Bug 2046337 - Certain manifest, subscription and repository related actions are broken while using HTTP Proxy as content_default_http_proxy in Satellite 6.10
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Subscription Management
Version: 6.10.1
Hardware: All
OS: All
Priority: high
Severity: urgent
Target Milestone: 6.11.0
Assignee: satellite6-bugs
QA Contact: Cole Higgins
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-01-26 16:01 UTC by Sayan Das
Modified: 2023-12-08 09:23 UTC (History)

Fixed In Version: tfm-rubygem-katello-4.3.0.3-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2059372 (view as bug list)
Environment:
Last Closed: 2022-07-05 14:32:22 UTC
Target Upstream Version:
Embargoed:


Attachments
reproducer logs (324.86 KB, application/gzip), 2022-01-26 16:08 UTC, Sayan Das
reproducer task export (346.78 KB, application/gzip), 2022-01-26 16:09 UTC, Sayan Das
traceback from customer's satellite (8.53 KB, text/plain), 2022-01-26 16:10 UTC, Sayan Das
reproducer squid logs (3.66 KB, application/gzip), 2022-01-26 16:10 UTC, Sayan Das


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Foreman Issue Tracker | 34417 | 0 | Normal | Closed | repo discovery sets proxy across the entire application | 2022-02-28 11:19:05 UTC |
| Red Hat Product Errata | RHSA-2022:5498 | 0 | None | None | None | 2022-07-05 14:32:30 UTC |

Description Sayan Das 2022-01-26 16:01:30 UTC
Description of problem:

Certain actions like "Manifest Refresh", "Add Subscriptions" to manifest, Auto-Attach on Hosts, Docker type repo discovery and repo creation etc. are failing while using an HTTP type proxy as the content_default_http_proxy, as the Satellite server tries to connect with candlepin localhost:23443 at some point but via the proxy server and that action gets denied from proxy on localhost.


Version-Release number of selected component (if applicable):

Satellite 6.10+

How reproducible:

Always


Steps to Reproduce:
1. Install Satellite 6.10+

2. Import a manifest with some subs in it

3. Try syncing some repos, performing manifest refresh and some repo discovery+creation of docker type content from registry.redhat.io .

4. Setup an external squid proxy which is HTTP in nature [i.e. no HTTPS\Authentication is required ]

5. Create a HTTP proxy in Satellite UI using the details of the external proxy and then Set that proxy entry as the content_default_http_proxy in Satellite.

6. Repeat the testing of all actions from step 3 while observing the satellite logs as well as the /var/log/squid/access.log from the external squid server.



Actual results:

At step 3, without proxy everything works fine.

At step 6, 

Repo sync : works fine

Manifest Refresh: Fails

Add Subscriptions: Fails

Auto-Attach on hosts: Fails

Discovery of Docker type repo: Successful, but as soon as we try to create the discovery repo it fails and the task goes to Paused state.


With each of these failed attempts one constant issue is that, 

foreman reports:

403 "Forbidden" (Net::HTTPServerException)

As Satellite tries to connect to localhost:23443 via the external http proxy and proxy denies the same i.e.

1643210976.873      0 10.xx.xx.y TCP_DENIED/403 3903 CONNECT localhost:23443 - HIER_NONE/- text/html


Expected results:

Whether the proxy is HTTPS or HTTP in nature, no matter what actions are being performed, any connection to localhost or localhost:23443 should be done locally but not via proxy. 


Additional info:

For other satellite users, the underlying cause is the same but the error could be "502 "cannotconnect" (Net::HTTPFatalError)" as well.

I have noticed that with an HTTPS type proxy, certain actions seem to work, i.e. Manifest Refresh, Reduction of entitlement quantity of manifest etc., but the actions which fail will show responses like:

503 "Service Unavailable" (Net::HTTPFatalError)

and external HTTPS squid proxy will show:

1643205659.835      2 10.xx.yy.xx TAG_NONE/503 0 CONNECT localhost:23443 satproxy HIER_NONE/- -


So again the underlying reason is the same i.e. Satellite tries to connect to candlepin on localhost:23443 via external proxy, whether the proxy is HTTP or HTTPS in nature.
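
A defender-side check for the symptom described in this report, as an added example that is not part of the original bug report or of Katello's code: a Ruby script that scans Squid native-format access.log lines for CONNECT requests whose target is a loopback name or address, which means a client is sending local-service traffic to the proxy. The first two sample lines are the ones quoted above; the remaining lines and all function names are constructed for illustration.

```ruby
require 'ipaddr'

# Squid native access.log format:
#   time elapsed client code/status bytes method URL user hierarchy type
# Lines 1-2 are the entries quoted in the report; lines 3-5 are constructed.
SAMPLE_LOG = <<~LOG
  1643210976.873      0 10.xx.xx.y TCP_DENIED/403 3903 CONNECT localhost:23443 - HIER_NONE/- text/html
  1643205659.835      2 10.xx.yy.xx TAG_NONE/503 0 CONNECT localhost:23443 satproxy HIER_NONE/- -
  1643210980.101    412 192.0.2.10 TCP_TUNNEL/200 5120 CONNECT cdn.example.com:443 - HIER_DIRECT/203.0.113.5 -
  1643210981.552      0 192.0.2.10 TCP_DENIED/403 3890 CONNECT 127.0.0.1:23443 - HIER_NONE/- text/html
  1643210982.007      1 192.0.2.10 TCP_DENIED/403 3890 CONNECT [::1]:9090 - HIER_NONE/- text/html
LOG

# CONNECT targets are "host:port"; IPv6 literals are bracketed.
TARGET_RE = /\A(?:\[([^\]]+)\]|([^:\[\]]+)):(\d+)\z/

# True for "localhost", "*.localhost" and any loopback IP literal.
def loopback_target?(host)
  h = host.downcase.chomp('.')
  return true if h == 'localhost' || h.end_with?('.localhost')
  IPAddr.new(h).loopback?
rescue ArgumentError
  false # not an IP literal, so an ordinary hostname
end

# Returns one hash per CONNECT request aimed at a loopback destination.
def loopback_connects(log_text)
  log_text.each_line.map do |line|
    _ts, _elapsed, client, result, _bytes, method, target = line.split
    next unless method == 'CONNECT'
    m = TARGET_RE.match(target.to_s) or next
    host = m[1] || m[2]
    next unless loopback_target?(host)
    { client: client, host: host, port: m[3].to_i, result: result }
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  loopback_connects(SAMPLE_LOG).each do |hit|
    puts "#{hit[:client]} -> #{hit[:host]}:#{hit[:port]} (#{hit[:result]})"
  end
end
```

Any hit identifies a client whose proxy setting is being applied to connections that should stay on the local host.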

Comment 1 Sayan Das 2022-01-26 16:08:58 UTC
Created attachment 1855543
reproducer logs

Comment 2 Sayan Das 2022-01-26 16:09:44 UTC
Created attachment 1855544
reproducer task export

Comment 3 Sayan Das 2022-01-26 16:10:26 UTC
Created attachment 1855546
traceback from customer's satellite

Comment 4 Sayan Das 2022-01-26 16:10:59 UTC
Created attachment 1855547
reproducer squid logs

Comment 10 Jonathon Turel 2022-02-08 20:56:16 UTC
Connecting redmine issue https://projects.theforeman.org/issues/34417 from this bug

Comment 15 Justin Sherrill 2022-02-14 19:02:57 UTC
Related to https://bugzilla.redhat.com/show_bug.cgi?id=2054174 (This resolves that bz as well)

Comment 18 jcallaha 2022-04-28 18:10:22 UTC
Verified in Satellite 6.11 Snap 18


Steps: Same as the initial reporter, but with Satellite 6.11

Results:
Repo sync - Pass
Manifest Refresh - Pass
Add Subscriptions - Pass
Auto-Attach on hosts - Pass
Discovery of yum repos - Pass
    https://fixtures.pulpproject.org/
Discovery of Docker type repo - Pass
    quay.io/satelliteqe/broker

Comment 21 errata-xmlrpc 2022-07-05 14:32:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498

