Bug 1467776 - .svc should be added to no_proxy list by default
Summary: .svc should be added to no_proxy list by default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 3.7.0
Assignee: Tim Bielawa
QA Contact: Gaoyun Pei
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-07-05 06:03 UTC by Gaoyun Pei
Modified: 2017-11-28 22:00 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: OpenShift Ansible facts were not adding the '.svc' domain to the NO_PROXY settings. Consequence: Users behind proxies were unable to push to the registry by DNS. Fix: Added the '.svc' domain to the OpenShift Ansible facts code which generates the NO_PROXY settings string. Result: Users behind a proxy can now push to the registry by DNS.
Clone Of:
Environment:
Last Closed: 2017-11-28 22:00:15 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3188 0 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update 2017-11-29 02:34:54 UTC

Description Gaoyun Pei 2017-07-05 06:03:31 UTC
Description of problem:
Set up an ocp-3.6 cluster behind a proxy; after installation, found that it failed to
push an image to docker-registry.
[root@openshift-138 ~]# oc logs nodejs-mongodb-example-1-build -n install-test
<snip>
Pushing image docker-registry.default.svc:5000/install-test/nodejs-mongodb-example:latest ...
Registry server Address: 
Registry server User Name: serviceaccount
Registry server Email: serviceaccount
Registry server Password: <<non-empty>>
error: build error: Failed to push image: Get https://docker-registry.default.svc:5000/v1/_ping: Forbidden

[root@openshift-138 ~]# docker info |grep "No Proxy"
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
No Proxy: .cluster.local,169.254.169.254,openshift-138.x.com,openshift-144.x.com,openshift-145.x.com,openshift-148.x.com,openshift-151.x.com


Version-Release number of selected component (if applicable):
openshift-ansible-3.6.133-1.git.0.950bb48.el7.noarch.rpm

How reproducible:
Always

Steps to Reproduce:
1. Build ocp-3.6 env behind proxy with the following options in inventory:
openshift_http_proxy=http://xxx.redhat.com:x
openshift_https_proxy=http://xxx.redhat.com:x
openshift_no_proxy="169.254.169.254"


Actual results:
See Description

Expected results:


Additional info:

Comment 1 Gaoyun Pei 2017-07-05 06:04:28 UTC
This bug blocks the testing on 3.6 env behind proxy.

Comment 2 Tim Bielawa 2017-07-05 13:32:37 UTC
Fix submitted here 

https://github.com/openshift/openshift-ansible/pull/4678

Comment 4 Gaoyun Pei 2017-07-06 08:49:19 UTC
Verified this bug with openshift-ansible-3.6.135-1.git.0.5533fe3.el7.noarch

.svc domain was added into service env file after installation.

[root@qe-gpei-etcd-sc-master-1 sysconfig]# grep NO_PROXY * -r
atomic-openshift-master:NO_PROXY=.cluster.local,.svc,qe-gpei-etcd-sc-master-1,172.30.0.0/16,10.128.0.0/14
docker:NO_PROXY='.cluster.local,.svc,qe-gpei-etcd-sc-master-1'
[root@qe-gpei-etcd-sc-master-1 sysconfig]# docker info |grep "No Proxy"
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
No Proxy: .cluster.local,.svc,qe-gpei-etcd-sc-master-1
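
An added example (not part of the bug report or of openshift-ansible): a simplified NO_PROXY matcher run against the values shown in this report, listing which cluster-internal endpoints would still be sent to the proxy. It assumes Go-style matching (suffix match for domain entries, CIDR match for IP literals); the `.svc.cluster.local` name and the 172.30.1.1 address are constructed sample inputs.

```python
import ipaddress

# NO_PROXY values copied from the report; HOSTS beyond the first are constructed samples.
BEFORE = (".cluster.local,169.254.169.254,openshift-138.x.com,openshift-144.x.com,"
          "openshift-145.x.com,openshift-148.x.com,openshift-151.x.com")
AFTER_DOCKER = ".cluster.local,.svc,qe-gpei-etcd-sc-master-1"
AFTER_MASTER = ".cluster.local,.svc,qe-gpei-etcd-sc-master-1,172.30.0.0/16,10.128.0.0/14"
HOSTS = ["docker-registry.default.svc:5000",
         "docker-registry.default.svc.cluster.local:5000",  # constructed
         "172.30.1.1:5000"]                                 # constructed service IP

def _split_port(hostport):
    # "name:5000" -> "name"; bare IPv6 literals are out of scope for this sketch
    host, sep, port = hostport.rpartition(":")
    return host if sep and port.isdigit() else hostport

def bypasses_proxy(hostport, no_proxy):
    """True if the host matches an entry of a comma-separated NO_PROXY value.
    Assumed semantics: '.svc' matches subdomains only, 'svc' matches the name
    and its subdomains, 'a.b.c.d/n' matches IP literals inside that network."""
    host = _split_port(hostport).lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for entry in no_proxy.split(","):
        entry = entry.strip().strip("'\"").lower()
        if not entry:
            continue
        if entry == "*":
            return True
        if "/" in entry:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue  # malformed CIDR entry: ignore it
            if ip is not None and ip in net:
                return True
            continue
        suffix = entry.lstrip(".")
        if (host == suffix and not entry.startswith(".")) or host.endswith("." + suffix):
            return True
    return False

def proxied_hosts(no_proxy, hosts):
    # Endpoints that would NOT bypass the proxy under this NO_PROXY value
    return [h for h in hosts if not bypasses_proxy(h, no_proxy)]
```

Under these assumptions, the pre-fix list sends `docker-registry.default.svc:5000` to the proxy, while the post-fix docker value bypasses it; only the master value, which carries the CIDR entries, also covers the service IP.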

Comment 8 errata-xmlrpc 2017-11-28 22:00:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

