Description of problem: Setting the system wide proxy settings to use an authenticated http proxy, with in the build, yum install fails with "Received HTTP code 407 from proxy after CONNECT" Setting the system wide proxy setting to use a non authenticated http proxy, with in the build, yum installs will succeed. Result with setting the system wide proxy to: http://CorpSvc_PasProxyAccess:mypassword@some_server.net:80 ~~~ Build log: ~~~ Replaced Dockerfile FROM image registry.redhat.io/rhel8/nginx-116 Caching blobs under "/var/cache/blobs". Pulling image redhat-io.artifactory.parallon.com/rhel8/nginx-116@sha256:8ba23c79c79b0e218ba72b3180424c1e300134375a4fd7eff532015b3b2fdf0d ... Getting image source signatures Copying blob sha256:d9fd79de68f8bb285163628a6810c630a979ba67f59cbbf0c4d73fdc0b3880d5 Copying blob sha256:77c58f19bd6e67185938abb6bbb6ec229e07a5e607453904294d982de141d2f0 Copying blob sha256:47db82df7f3f4393c1f19c362a2db2c47ca049b6fb20bef041dfc9bdb12a4504 Copying blob sha256:71391dc11a78542160544b68e45bc123ff55a2e84aeb6fa99b672d75765bc2f8 Copying config sha256:e1752366209efe737dcd908f619f6900a0ab92cb40a967aee1fe24baa9678176 Writing manifest to image destination Storing signatures STEP 1: FROM redhat-io.artifactory.parallon.com/rhel8/nginx-116@sha256:8ba23c79c79b0e218ba72b3180424c1e300134375a4fd7eff532015b3b2fdf0d STEP 2: USER root time="2020-08-25T15:15:05Z" level=info msg="Image operating system mismatch: image uses \"\", expecting \"linux\"" time="2020-08-25T15:15:05Z" level=info msg="Image architecture mismatch: image uses \"\", expecting \"amd64\"" --> 0def5c89fc0 STEP 3: RUN yum -y install --disableplugin=subscription-manager python3 && pip3 install j2cli[yaml] && sed -i 's/ln -s /ln -sf /g' /usr/libexec/s2i/run && yum clean all && rm -fr /var/cache/yum/* /tmp/* Red Hat Universal Base Image 8 (RPMs) - BaseOS 0.0 B/s | 0 B 00:00 Errors during downloading metadata for repository 'ubi-8-baseos': - Curl error (56): Failure when receiving data from the peer for https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/baseos/os/repodata/repomd.xml [Received HTTP code 407 from proxy after CONNECT] Error: Failed to download metadata for repo 'ubi-8-baseos': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried subprocess exited with status 1 subprocess exited with status 1 error: build error: error building at STEP "RUN yum -y install --disableplugin=subscription-manager python3 && pip3 install j2cli[yaml] && sed -i 's/ln -s /ln -sf /g' /usr/libexec/s2i/run && yum clean all && rm -fr /var/cache/yum/* /tmp/*": exit status 1 ~~~
Can you please verify that the HTTP_PROXY and HTTPS_PROXY environment variables are set properly within the build container? You can do this with the following Dockerfile: ``` FROM registry.access.redhat.com/ubi8/ubi:latest RUN echo $HTTP_PROXY RUN echo $HTTPS_PROXY ``` I suspect that these environment variables are present, but either a) do not have the correct username:password, or b) there is a configuration issue with the proxy.
Cannot reproduce on 4.5 CI cluster with authenticated proxy. Proxy settings (note - this is an authenticated MITM proxy with a self-signed certificate): ``` $ oc get proxy/cluster -o yaml kind: Proxy apiVersion: config.openshift.io/v1 metadata: name: cluster ... spec: httpProxy: http://<user>:<password>@<proxy-ip>:<proxy-port>/ httpsProxy: http://<user>:<password>@<proxy-ip>:<proxy-port>/ trustedCA: name: user-ca-bundle ``` BuildConfig: ``` $ oc new-build https://github.com/sclorg/nginx-ex.git --name rhel8-nginx -D $'FROM registry.redhat.io/rhel8/nginx-116\nUSER root\nRUN yum -y install --disableplugin=subscription-manager python3\nUSER 1001' ```
Just for the records: by default dnf (yum) has the option `proxy_auth_method` set to `auto`. This makes dnf doing a discovery of the authentication method required by the server: - dnf sends the first request without the `Proxy-Authorization` - the proxy should answer with 407 containing the `Proxy-Authenticate` header with the authentication type required - dnf sends the request with all the authentication headers needed If the proxy do not send the `Proxy-Authenticate` dnf cannot continue the authentication and terminates. Setting `proxy_auth_method` to the proper method makes dnf sending the authorization headers at the first request.