-
Bug
-
Resolution: Won't Do
-
Major
-
None
-
4.13.z
-
Important
-
None
-
False
-
Description of problem:
The egress proxy deployment, which uses the image registry.redhat.io/openshift4/ose-egress-http-proxy:v4.15.0, includes squid; after the upgrade squid fails to start (see actual results below).
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. Upgrade from 4.12 to 4.13.
2.
3.
Actual results:
WARNING: Cannot write log file: /var/log/squid/cache.log
/var/log/squid/cache.log: No such file or directory
messages will be sent to 'stderr'.
WARNING: Cannot write log file: /var/log/squid/cache.log
/var/log/squid/cache.log: No such file or directory
messages will be sent to 'stderr'.
2024/11/18 21:18:10| Starting Squid Cache version 4.15 for x86_64-redhat-linux-gnu...
2024/11/18 21:18:10| Service Name: squid
2024/11/18 21:18:10| FATAL: Cannot open '/dev/stdout' for writing.
The parent directory must be writeable by the user 'squid', which is the cache_effective_user set in squid.conf.
Expected results:
upgrade succeeds
egress-proxy-deployment.yaml
# Deployment as dumped from the cluster: server-populated metadata
# (resourceVersion, uid, creationTimestamp) and the status stanza are
# included, so this is an observed object rather than the Helm source.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    argocd.argoproj.io/sync-options: Replace=true
    deployment.kubernetes.io/revision: "3"
  creationTimestamp: "2024-11-15T06:57:43Z"
  generation: 4
  labels:
    app.kubernetes.io/instance: egress-proxy
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: egress-proxy
    # quoted so no tool re-types the version string
    app.kubernetes.io/version: "4.13.0"
    helm.sh/chart: egress-proxy-1.1.1
  name: egress-proxy
  namespace: openshift-egress
  resourceVersion: "1007184"
  uid: 9cf05096-8c61-447b-8d23-9b5a9d124769
spec:
  progressDeadlineSeconds: 600
  replicas: 3
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/instance: egress-proxy
      app.kubernetes.io/name: egress-proxy
  strategy:
    rollingUpdate:
      # maxSurge 0 with maxUnavailable 1: pods are replaced one at a time,
      # so a pod that never becomes ready stalls the whole rollout
      maxSurge: 0
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      annotations:
        ca-checksum: 75a11da44c802486bc6f65640aa48a730f0f684c5c07a42ba3cd1735eb3fb070
        configmap-checksum: bc8324553a674096c36e33b18cbd0e701a871f28d97698d91e7084f179fb2b51
        # OpenShift egress-router annotation: the pod receives a macvlan
        # interface on the node
        pod.network.openshift.io/assign-macvlan: "true"
      creationTimestamp: null
      labels:
        app.kubernetes.io/instance: egress-proxy
        app.kubernetes.io/name: egress-proxy
      name: egress-proxy
    spec:
      affinity:
        podAntiAffinity:
          # hard rule: at most one egress-proxy pod per node
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app.kubernetes.io/name
                    operator: In
                    values:
                      - egress-proxy
                  - key: app.kubernetes.io/instance
                    operator: In
                    values:
                      - egress-proxy
              topologyKey: kubernetes.io/hostname
      containers:
        # --- squid egress proxy ---
        - image: code.gitlab.prod.us-west-2.tlz.svbank.com:5050/virt/containers/registry.redhat.io/openshift4/ose-egress-http-proxy:v4.15.0
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 8080
            timeoutSeconds: 1
          name: egress-router-pod
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
            - containerPort: 8443
              name: https
              protocol: TCP
            - containerPort: 9301
              name: metrics
              protocol: TCP
          readinessProbe:
            # HEAD request (-I) through the proxy (-x) to the console
            # downloads service; -L follows redirects, -N disables buffering
            exec:
              command:
                - curl
                - -LIN
                - -x
                - http://localhost:8080
                - downloads.openshift-console.svc.cluster.local
            failureThreshold: 3
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          resources: {}
          securityContext:
            # privileged container: full access to node devices and
