Bug 1467776 - .svc should be added to no_proxy list by default
.svc should be added to no_proxy list by default
Status: VERIFIED
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer (Show other bugs)
3.6.0
Unspecified Unspecified
high Severity high
: ---
: 3.7.0
Assigned To: Tim Bielawa
Gaoyun Pei
: Regression, TestBlocker
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-05 02:03 EDT by Gaoyun Pei
Modified: 2017-10-05 13:47 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: OpenShift Ansible facts was now adding the 'svc' domain to the NO_PROXY settings. Consequence: Users behind proxies are unable to push to registry by DNS. Fix: Added the '.svc' domain to the openshift ansible facts code which generates the NO_PROXY settings string. Result: Users behind a proxy can now push to registry by DNS.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Gaoyun Pei 2017-07-05 02:03:31 EDT
Description of problem:
Setup an ocp-3.6 cluster behind proxy, after installation, found it's failed to 
push image to docker-registry
[root@openshift-138 ~]# oc logs nodejs-mongodb-example-1-build -n install-test
<snip>
Pushing image docker-registry.default.svc:5000/install-test/nodejs-mongodb-example:latest ...
Registry server Address: 
Registry server User Name: serviceaccount
Registry server Email: serviceaccount@example.org
Registry server Password: <<non-empty>>
error: build error: Failed to push image: Get https://docker-registry.default.svc:5000/v1/_ping: Forbidden

[root@openshift-138 ~]# docker info |grep "No Proxy"
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
No Proxy: .cluster.local,169.254.169.254,openshift-138.x.com,openshift-144.x.com,openshift-145.x.com,openshift-148.x.com,openshift-151.x.com


Version-Release number of selected component (if applicable):
openshift-ansible-3.6.133-1.git.0.950bb48.el7.noarch.rpm

How reproducible:
Always

Steps to Reproduce:
1. Build ocp-3.6 env behind proxy with the following options in inventory:
openshift_http_proxy=http://xxx.redhat.com:x
openshift_https_proxy=http://xxx.redhat.com:x
openshift_no_proxy="169.254.169.254"


Actual results:
See Description

Expected results:


Additional info:
Comment 1 Gaoyun Pei 2017-07-05 02:04:28 EDT
This bug blocks the testing on 3.6 env behind proxy.
Comment 2 Tim Bielawa 2017-07-05 09:32:37 EDT
Fix submitted here 

https://github.com/openshift/openshift-ansible/pull/4678
Comment 4 Gaoyun Pei 2017-07-06 04:49:19 EDT
Verify this bug with openshift-ansible-3.6.135-1.git.0.5533fe3.el7.noarch

.svc domain was added into service env file after installation.

[root@qe-gpei-etcd-sc-master-1 sysconfig]# grep NO_PROXY * -r
atomic-openshift-master:NO_PROXY=.cluster.local,.svc,qe-gpei-etcd-sc-master-1,172.30.0.0/16,10.128.0.0/14
docker:NO_PROXY='.cluster.local,.svc,qe-gpei-etcd-sc-master-1'
[root@qe-gpei-etcd-sc-master-1 sysconfig]# docker info |grep "No Proxy"
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
No Proxy: .cluster.local,.svc,qe-gpei-etcd-sc-master-1

Note You need to log in before you can comment on or make changes to this bug.