Bug 2005805 - Cannot set whole subnet cidr in noProxy in install-config.yaml for baremetal os4 deployment
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Bare Metal Hardware Provisioning
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.8.z
Assignee: Derek Higgins
QA Contact: Victor Voronkov
URL:
Whiteboard:
Depends On: 2020546
Blocks:
Reported: 2021-09-20 08:53 UTC by Andy Bartlett
Modified: 2022-04-25 05:58 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: curl (used by the machine downloader image) doesn't support CIDRs in no_proxy.
Consequence: any CIDR added to noProxy is ignored when downloading the RHCOS image.
Fix: proxies are now removed from the environment if appropriate before calling curl.
Result: when downloading the machine image, the value of NO_PROXY is no longer ignored.
Clone Of:
Environment:
Last Closed: 2022-01-05 16:11:41 UTC
Target Upstream Version:
Embargoed:



Links
System ID | Private | Priority | Status | Summary | Last Updated
Github openshift ironic-rhcos-downloader pull 72 | 0 | None | open | Bug 2005805: Clear proxy env variables if go would have | 2021-11-16 14:51:01 UTC
Red Hat Product Errata RHBA-2021:5209 | 0 | None | None | None | 2022-01-05 16:11:58 UTC

Description Andy Bartlett 2021-09-20 08:53:40 UTC
Description of problem:

I have a customer having issues with the noproxy settings:

We have to pull the container images via a proxy. I've configured it like below:

install-config.yaml:
apiVersion: v1
baseDomain: xxxx.xxxx.local
proxy:
  httpProxy: http://prx1.<domain>:3128 
  httpsProxy: http://prx1.<domain>:3128
  noProxy: .xxx.xxx.local,10.118.17.8,10.118.145.68,10.118.145.69,10.118.145.70,10.118.145.71,10.118.145.72,10.118.145.72,10.118.145.73,10.118.17.5,10.118.17.6,10.118.17.7,10.118.17.9,10.118.17.20,10.118.17.21

Currently I have to specify every single ip address to be excluded from the proxy. I would rather use 10.118.17.0/26 in the noProxy config but unfortunately that does not work.

In the Openshift3 config it was possible to set a subnet range (see chapter 23.3. Configuring Hosts for Proxies): https://access.redhat.com/documentation/en-us/openshift_container_platform/3.4/html/installation_and_configuration/install-config-http-proxies

If I check the bootstrap node, it has automatically added some subnet ranges which should be excluded from the proxy, but this does not work either:

[root@bootstrap ~]# set | grep -i proxy
HTTPS_PROXY=http://prx1.<domain>:3128
HTTP_PROXY=http://prx1.<domain>:3128
NO_PROXY=.cluster.local,.xxxx.xxxx.local,.svc,10.118.145.68,10.118.145.69,10.118.145.70,10.118.145.71,10.118.145.72,10.118.145.73,10.118.17.0/26,10.118.17.20,10.118.17.21,10.118.17.5,10.118.17.6,10.118.17.7,10.118.17.8,10.118.17.9,10.128.0.0/14,127.0.0.1,172.30.0.0/16,api-int.xxx.xxxx.xxxx.local,localhost


Version-Release number of selected component (if applicable):

Openshift 4.8 Baremetal Install

How reproducible:

100%


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Mohamed Mahmoud 2021-09-20 12:02:48 UTC
Why is this component set to MetalLB? MetalLB doesn't even exist in the 4.8 release.

Comment 13 Mohamed Mahmoud 2021-09-21 12:08:31 UTC
I assume you are using the openshift-install command to create your cluster? I just tried an install-config.yaml using something like the following:
apiVersion: v1
baseDomain: gcp.devcluster.openshift.com
proxy:
  httpProxy: http://10.10.10.11:3128 
  httpsProxy: http://10.10,10.11:3128
  noProxy: 10.118.17.0/26,10.118.145.64/26 
compute:
- architecture: amd64
and it didn't complain

Comment 14 Mohamed Mahmoud 2021-09-21 12:12:53 UTC
(In reply to Mohamed Mahmoud from comment #13)
> I assume you are using the openshift-install command to create your cluster? I just
> tried an install-config.yaml using something like the following:
> apiVersion: v1
> baseDomain: gcp.devcluster.openshift.com
> proxy:
>   httpProxy: http://10.10.10.11:3128 
>   httpsProxy: http://10.10,10.11:3128
>   noProxy: 10.118.17.0/26,10.118.145.64/26 
> compute:
> - architecture: amd64
> and it didn't complain

Were you able to repro this issue, if it's that straightforward to repro?

Comment 25 Derek Higgins 2021-09-28 16:23:23 UTC
This bug appears to be a duplicate of bz#1990556

A solution is currently being worked on and a workaround is described in bz#1990556

Let us know if this workaround works for your setup

Comment 32 Derek Higgins 2021-11-16 14:48:28 UTC
Attaching fix to support CIDR in the RHOS image download container
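
An added example (not code from this bug or from ironic-rhcos-downloader) of the behaviour the Doc Text and Comment 32 describe: a matcher without CIDR support misses a host inside 10.118.17.0/26, while a CIDR-aware check finds it and the proxy variables are dropped before curl would be called. The function names, the proxy URL and the image URL are assumptions; NO_PROXY is a shortened, constructed form of the value quoted in the description, and ports in entries are not handled.

```python
import ipaddress
from urllib.parse import urlsplit

PROXY_VARS = ("http_proxy", "https_proxy", "HTTP_PROXY", "HTTPS_PROXY")

# Constructed sample: a shortened form of the bootstrap NO_PROXY quoted in the report.
SAMPLE_ENV = {
    "HTTP_PROXY": "http://proxy.example.com:3128",  # placeholder proxy
    "NO_PROXY": ".cluster.local,.svc,10.118.17.0/26,10.128.0.0/14,127.0.0.1,localhost",
}
IMAGE_URL = "http://10.118.17.10/images/rhcos.qcow2"  # hypothetical image URL

def _entries(no_proxy):
    return [e.strip().lower() for e in no_proxy.split(",") if e.strip()]

def literal_only_match(host, no_proxy):
    """No CIDR support: an entry matches only as an exact host or a domain suffix."""
    return any(host == e.lstrip(".") or host.endswith("." + e.lstrip("."))
               for e in _entries(no_proxy))

def bypasses_proxy(host, no_proxy):
    """CIDR-aware match: IP hosts are tested against IP/CIDR entries, names against domains."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for entry in _entries(no_proxy):
        if ip is not None:
            try:
                if ip in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # a domain entry can never match an IP literal
        else:
            name = entry.lstrip(".")
            if host.endswith("." + name) or (host == name and not entry.startswith(".")):
                return True
    return False

def env_for_curl(url, environ):
    """Copy of environ with the proxy variables removed when NO_PROXY covers the URL's host."""
    host = urlsplit(url).hostname or ""
    no_proxy = environ.get("NO_PROXY") or environ.get("no_proxy") or ""
    env = dict(environ)
    if bypasses_proxy(host, no_proxy):
        for var in PROXY_VARS:
            env.pop(var, None)
    return env
```

The dictionary returned by `env_for_curl` is what a wrapper would pass as the child environment (for example `subprocess.run([...], env=...)`) when invoking curl.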

Comment 39 errata-xmlrpc 2022-01-05 16:11:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.8.25 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:5209

Comment 42 Victor Voronkov 2022-04-25 05:58:40 UTC
No need for automation; same issue covered by https://bugzilla.redhat.com/show_bug.cgi?id=1990556

