact: cluster-qe@redhat.com
Keywords: FutureFeature
Duplicates: 1388934
Reported: 2016-03-08 09:30 UTC by Tomas Jelinek
Modified: 2018-02-19 15:33 UTC (History)
Last Closed: 2017-08-01 18:22:57 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1958 normal SHIPPED_LIVE pcs bug fix and enhancement update 2017-08-01 18:09:47 UTC
Red Hat Bugzilla 1300433 None CLOSED Pacemaker pcs command is not accepting domain suffix for no_proxy env. variable 2019-03-19 19:26 UTC
Red Hat Bugzilla 1318656 None CLOSED document supported ENV variables in man pages 2019-03-19 19:26 UTC
Red Hat Bugzilla 1378742 None None None Never

Internal Trackers: 1300433 1318656 1378742

Description Tomas Jelinek 2016-03-08 09:30:35 UTC
The Ruby standard library takes the http_proxy, https_proxy and no_proxy environment variables into account when connecting to HTTP servers. If there is an HTTP proxy set up, it may prevent pcsd from communicating with other cluster nodes. This is a part of the pcsd debug log from when it happened:

Sending HTTP Request to: https://lv9027hb:2224/remote/check_auth
Data: None
Response Reason: Tunnel connection failed: 403 Forbidden

What the user gets when running without --debug is only this, which is not helpful at all:
[root@lv9026 ~]# pcs cluster auth lv9026hb lv9027hb
Username: hacluster
Password: 
Error: Unable to communicate with lv9027hb
Error: Unable to communicate with lv9026hb

We cannot disable HTTP proxy environment variables in pcsd completely as there are users who use it in their intended manner and then pcsd works fine for them.

Pcs should print a warning if it is not able to connect to remote node and the reason for that might be HTTP proxy (or print a list of possible reasons every time a connection fails). Or it could try to connect without the proxy if there is a proxy configured and the first connection fails.

Fabio's idea:
try to connect via proxy, if it fails, try by unsetting those vars and
provide proper error report/warning in the process.
"attempting to connect to node foo via proxy XYZ .... FAILED"
"attempting to connect to node foo without proxy even if proxy XYZ is
configured"....

We could either not use https_proxy or add nodes to no_proxy.
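
How the proxy variables decide the route for each node, as an added example that is not part of the bug report or of pcs: it reports which nodes' pcsd requests (port 2224, as in the debug log above) would be sent to the proxy and what no_proxy value would exempt them. The function names are hypothetical and the no_proxy matching is a simplified assumption, not Ruby's exact implementation.

```ruby
# Added example (not pcs code): pre-flight check for proxy variables that
# would affect HTTPS requests to pcsd on cluster nodes.
# Assumption: no_proxy holds comma-separated hosts or domain suffixes with an
# optional :port; IPv6 literals and CIDR ranges are not handled here.
PCSD_PORT = 2224

# Proxy value that applies to https:// requests, or nil when none is set.
def https_proxy_from(env)
  value = (env['https_proxy'] || env['HTTPS_PROXY']).to_s.strip
  value.empty? ? nil : value
end

# True when a no_proxy entry exempts host:port from proxying.
def exempt?(host, port, no_proxy)
  host = host.downcase
  no_proxy.to_s.split(/[,\s]+/).any? do |entry|
    pattern, entry_port = entry.downcase.split(':', 2)
    next false if pattern.nil? || (entry_port && entry_port.to_i != port)
    suffix = pattern.sub(/\A\./, '')
    host == suffix || host.end_with?(".#{suffix}")
  end
end

# Map each node to :direct or to the proxy its request would go through.
def proxy_plan(nodes, env = ENV)
  proxy = https_proxy_from(env)
  no_proxy = env['no_proxy'] || env['NO_PROXY']
  nodes.to_h do |node|
    [node, proxy && !exempt?(node, PCSD_PORT, no_proxy) ? proxy : :direct]
  end
end

# no_proxy value that keeps existing entries and adds the proxied nodes.
def suggested_no_proxy(nodes, env = ENV)
  current = (env['no_proxy'] || env['NO_PROXY']).to_s.split(',').map(&:strip).reject(&:empty?)
  proxied = proxy_plan(nodes, env).reject { |_, via| via == :direct }.keys
  (current + proxied).uniq.join(',')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample environment, modelled on the reproducer in comment 4.
  sample = { 'https_proxy' => 'http://proxy.example.net:8080',
             'no_proxy' => 'localhost,.cluster.example.net' }
  nodes = %w[node1.example.net node2.cluster.example.net]
  proxy_plan(nodes, sample).each { |node, via| puts "#{node}:#{PCSD_PORT} -> #{via}" }
  puts "no_proxy=#{suggested_no_proxy(nodes, sample)}"
end
```

Pass `ENV` (the default) instead of the sample hash to check the environment that pcs would actually inherit.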

Comment 4 Tomas Jelinek 2016-10-26 14:16:03 UTC
From the duplicate bz1388934:

Robert Scheck 2016-10-26 09:46:11 EDT

Description of problem:
pcs(1) honors HTTP(S)_PROXY/http(s)_proxy by accident (I don't think there
is a proper scenario to let pcs speak through a proxy) and thus fails when
running "pcs cluster auth node1 node2". Example:

$ export http_proxy=http://proxy.example.net:8080
$ export HTTP_PROXY=http://proxy.example.net:8080
$ export https_proxy=http://proxy.example.net:8080
$ export HTTPS_PROXY=http://proxy.example.net:8080

$ pcs cluster auth node1.example.net node2.example.net
Username: hacluster
Password: ********
Error: Unable to communicate with node1.example.net
Error: Unable to communicate with node2.example.net
$ 

While debugging this via strace(1), I noticed that pcs(1) connects here
to http://proxy.example.net:8080 and receives a "HTTP/1.0 403 Forbidden"
from the Squid. This again leads to a hardly readable stack trace within
the strace output. The stack trace makes me believe that proxy setups for
pcs(1) are not intended - while pcs(1) seems to honor proxy environment
variables by accident. If this is really intended, then there should be
proper error messages - and of course no stack trace on "403 Forbidden"
replies by the proxy server.

Version-Release number of selected component (if applicable):
pcs-0.9.143-15.el7.x86_64

How reproducible:
Always, see above.

Actual results:
pcs(1) honors HTTP(S)_PROXY/http(s)_proxy by accident and thus fails at
"pcs cluster auth node1 node2".

Expected results:
pcs(1) should not honor environment variables related to proxy servers,
or proxy servers should be properly handled, especially "403 Forbidden".

Additional info:
Aside of this, the documentation likely should be updated to document this
behaviour (or did I overlook existing documentation regarding this?).

Comment 5 Tomas Jelinek 2016-10-26 14:16:24 UTC
*** Bug 1388934 has been marked as a duplicate of this bug. ***

Comment 9 Ondrej Mular 2017-02-03 16:24:49 UTC
Upstream patch:
https://github.com/ClusterLabs/pcs/commit/3c4d8166ebb4dc43079c2f5aa6b3fd721590

Pcs will show a warning about usage of a proxy if it was unable to connect to a node.

TEST:
[root@rhel7-node1 ~]# https_proxy=test.proxy pcs cluster auth rhel7-node2 -uhacluster
Password: 
Warning: Proxy is set in environment variables, try disabling it
Error: Unable to communicate with rhel7-node2

Comment 12 Ivan Devat 2017-04-10 15:49:37 UTC
After Fix:

[vm-rhel72-1 ~] $ rpm -q pcs
pcs-0.9.157-1.el7.x86_64

Pcs will show a warning about usage of a proxy if it was unable to connect to a node.
[vm-rhel72-1 ~] $ https_proxy=test.proxy pcs cluster auth vm-rhel72-3 -uhacluster
Password:
Warning: Proxy is set in environment variables, try disabling it
Error: Unable to communicate with vm-rhel72-3

Comment 18 errata-xmlrpc 2017-08-01 18:22:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1958

Comment 19 Dzmitryj 2018-02-16 15:38:11 UTC
The same error still exists in pcs-0.9.158-6.el7_4.1.x86_64


[root@new-mgs-mds-01 M]# ./configure_cluster.sh
Setting Production Environment...

Creating the HA-cluster...
Authorizing pcs cluster auth -u  -p  new-mgs-mds-01 new-mgs-mds-02
Warning: Proxy is set in environment variables, try disabling it
Error: Unable to communicate with new-mgs-mds-02
Error: Unable to communicate with new-mgs-mds-01

[root@new-mgs-mds-01 M]# ping new-mgs-mds-01
PING new-mgs-mds-01  56(84) bytes of data.
64 bytes from new-mgs-mds-01: icmp_seq=1 ttl=64 time=0.013 ms
64 bytes from new-mgs-mds-01: icmp_seq=2 ttl=64 time=0.008 ms
64 bytes from new-mgs-mds-01: icmp_seq=3 ttl=64 time=0.007 ms
64 bytes from new-mgs-mds-01: icmp_seq=4 ttl=64 time=0.018 ms
^C
--- new-mgs-mds-01 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 0.007/0.011/0.018/0.005 ms
[root@new-mgs-mds-01 M]# ping new-mgs-mds-02
PING new-mgs-mds-02  56(84) bytes of data.
64 bytes from new-mgs-mds-02 : icmp_seq=1 ttl=64 time=0.090 ms
^C
--- new-mgs-mds-02 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.090/0.090/0.090/0.000 ms
[root@new-mgs-mds-01 M]# cc

Can you please check?

Comment 20 Tomas Jelinek 2018-02-19 15:33:14 UTC
Dzmitryj,

This is expected. It is up to you to configure your proxy / network / environment. Pcs can not and will not do that for you.

