Description of problem:

With something like

openshift_http_proxy=http://10.10.10.10:8080
openshift_https_proxy=http://10.10.10.10:8080
openshift_no_proxy=10.1.0.0/16,172.30.0.0/16,test.example.com
openshift_generate_no_proxy_hosts=True

we see that the above list of CIDRs/FQDNs + node names + .cluster.local are configured in /etc/sysconfig/docker. However, since Docker NO_PROXY does not support CIDRs docker-registry.default.svc.cluster.local should be added as well.

Perhaps .cluster.local and docker-registry.default.svc.cluster.local should be added even if openshift_generate_no_proxy_hosts=True is not set.
(In reply to Marko Myllynen from comment #0)
> Description of problem:
> With something like
>
> openshift_http_proxy=http://10.10.10.10:8080
> openshift_https_proxy=http://10.10.10.10:8080
> openshift_no_proxy=10.1.0.0/16,172.30.0.0/16,test.example.com
> openshift_generate_no_proxy_hosts=True
>
> we see that the above list of CIDRs/FQDNs + node names + .cluster.local are
> configured in /etc/sysconfig/docker. However, since Docker NO_PROXY does not
> support CIDRs docker-registry.default.svc.cluster.local should be added as
> well.

Docker should match 'docker-registry.default.svc.cluster.local' to '.cluster.local'. Are you seeing that having '.cluster.local' isn't working as expected and preventing proxy use for the entire domain?

> Perhaps .cluster.local and docker-registry.default.svc.cluster.local should
> be added even if openshift_generate_no_proxy_hosts=True is not set.

I'm fine with adding .cluster.local no matter what.

Proposed fix https://github.com/openshift/openshift-ansible/pull/3131
(In reply to Scott Dodson from comment #1)
> (In reply to Marko Myllynen from comment #0)
> > Description of problem:
> > With something like
> >
> > openshift_http_proxy=http://10.10.10.10:8080
> > openshift_https_proxy=http://10.10.10.10:8080
> > openshift_no_proxy=10.1.0.0/16,172.30.0.0/16,test.example.com
> > openshift_generate_no_proxy_hosts=True
> >
> > we see that the above list of CIDRs/FQDNs + node names + .cluster.local are
> > configured in /etc/sysconfig/docker. However, since Docker NO_PROXY does not
> > support CIDRs docker-registry.default.svc.cluster.local should be added as
> > well.
>
> Docker should match 'docker-registry.default.svc.cluster.local' to
> '.cluster.local'. Are you seeing that having '.cluster.local' isn't working
> as expected and preventing proxy use for the entire domain?

You're right, adding docker-registry.default.svc.cluster.local would indeed be redundant, I've tested this again and .example.com does match test.example.com etc.

Thanks.
Looking at this again this appears to already be the case based on https://github.com/openshift/openshift-ansible/pull/2753

Can you confirm if that's true or not? That change should exist in all versions of openshift-ansible-3.4.18-1 and newer.
(In reply to Scott Dodson from comment #3)
> Looking at this again this appears to already be the case based on
> https://github.com/openshift/openshift-ansible/pull/2753
>
> Can you confirm if that's true or not? That change should exist in all
> versions of openshift-ansible-3.4.18-1 and newer.

Thanks, verified with openshift-ansible-playbooks-3.5.78-1.git.0.f7be576.el7.noarch, .cluster.local is added as described.

While testing this, I found two related issues which can be discussed elsewhere:

https://bugzilla.redhat.com/show_bug.cgi?id=1462651 - cosmetic
https://bugzilla.redhat.com/show_bug.cgi?id=1462652 - serious

Thanks,
.svc and .cluster.local are now added to the no_proxy list which effectively ensures that docker-registry.default.svc as configured in 3.6 and docker-registry.default.svc.cluster.local should not be proxied.

Moving this ON_QA
Verified this bug with openshift-ansible-3.6.123.1002-1.git.0.506cfa7.el7.noarch, and PASS.

# docker info
<--snip-->
Http Proxy: http://file.rdu.redhat.com:3128
Https Proxy: http://file.rdu.redhat.com:3128
No Proxy: .cluster.local,.svc,169.254.169.254,openshift-102.lab.sjc.redhat.com,openshift-106.lab.sjc.redhat.com,openshift-136.lab.sjc.redhat.com,openshift-137.lab.sjc.redhat.com,openshift-139.lab.sjc.redhat.com,openshift-141.lab.sjc.redhat.com,openshift-154.lab.sjc.redhat.com
<--snip-->

# cat /etc/sysconfig/atomic-openshift-master-api
OPTIONS=--loglevel=5 --listen=https://0.0.0.0:443 --master=https://openshift-154.lab.sjc.redhat.com
CONFIG_FILE=/etc/origin/master/master-config.yaml
OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000
IMAGE_VERSION=v3.6.126
# Proxy configuration
# See https://docs.openshift.com/enterprise/latest/install_config/install/advanced_install.html#configuring-global-proxy
HTTP_PROXY=http://file.rdu.redhat.com:3128
HTTPS_PROXY=http://file.rdu.redhat.com:3128
NO_PROXY=.cluster.local,.svc,169.254.169.254,openshift-102.lab.sjc.redhat.com,openshift-106.lab.sjc.redhat.com,openshift-136.lab.sjc.redhat.com,openshift-137.lab.sjc.redhat.com,openshift-139.lab.sjc.redhat.com,openshift-141.lab.sjc.redhat.com,openshift-154.lab.sjc.redhat.com,172.31.0.0/16,10.2.0.0/16

# cat /etc/sysconfig/atomic-openshift-master-controllers
OPTIONS=--loglevel=5 --listen=https://0.0.0.0:8444
CONFIG_FILE=/etc/origin/master/master-config.yaml
OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000
IMAGE_VERSION=v3.6.126
# Proxy configuration
# See https://docs.openshift.com/enterprise/latest/install_config/install/advanced_install.html#configuring-global-proxy
HTTP_PROXY=http://file.rdu.redhat.com:3128
HTTPS_PROXY=http://file.rdu.redhat.com:3128
NO_PROXY=.cluster.local,.svc,169.254.169.254,openshift-102.lab.sjc.redhat.com,openshift-106.lab.sjc.redhat.com,openshift-136.lab.sjc.redhat.com,openshift-137.lab.sjc.redhat.com,openshift-139.lab.sjc.redhat.com,openshift-141.lab.sjc.redhat.com,openshift-154.lab.sjc.redhat.com,172.31.0.0/16,10.2.0.0/16
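
A small checker for the matching behaviour discussed in this thread, added here as an example (not code from openshift-ansible or Docker). It assumes a simplified suffix-only model in which CIDR entries are ignored, as the reporter describes; the function names, the host list and the service IP 172.30.1.1 are constructed for illustration.

```python
import ipaddress

def split_no_proxy(value):
    """Split a NO_PROXY string into (name/suffix entries, CIDR entries)."""
    names, cidrs = [], []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        if "/" in entry:
            try:
                ipaddress.ip_network(entry, strict=False)
                cidrs.append(entry)   # valid CIDR: unusable by a suffix matcher
                continue
            except ValueError:
                pass                  # contains "/" but is not a network: treat as a name
        names.append(entry.lower())
    return names, cidrs

def bypasses_proxy(host, names):
    """Assumed model: exact match, or match on a dot-delimited domain suffix."""
    host = host.lower().rsplit(":", 1)[0] if ":" in host else host.lower()
    for name in names:
        bare = name.lstrip(".")
        if host == bare or host.endswith("." + bare):
            return True
    return False

def audit(no_proxy, hosts):
    """Report CIDR entries the matcher ignores and hosts that would still be proxied."""
    names, cidrs = split_no_proxy(no_proxy)
    return {
        "ignored_cidrs": cidrs,
        "proxied": [h for h in hosts if not bypasses_proxy(h, names)],
    }

# Inventory value from comment #0, and the same value with the two suffixes added.
BEFORE = "10.1.0.0/16,172.30.0.0/16,test.example.com"
AFTER = BEFORE + ",.cluster.local,.svc"

# Constructed registry endpoints: long name, short name, and a service IP.
HOSTS = [
    "docker-registry.default.svc.cluster.local:5000",
    "docker-registry.default.svc:5000",
    "172.30.1.1:5000",
]

if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(value, HOSTS))
```

Under this model the two suffix entries cover both registry names, while a registry reached by its service IP would still be sent to the proxy because the CIDR entries are not evaluated.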
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716