Bug 1467776 - .svc should be added to no_proxy list by default
Summary: .svc should be added to no_proxy list by default
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.7.0
Assignee: Tim Bielawa
QA Contact: Gaoyun Pei
Depends On:
TreeView+ depends on / blocked
Reported: 2017-07-05 06:03 UTC by Gaoyun Pei
Modified: 2017-11-28 22:00 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: OpenShift Ansible facts was now adding the 'svc' domain to the NO_PROXY settings. Consequence: Users behind proxies are unable to push to registry by DNS. Fix: Added the '.svc' domain to the openshift ansible facts code which generates the NO_PROXY settings string. Result: Users behind a proxy can now push to registry by DNS.
Clone Of:
Last Closed: 2017-11-28 22:00:15 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3188 0 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update 2017-11-29 02:34:54 UTC

Description Gaoyun Pei 2017-07-05 06:03:31 UTC
Description of problem:
Setup an ocp-3.6 cluster behind proxy, after installation, found it's failed to 
push image to docker-registry
[root@openshift-138 ~]# oc logs nodejs-mongodb-example-1-build -n install-test
Pushing image docker-registry.default.svc:5000/install-test/nodejs-mongodb-example:latest ...
Registry server Address: 
Registry server User Name: serviceaccount
Registry server Email: serviceaccount@example.org
Registry server Password: <<non-empty>>
error: build error: Failed to push image: Get https://docker-registry.default.svc:5000/v1/_ping: Forbidden

[root@openshift-138 ~]# docker info |grep "No Proxy"
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
No Proxy: .cluster.local,,openshift-138.x.com,openshift-144.x.com,openshift-145.x.com,openshift-148.x.com,openshift-151.x.com

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Build ocp-3.6 env behind proxy with the following options in inventory:

Actual results:
See Description

Expected results:

Additional info:

Comment 1 Gaoyun Pei 2017-07-05 06:04:28 UTC
This bug blocks the testing on 3.6 env behind proxy.

Comment 2 Tim Bielawa 2017-07-05 13:32:37 UTC
Fix submitted here 


Comment 4 Gaoyun Pei 2017-07-06 08:49:19 UTC
Verify this bug with openshift-ansible-3.6.135-1.git.0.5533fe3.el7.noarch

.svc domain was added into service env file after installation.

[root@qe-gpei-etcd-sc-master-1 sysconfig]# grep NO_PROXY * -r
[root@qe-gpei-etcd-sc-master-1 sysconfig]# docker info |grep "No Proxy"
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
No Proxy: .cluster.local,.svc,qe-gpei-etcd-sc-master-1

Comment 8 errata-xmlrpc 2017-11-28 22:00:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.