Bug 1882518 - yum Received HTTP code 407 from proxy after CONNECT
Status: CLOSED WORKSFORME
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 4.5
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.7.0
Assignee: Adam Kaplan
QA Contact: wewang
Reported: 2020-09-24 19:22 UTC by Dan Seals
Modified: 2020-10-08 12:57 UTC (History)
Last Closed: 2020-10-01 14:20:57 UTC

Description Dan Seals 2020-09-24 19:22:59 UTC
Description of problem:
When the system-wide proxy settings are set to use an authenticated HTTP proxy, yum install within the build fails with "Received HTTP code 407 from proxy after CONNECT".

When the system-wide proxy settings are set to use a non-authenticated HTTP proxy, yum installs within the build succeed.

Result when setting the system-wide proxy to: http://CorpSvc_PasProxyAccess:mypassword@some_server.net:80

Build log:

~~~
Replaced Dockerfile FROM image registry.redhat.io/rhel8/nginx-116
Caching blobs under "/var/cache/blobs".

Pulling image redhat-io.artifactory.parallon.com/rhel8/nginx-116@sha256:8ba23c79c79b0e218ba72b3180424c1e300134375a4fd7eff532015b3b2fdf0d ...
Getting image source signatures
Copying blob sha256:d9fd79de68f8bb285163628a6810c630a979ba67f59cbbf0c4d73fdc0b3880d5
Copying blob sha256:77c58f19bd6e67185938abb6bbb6ec229e07a5e607453904294d982de141d2f0
Copying blob sha256:47db82df7f3f4393c1f19c362a2db2c47ca049b6fb20bef041dfc9bdb12a4504
Copying blob sha256:71391dc11a78542160544b68e45bc123ff55a2e84aeb6fa99b672d75765bc2f8
Copying config sha256:e1752366209efe737dcd908f619f6900a0ab92cb40a967aee1fe24baa9678176
Writing manifest to image destination
Storing signatures
STEP 1: FROM redhat-io.artifactory.parallon.com/rhel8/nginx-116@sha256:8ba23c79c79b0e218ba72b3180424c1e300134375a4fd7eff532015b3b2fdf0d
STEP 2: USER root
time="2020-08-25T15:15:05Z" level=info msg="Image operating system mismatch: image uses \"\", expecting \"linux\""
time="2020-08-25T15:15:05Z" level=info msg="Image architecture mismatch: image uses \"\", expecting \"amd64\""
--> 0def5c89fc0
STEP 3: RUN yum -y install --disableplugin=subscription-manager python3 &&     pip3 install j2cli[yaml] &&     sed -i 's/ln -s /ln -sf /g' /usr/libexec/s2i/run  &&     yum clean all &&     rm -fr /var/cache/yum/* /tmp/*
Red Hat Universal Base Image 8 (RPMs) - BaseOS  0.0  B/s |   0  B     00:00
Errors during downloading metadata for repository 'ubi-8-baseos':
  - Curl error (56): Failure when receiving data from the peer for https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/baseos/os/repodata/repomd.xml [Received HTTP code 407 from proxy after CONNECT]
Error: Failed to download metadata for repo 'ubi-8-baseos': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
subprocess exited with status 1
subprocess exited with status 1
error: build error: error building at STEP "RUN yum -y install --disableplugin=subscription-manager python3 &&     pip3 install j2cli[yaml] &&     sed -i 's/ln -s /ln -sf /g' /usr/libexec/s2i/run  &&     yum clean all &&     rm -fr /var/cache/yum/* /tmp/*": exit status 1

~~~

Comment 1 Adam Kaplan 2020-09-25 14:41:47 UTC
Can you please verify that the HTTP_PROXY and HTTPS_PROXY environment variables are set properly within the build container? You can do this with the following Dockerfile:

```
FROM registry.access.redhat.com/ubi8/ubi:latest

RUN echo $HTTP_PROXY
RUN echo $HTTPS_PROXY
```

I suspect that these environment variables are present, but either a) do not have the correct username:password, or b) there is a configuration issue with the proxy.

Comment 2 Adam Kaplan 2020-10-01 14:20:57 UTC
Cannot reproduce on 4.5 CI cluster with authenticated proxy.

Proxy settings (note - this is an authenticated MITM proxy with a self-signed certificate):

```
$ oc get proxy/cluster -o yaml
kind: Proxy
apiVersion: config.openshift.io/v1
metadata:
  name: cluster
...
spec:
  httpProxy: http://<user>:<password>@<proxy-ip>:<proxy-port>/
  httpsProxy: http://<user>:<password>@<proxy-ip>:<proxy-port>/
  trustedCA:
    name: user-ca-bundle
```

BuildConfig:

```
$ oc new-build https://github.com/sclorg/nginx-ex.git --name rhel8-nginx -D $'FROM registry.redhat.io/rhel8/nginx-116\nUSER root\nRUN yum -y install --disableplugin=subscription-manager python3\nUSER 1001'
```

Comment 4 Pietro Bertera 2020-10-08 07:30:47 UTC
Just for the record: by default dnf (yum) has the option `proxy_auth_method` set to `auto`.

This makes dnf discover the authentication method required by the server:
- dnf sends the first request without the `Proxy-Authorization` header
- the proxy should answer with a 407 containing the `Proxy-Authenticate` header with the authentication type required
- dnf sends the request with all the authentication headers needed

If the proxy does not send the `Proxy-Authenticate` header, dnf cannot continue the authentication and terminates.

Setting `proxy_auth_method` to the proper method makes dnf send the authorization headers with the first request.
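
The discovery flow described in the comment above, as an added example that is not part of the original bug report or of dnf itself: it builds the CONNECT request with and without credentials and classifies a proxy reply to show why a 407 without `Proxy-Authenticate` ends the exchange. The function names and the sample replies are constructed for illustration.

```python
# Added example (not from the bug report): classify a proxy's reply to CONNECT
# following the discovery flow described in comment 4. Replies are constructed.
import base64


def connect_request(host, port, user=None, password=None):
    """Build a CONNECT request; credentials add a Basic Proxy-Authorization."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def diagnose(raw_reply):
    """Return (status, offered_schemes, verdict) for a raw proxy reply."""
    head = raw_reply.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    schemes = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    if status != 407:
        verdict = "tunnel established" if 200 <= status < 300 else "not a proxy-auth failure"
    elif schemes:
        verdict = "discovery can proceed: retry with " + "/".join(schemes)
    else:
        verdict = "no Proxy-Authenticate: discovery stops; set proxy_auth_method explicitly"
    return status, schemes, verdict


# Constructed replies: a proxy that challenges properly, and one that does not.
CHALLENGE = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
             b'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')
SILENT = b"HTTP/1.1 407 Proxy Authentication Required\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(connect_request("cdn-ubi.redhat.com", 443).decode(), end="")
    for name, reply in (("challenge", CHALLENGE), ("silent", SILENT)):
        print(name, diagnose(reply))
```

Feeding it the raw header block captured from the proxy's reply (for example from verbose client output) separates a wrong-credentials problem from a proxy that never advertises its scheme.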

