Bug 1414749 - Add docker-registry.default.svc.cluster.local to NO_PROXY
Summary: Add docker-registry.default.svc.cluster.local to NO_PROXY
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Scott Dodson
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-01-19 11:15 UTC by Marko Myllynen
Modified: 2017-08-16 19:51 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Image streams now reference the DNS hostname of 'docker-registry.default.svc:5000', which allows the installer to ensure that the hostname is appended to NO_PROXY environment variables so that image pushes work properly in an environment that requires a proxy.
Clone Of:
Environment:
Last Closed: 2017-08-10 05:17:28 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:1716 0 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.6 RPM Release Advisory 2017-08-10 09:02:50 UTC

Description Marko Myllynen 2017-01-19 11:15:06 UTC
Description of problem:
With something like

openshift_http_proxy=http://10.10.10.10:8080
openshift_https_proxy=http://10.10.10.10:8080
openshift_no_proxy=10.1.0.0/16,172.30.0.0/16,test.example.com
openshift_generate_no_proxy_hosts=True

we see that the above list of CIDRs/FQDNs + node names + .cluster.local are configured in /etc/sysconfig/docker. However, since Docker NO_PROXY does not support CIDRs, docker-registry.default.svc.cluster.local should be added as well.

Perhaps .cluster.local and docker-registry.default.svc.cluster.local should be added even if openshift_generate_no_proxy_hosts=True is not set.

Comment 1 Scott Dodson 2017-01-19 22:14:39 UTC
(In reply to Marko Myllynen from comment #0)
> Description of problem:
> With something like
> 
> openshift_http_proxy=http://10.10.10.10:8080
> openshift_https_proxy=http://10.10.10.10:8080
> openshift_no_proxy=10.1.0.0/16,172.30.0.0/16,test.example.com
> openshift_generate_no_proxy_hosts=True
> 
> we see that the above list of CIDRs/FQDNs + node names + .cluster.local are
> configured in /etc/sysconfig/docker. However, since Docker NO_PROXY does not
> support CIDRs docker-registry.default.svc.cluster.local should be added as
> well.

Docker should match 'docker-registry.default.svc.cluster.local' to '.cluster.local'. Are you seeing that having '.cluster.local' isn't working as expected and preventing proxy use for the entire domain?
 
> Perhaps .cluster.local and docker-registry.default.svc.cluster.local should
> be added even if openshift_generate_no_proxy_hosts=True is not set.

I'm fine with adding .cluster.local no matter what.

Proposed fix https://github.com/openshift/openshift-ansible/pull/3131

Comment 2 Marko Myllynen 2017-01-24 14:42:15 UTC
(In reply to Scott Dodson from comment #1)
> (In reply to Marko Myllynen from comment #0)
> > Description of problem:
> > With something like
> > 
> > openshift_http_proxy=http://10.10.10.10:8080
> > openshift_https_proxy=http://10.10.10.10:8080
> > openshift_no_proxy=10.1.0.0/16,172.30.0.0/16,test.example.com
> > openshift_generate_no_proxy_hosts=True
> > 
> > we see that the above list of CIDRs/FQDNs + node names + .cluster.local are
> > configured in /etc/sysconfig/docker. However, since Docker NO_PROXY does not
> > support CIDRs docker-registry.default.svc.cluster.local should be added as
> > well.
> 
> Docker should match 'docker-registry.default.svc.cluster.local' to
> '.cluster.local'. Are you seeing that having '.cluster.local' isn't working
> as expected and preventing proxy use for the entire domain?

You're right, adding docker-registry.default.svc.cluster.local would indeed be redundant. I've tested this again and .example.com does match test.example.com etc.

Thanks.

Comment 3 Scott Dodson 2017-06-09 03:38:06 UTC
Looking at this again, this appears to already be the case based on https://github.com/openshift/openshift-ansible/pull/2753

Can you confirm if that's true or not? That change should exist in all versions of openshift-ansible-3.4.18-1 and newer.

Comment 4 Marko Myllynen 2017-06-19 07:52:33 UTC
(In reply to Scott Dodson from comment #3)
> Looking at this again this appears to already be the case based on
> https://github.com/openshift/openshift-ansible/pull/2753
> 
> Can you confirm if that's true or not? That change should exist in all
> versions of openshift-ansible-3.4.18-1 and newer.

Thanks, verified with openshift-ansible-playbooks-3.5.78-1.git.0.f7be576.el7.noarch, .cluster.local is added as described.

While testing this, I found two related issues which can be discussed elsewhere:

https://bugzilla.redhat.com/show_bug.cgi?id=1462651 - cosmetic
https://bugzilla.redhat.com/show_bug.cgi?id=1462652 - serious

Thanks,

Comment 5 Scott Dodson 2017-06-28 17:40:48 UTC
.svc and .cluster.local are now added to the no_proxy list, which effectively ensures that docker-registry.default.svc as configured in 3.6 and docker-registry.default.svc.cluster.local should not be proxied.

Moving this ON_QA

Comment 7 Johnny Liu 2017-06-29 02:45:44 UTC
Verified this bug with openshift-ansible-3.6.123.1002-1.git.0.506cfa7.el7.noarch, and PASS.


# docker info
<--snip-->
Http Proxy: http://file.rdu.redhat.com:3128
Https Proxy: http://file.rdu.redhat.com:3128
No Proxy: .cluster.local,.svc,169.254.169.254,openshift-102.lab.sjc.redhat.com,openshift-106.lab.sjc.redhat.com,openshift-136.lab.sjc.redhat.com,openshift-137.lab.sjc.redhat.com,openshift-139.lab.sjc.redhat.com,openshift-141.lab.sjc.redhat.com,openshift-154.lab.sjc.redhat.com
<--snip-->

# cat /etc/sysconfig/atomic-openshift-master-api
OPTIONS=--loglevel=5 --listen=https://0.0.0.0:443 --master=https://openshift-154.lab.sjc.redhat.com
CONFIG_FILE=/etc/origin/master/master-config.yaml
OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000
IMAGE_VERSION=v3.6.126


# Proxy configuration
# See https://docs.openshift.com/enterprise/latest/install_config/install/advanced_install.html#configuring-global-proxy
HTTP_PROXY=http://file.rdu.redhat.com:3128
HTTPS_PROXY=http://file.rdu.redhat.com:3128
NO_PROXY=.cluster.local,.svc,169.254.169.254,openshift-102.lab.sjc.redhat.com,openshift-106.lab.sjc.redhat.com,openshift-136.lab.sjc.redhat.com,openshift-137.lab.sjc.redhat.com,openshift-139.lab.sjc.redhat.com,openshift-141.lab.sjc.redhat.com,openshift-154.lab.sjc.redhat.com,172.31.0.0/16,10.2.0.0/16


# cat /etc/sysconfig/atomic-openshift-master-controllers
OPTIONS=--loglevel=5 --listen=https://0.0.0.0:8444
CONFIG_FILE=/etc/origin/master/master-config.yaml
OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000
IMAGE_VERSION=v3.6.126


# Proxy configuration
# See https://docs.openshift.com/enterprise/latest/install_config/install/advanced_install.html#configuring-global-proxy
HTTP_PROXY=http://file.rdu.redhat.com:3128
HTTPS_PROXY=http://file.rdu.redhat.com:3128
NO_PROXY=.cluster.local,.svc,169.254.169.254,openshift-102.lab.sjc.redhat.com,openshift-106.lab.sjc.redhat.com,openshift-136.lab.sjc.redhat.com,openshift-137.lab.sjc.redhat.com,openshift-139.lab.sjc.redhat.com,openshift-141.lab.sjc.redhat.com,openshift-154.lab.sjc.redhat.com,172.31.0.0/16,10.2.0.0/16
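
Added example (not part of the original report or of openshift-ansible): a Python model of the suffix-only NO_PROXY matching discussed in comments 0 to 2, for checking whether the registry names would bypass the proxy. The matching rules, the :5000 port on the .cluster.local name and the service IP 172.30.1.1 are assumptions; the NO_PROXY strings are taken from the description and, abbreviated, from the docker info output above.

```python
import ipaddress

# openshift_no_proxy from the description, without generated host entries.
INVENTORY_ONLY = "10.1.0.0/16,172.30.0.0/16,test.example.com"
# Abbreviated from the verified "docker info" output in comment 7.
VERIFIED = ".cluster.local,.svc,169.254.169.254,openshift-154.lab.sjc.redhat.com"
# Registry names from the page plus a constructed service IP in 172.30.0.0/16.
TARGETS = [
    "docker-registry.default.svc:5000",
    "docker-registry.default.svc.cluster.local:5000",
    "172.30.1.1:5000",
]

def split_host(target):
    """Strip an optional :port from 'host' or 'host:port' (hostnames and IPv4)."""
    host, sep, port = target.rpartition(":")
    return (host if sep and port.isdigit() else target).lower().rstrip(".")

def is_cidr(entry):
    """True for entries such as 10.1.0.0/16."""
    if "/" not in entry:
        return False
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False

def matching_entry(target, no_proxy):
    """Return the NO_PROXY entry that exempts target, or None if it is proxied."""
    host = split_host(target)
    for raw in no_proxy.split(","):
        entry = raw.strip().lower()
        if not entry or is_cidr(entry):
            continue  # assumption from the report: CIDR entries are not honoured
        bare = entry.lstrip(".")
        # Exact host match, or the entry is a parent domain of the host.
        if entry == "*" or host == bare or host.endswith("." + bare):
            return raw.strip()
    return None

def audit(no_proxy, targets=TARGETS):
    """Map each target to the entry that exempts it (None means proxied)."""
    return {t: matching_entry(t, no_proxy) for t in targets}

def ignored_cidrs(no_proxy):
    """List the entries a suffix-only client would silently skip."""
    return [e.strip() for e in no_proxy.split(",") if is_cidr(e.strip())]
```

Any target that audit() maps to None would be sent to the configured proxy under this model, which is the case for the service IP even with the verified list.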

Comment 9 errata-xmlrpc 2017-08-10 05:17:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716

