Bug 1990556 - get-resources.sh doesn't honor the no_proxy settings even with no_proxy var
Summary: get-resources.sh doesn't honor the no_proxy settings even with no_proxy var
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Bare Metal Hardware Provisioning
Version: 4.8
Hardware: All
OS: All
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.10.0
Assignee: Derek Higgins
QA Contact: Victor Voronkov
URL:
Whiteboard:
Depends On:
Blocks: 2020546
 
Reported: 2021-08-05 15:58 UTC by Pamela Escorza
Modified: 2022-06-21 06:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: curl (used by the machine downloader image) doesn't support CIDRs in no_proxy.
Consequence: any CIDR added to noProxy is ignored when downloading the RHCOS image.
Fix: proxies are now removed from the environment, if appropriate, before calling curl.
Result: when downloading the machine image, the value of NO_PROXY is no longer ignored.
Clone Of:
: 2020546 (view as bug list)
Environment:
Last Closed: 2022-03-12 04:37:00 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift ironic-rhcos-downloader pull 65 | 0 | None | open | Bug 1990556: Clear proxy env variables if go would have | 2021-10-19 14:02:55 UTC
Red Hat Product Errata | RHSA-2022:0056 | 0 | None | None | None | 2022-03-12 04:37:13 UTC

Description Pamela Escorza 2021-08-05 15:58:21 UTC
Description of problem:

get-resources.sh[0] used by OCP 4.8.2 includes var no_proxy but curl is not making reference to the variable:

#!/bin/bash -xe

# Check and set http(s)_proxy. Required for cURL to use a proxy
export http_proxy=${http_proxy:-$HTTP_PROXY}
export https_proxy=${https_proxy:-$HTTPS_PROXY}
export no_proxy=${no_proxy:-$NO_PROXY}
export CURL_CA_BUNDLE=${CURL_CA_BUNDLE:-/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem}
export IP_OPTIONS=${IP_OPTIONS:-}

....

else
    CONNECT_TIMEOUT=120
    MAX_ATTEMPTS=5

    for i in $(seq ${MAX_ATTEMPTS}); do
        if ! curl -g --compressed -L --connect-timeout ${CONNECT_TIMEOUT} -o "${RHCOS_IMAGE_FILENAME_RAW}" "${IMAGE_URL}/${RHCOS_IMAGE_FILENAME_RAW}"; then
          if (( ${i} == ${MAX_ATTEMPTS} )); then
            echo "Download failed."
            exit 1
          else
            SLEEP_TIME=$((i*i))
            echo "Download failed, retrying after ${SLEEP_TIME} seconds..."
            sleep ${SLEEP_TIME}
          fi
        else
          break
        fi
    done
...
}

As a workaround, after updating the script /usr/local/bin/get-resource.sh with the correct noproxy information, the installation continues.

[0]https://github.com/openshift/ironic-rhcos-downloader/blob/71967e7deca9e9d0e094cbaedb7fe7ce0267dd84/get-resource.sh


Version-Release number of selected component (if applicable):
Deploy a cluster with proxy settings and serving the ipa and rhcos images in a local http server with no proxy in the middle

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
The script download fails because of the proxy

Expected results:

Download images correctly as per proxy configuration

Additional info:

Comment 13 Pamela Escorza 2021-08-12 09:11:57 UTC
Hi @kiran: adding the IP in the list of the noProxy variable works as expected.
Is it expected to allow CIDR in the noProxy list in future versions?

Comment 14 Kiran Thyagaraja 2021-08-12 14:30:26 UTC
(In reply to Pamela Escorza from comment #13)
> Hi @kiran: adding the IP in the list of the noProxy variable
> works as expected.
> Is it expected to allow CIDR in the noProxy list in future versions?

Hi Pamela, I doubt the CIDRs in no_proxy/NO_PROXY ever worked with curl or wget. It's a limitation of these tools. Short of rendering the CIDRs into IP addresses, I don't think this will look different in future releases. Thanks.
https://www.gnu.org/software/wget/manual/html_node/Proxies.html
https://curl.se/docs/manpage.html
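
The CIDR limitation discussed in comment 14, and the approach summarised in the Doc Text (remove the proxy variables before calling curl when the destination is exempt), shown as an added example. It is not the ironic-rhcos-downloader fix or code posted by anyone in this bug; the function names are hypothetical, and it assumes the image URL uses a literal IPv4 address.

```shell
# Added example (not the project's code); function names are hypothetical.
# Literal IPv4 hosts only; hostnames are not resolved.
# Print a dotted-quad IPv4 address as an integer; fail on anything else.
ip_to_int() {
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    local IFS=. n=0 o
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$(( $n * 256 + $o ))
    done
    echo "$n"
}

# Return 0 if IPv4 address $1 lies inside CIDR $2 (for example 10.0.0.0/8).
ip_in_cidr() {
    local ip net bits mask
    case $2 in */*) bits=${2##*/} ;; *) return 1 ;; esac
    case $bits in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    ip=$(ip_to_int "$1") && net=$(ip_to_int "${2%/*}") || return 1
    mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    [ $(( $ip & $mask )) -eq $(( $net & $mask )) ]
}

# Return 0 if host $1 is inside any CIDR entry of the comma-separated list $2.
# Non-CIDR entries are skipped because curl already honours those itself.
cidr_exempts_host() {
    local host="$1" rest entry
    rest=$(printf '%s,' "$2" | tr -d ' ')
    while [ -n "$rest" ]; do
        entry=${rest%%,*}; rest=${rest#*,}
        case $entry in */*) ip_in_cidr "$host" "$entry" && return 0 ;; esac
    done
    return 1
}

# Run the command after URL $1, without proxy variables if a CIDR exempts its host.
run_honoring_cidr_no_proxy() {
    local url="$1" host; shift
    host=${url#*://}; host=${host%%[/:]*}
    if cidr_exempts_host "$host" "${no_proxy:-${NO_PROXY:-}}"; then
        ( unset http_proxy https_proxy HTTP_PROXY HTTPS_PROXY; "$@" )
    else
        "$@"
    fi
}
```

In the script quoted in the description, the wrapper would go in front of the download command, taking "${IMAGE_URL}" as its first argument followed by the existing curl invocation. Malformed CIDR entries never match, so the request stays on the proxy path rather than bypassing it.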

Comment 28 Tony Mulqueen 2022-01-11 10:46:50 UTC
@derekh Can you please provide Doc Text to assist in drawing up the Release Notes entry?

Comment 31 errata-xmlrpc 2022-03-12 04:37:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

