Description of problem:
---
- According to https://docs.openshift.com/container-platform/3.5/install_config/http_proxies.html#configuring-no-proxy, etcd IPs are not necessary to be added in master-controllers of NO_PROXY. However, we experienced an issue if there are no etcd's IP in NO_PROXY of /etc/sysconfig/atomic-openshift-master-controllers

Version-Release number of selected component (if applicable):
---
- OCP 3.5

Steps to Reproduce:
---
1. Install OCP 3.5 behind the proxy

Actual results:
---
- master-controllers keeps restarting with below error.

~~~
atomic-openshift-master-controllers[72302]: ; error #1: Forbidden
atomic-openshift-master-controllers[72302]: ; error #2: Forbidden
atomic-openshift-master-controllers[72302]: E0530 14:05:07.264674 72302 leaderlease.go:95] unable to check lease openshift.io/leases/controllers: Forbidden
atomic-openshift-master-controllers[72302]: E0530 14:05:07.295492 72302 leaderlease.go:87] client: etcd cluster is unavailable or misconfigured; error #0: Forbidden
~~~

Expected results:
---
- OCP should work without NO_PROXY config for the etcd IPs. Otherwise, Docs should mention about it.
- (However, /etc/origin.) urls: - https://knakayam-ose35-master1.example.com:2379 ....

Additional info:
---
- put the customers' logs in private.
I would expect the etcd hosts to be included in NO_PROXY for the openshift-master and openshift-master-controllers.

Not sure if this is docs or ansible or both.
Kenjiro, Reviewing the playbooks the etcd hosts should automatically be added to the NO_PROXY list, can you confirm whether or not the proxy variables were defined manually or by the installer?
Hi Scott, Jordan,

NO_PROXY had etcd's hostname, but it didn't have etcd's IP and we had to add it. Here is the short summary.

1. ansible inventory doesn't have NO_PROXY(=openshift_no_proxy) config for etcd's IP.
2. ansible inventory also doesn't have etcd's IPs, as it defines them as etcd's hostname.
3. After running ansible, NO_PROXY in /etc/sysconfig/atomic-openshift-master-controllers doesn't have etcd's IP.
4. After running ansible, NO_PROXY in /etc/sysconfig/atomic-openshift-master-controllers had etcd's hostname.
5. We had to _manually_ add NO_PROXY=<etcd *IPs*> in /etc/sysconfig/atomic-openshift-master-controllers

/etc/origin/master/master-config.yaml also had etcd's hostname, so I think IPs should not be necessary to be added. (But again, the proxy log showed the access, and it was fixed by adding etcd's IP.)
I think the etcd client prefers to connect to the IP address even if you've specified the endpoints using a hostname. We should make sure that the ip address of the etcd endpoints is added via the playbooks too.
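A check for the gap discussed in this thread, as an added example (not code from the bug report or from the installer playbooks): it lists the etcd hostnames and resolved IPs that the NO_PROXY line of a sysconfig-style file does not cover. The sample file contents, hostnames, IPs and function names are constructed, and NO_PROXY matching is assumed to be exact match or leading-dot domain suffix only.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed sample data (not taken from the bug report).
SAMPLE_SYSCONFIG = """\
HTTP_PROXY=http://proxy.example.com:3128
NO_PROXY=.cluster.local,master1.example.com,etcd1.example.com
"""
SAMPLE_ETCD_URLS = ["https://etcd1.example.com:2379", "https://etcd2.example.com:2379"]
SAMPLE_DNS = {"etcd1.example.com": ["192.0.2.11"], "etcd2.example.com": ["192.0.2.12"]}

def parse_no_proxy(sysconfig_text):
    """Return the comma-separated NO_PROXY entries from sysconfig-style text."""
    m = re.search(r"^\s*(?:export\s+)?NO_PROXY=(.*)$", sysconfig_text, re.M)
    if not m:
        return []
    value = m.group(1).strip().strip("\"'")
    return [e.strip().lower() for e in value.split(",") if e.strip()]

def covered(target, entries):
    """Assumed matching: exact entry, or ".domain" suffix; CIDR is not expanded."""
    target = target.lower().rstrip(".")
    for entry in entries:
        if target == entry.lstrip("."):
            return True
        if entry.startswith(".") and target.endswith(entry):
            return True
    return False

def resolve(host):
    """Default resolver: every address DNS returns for host (needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def missing_no_proxy(etcd_urls, sysconfig_text, resolver=resolve):
    """List etcd hostnames and their IPs that NO_PROXY does not cover."""
    entries = parse_no_proxy(sysconfig_text)
    missing = []
    for url in etcd_urls:
        host = urlsplit(url).hostname
        # Check the name and every address it resolves to.
        for target in [host, *resolver(host)]:
            if not covered(target, entries) and target not in missing:
                missing.append(target)
    return missing
```

On a master, pass the text of /etc/sysconfig/atomic-openshift-master-controllers and the etcd URLs from /etc/origin/master/master-config.yaml; an empty result means every etcd name and address is listed.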
Sounds great. Thank you Scott.
*** Bug 1459505 has been marked as a duplicate of this bug. ***
Scott, should this bug be cloned to the Installer?
(In reply to Brenton Leanhardt from comment #12)
> Scott, should this bug be cloned to the Installer?

Yeah, I think we have one already but on the off chance that we don't I'll go ahead and clone it and set it to 3.6.1.
See https://github.com/openshift/openshift-docs/pull/4720 for description of changes and links to preview docs.
Looks good to me! Sorry for the late response.
Published changes described in revhistory here: https://docs.openshift.com/container-platform/3.5/welcome/revhistory_full.html#fri-jul-07-2017