Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1882518

Summary: yum Received HTTP code 407 from proxy after CONNECT
Product: OpenShift Container Platform Reporter: Dan Seals <dseals>
Component: BuildAssignee: Adam Kaplan <adam.kaplan>
Status: CLOSED WORKSFORME QA Contact: wewang <wewang>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.5CC: aos-bugs, kelly.brown1, pbertera, wzheng
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-01 14:20:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dan Seals 2020-09-24 19:22:59 UTC 
Description of problem:
Setting the system wide proxy settings to use an authenticated http proxy, with in the build, yum install fails with "Received HTTP code 407 from proxy after CONNECT"

Setting the system wide proxy setting to use a non authenticated http proxy, with in the build, yum installs will succeed.

Result with setting the system wide proxy to: http://CorpSvc_PasProxyAccess:mypassword@some_server.net:80

~~~
Build log:
~~~
Replaced Dockerfile FROM image registry.redhat.io/rhel8/nginx-116
Caching blobs under "/var/cache/blobs".

Pulling image redhat-io.artifactory.parallon.com/rhel8/nginx-116@sha256:8ba23c79c79b0e218ba72b3180424c1e300134375a4fd7eff532015b3b2fdf0d ...
Getting image source signatures
Copying blob sha256:d9fd79de68f8bb285163628a6810c630a979ba67f59cbbf0c4d73fdc0b3880d5
Copying blob sha256:77c58f19bd6e67185938abb6bbb6ec229e07a5e607453904294d982de141d2f0
Copying blob sha256:47db82df7f3f4393c1f19c362a2db2c47ca049b6fb20bef041dfc9bdb12a4504
Copying blob sha256:71391dc11a78542160544b68e45bc123ff55a2e84aeb6fa99b672d75765bc2f8
Copying config sha256:e1752366209efe737dcd908f619f6900a0ab92cb40a967aee1fe24baa9678176
Writing manifest to image destination
Storing signatures
STEP 1: FROM redhat-io.artifactory.parallon.com/rhel8/nginx-116@sha256:8ba23c79c79b0e218ba72b3180424c1e300134375a4fd7eff532015b3b2fdf0d
STEP 2: USER root
time="2020-08-25T15:15:05Z" level=info msg="Image operating system mismatch: image uses \"\", expecting \"linux\""
time="2020-08-25T15:15:05Z" level=info msg="Image architecture mismatch: image uses \"\", expecting \"amd64\""
--> 0def5c89fc0
STEP 3: RUN yum -y install --disableplugin=subscription-manager python3 &&     pip3 install j2cli[yaml] &&     sed -i 's/ln -s /ln -sf /g' /usr/libexec/s2i/run  &&     yum clean all &&     rm -fr /var/cache/yum/* /tmp/*
Red Hat Universal Base Image 8 (RPMs) - BaseOS  0.0  B/s |   0  B     00:00
Errors during downloading metadata for repository 'ubi-8-baseos':
  - Curl error (56): Failure when receiving data from the peer for https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/baseos/os/repodata/repomd.xml [Received HTTP code 407 from proxy after CONNECT]
Error: Failed to download metadata for repo 'ubi-8-baseos': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
subprocess exited with status 1
subprocess exited with status 1
error: build error: error building at STEP "RUN yum -y install --disableplugin=subscription-manager python3 &&     pip3 install j2cli[yaml] &&     sed -i 's/ln -s /ln -sf /g' /usr/libexec/s2i/run  &&     yum clean all &&     rm -fr /var/cache/yum/* /tmp/*": exit status 1

~~~
Comment 1 Adam Kaplan 2020-09-25 14:41:47 UTC 
Can you please verify that the HTTP_PROXY and HTTPS_PROXY environment variables are set properly within the build container? You can do this with the following Dockerfile:

```
FROM registry.access.redhat.com/ubi8/ubi:latest

RUN echo $HTTP_PROXY
RUN echo $HTTPS_PROXY
```

I suspect that these environment variables are present, but either a) do not have the correct username:password, or b) there is a configuration issue with the proxy.
Comment 2 Adam Kaplan 2020-10-01 14:20:57 UTC 
Cannot reproduce on 4.5 CI cluster with authenticated proxy.

Proxy settings (note - this is an authenticated MITM proxy with a self-signed certificate):

```
$ oc get proxy/cluster -o yaml
kind: Proxy
apiVersion: config.openshift.io/v1
metadata:
  name: cluster
...
spec:
  httpProxy: http://<user>:<password>@<proxy-ip>:<proxy-port>/
  httpsProxy: http://<user>:<password>@<proxy-ip>:<proxy-port>/
  trustedCA:
    name: user-ca-bundle
```

BuildConfig:

```
$ oc new-build https://github.com/sclorg/nginx-ex.git --name rhel8-nginx -D $'FROM registry.redhat.io/rhel8/nginx-116\nUSER root\nRUN yum -y install --disableplugin=subscription-manager python3\nUSER 1001'
```
Comment 4 Pietro Bertera 2020-10-08 07:30:47 UTC 
Just for the records: by default dnf (yum) has the option `proxy_auth_method` set to `auto`.

This makes dnf doing a discovery of the authentication method required by the server:
- dnf sends the first request without the `Proxy-Authorization`
- the proxy should answer with 407 containing the `Proxy-Authenticate` header with the authentication type required
- dnf sends the request with all the authentication headers needed

If the proxy do not send the `Proxy-Authenticate` dnf cannot continue the authentication and terminates.

Setting `proxy_auth_method` to the proper method makes dnf sending the authorization headers at the first request.