            # capabilities; no runAsUser is set here or at pod level, so
            # the uid squid drops to comes from the image/config
            privileged: true
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            # start script and destination map come from the same ConfigMap
            - mountPath: /bin/egress-http-proxy.sh
              name: configmap
              subPath: egress-http-proxy.sh
            - mountPath: /etc/squid/squid_map.md
              name: configmap
              subPath: squid_map.md
            # TLS key/cert for https_port 8443, read-only
            - mountPath: /etc/squid/certs/
              name: certificate
              readOnly: true
            - mountPath: /etc/pki/ca-trust/source/anchors/
              name: custom-ca
              readOnly: true
            # LDAP bind password file used by the squid auth helpers
            # (-W /etc/squid/auth/ldap_password in the squid config), read-only
            - mountPath: /etc/squid/auth
              name: ldap-auth
              readOnly: true
            # node network-namespace handles; HostToContainer propagates
            # namespaces created on the node after the pod started
            - mountPath: /run/netns
              mountPropagation: HostToContainer
              name: host-run-netns
              readOnly: true
        # --- squid metrics exporter ---
        - env:
            - name: SQUID_PORT
              value: "8080"
            # quoted: a plain scalar starting with ':' is legal but fragile
            - name: SQUID_EXPORTER_LISTEN
              value: ":9301"
          image: code.gitlab.prod.us-west-2.tlz.svbank.com:5050/virt/containers/docker.io/boynux/squid-exporter:v1.10.4
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 5
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 9301
            timeoutSeconds: 1
          name: squid-exporter
          readinessProbe:
            failureThreshold: 5
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 9301
            timeoutSeconds: 1
          resources: {}
          securityContext:
            capabilities:
              add:
                # bypasses file read/search permission checks; not
                # privileged, so this is the only extra capability
                - DAC_READ_SEARCH
            privileged: false
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      # pod shares the node's PID namespace
      hostPID: true
      restartPolicy: Always
      schedulerName: default-scheduler
      # empty pod-level securityContext: no runAsUser/fsGroup. The attached
      # pod log shows squid failing to open /dev/stdout as the
      # cache_effective_user 'squid' -- NOTE(review): possibly related, confirm
      securityContext: {}
      serviceAccount: egress-proxy
      serviceAccountName: egress-proxy
      terminationGracePeriodSeconds: 30
      volumes:
        - configMap:
            # 493 == 0755: the start script mounted from here must be executable
            defaultMode: 493
            name: egress-destinations
          name: configmap
        - configMap:
            # 420 == 0644
            defaultMode: 420
            name: custom-trust-bundle
          name: custom-ca
        - name: certificate
          secret:
            defaultMode: 420
            secretName: egress-proxy-tls
        - name: ldap-auth
          secret:
            defaultMode: 420
            secretName: ldap-auth
        - hostPath:
            path: /run/netns
            # empty type: no check is performed on the host path
            type: ""
          name: host-run-netns
# Observed state at dump time: the rollout is stuck, all 3 replicas
# updated but none available.
status:
  conditions:
    - lastTransitionTime: "2024-11-15T21:17:22Z"
      lastUpdateTime: "2024-11-15T21:17:22Z"
      message: Deployment does not have minimum availability.
      reason: MinimumReplicasUnavailable
      status: "False"
      type: Available
    - lastTransitionTime: "2024-11-15T21:32:09Z"
      lastUpdateTime: "2024-11-15T21:32:09Z"
      message: ReplicaSet "egress-proxy-64cf99877d" has timed out progressing.
      reason: ProgressDeadlineExceeded
      status: "False"
      type: Progressing
  observedGeneration: 4
  replicas: 3
  unavailableReplicas: 3
  updatedReplicas: 3
egress-proxy-64cf99877d-dsvgt.txt
Running squid with config:
# squid configuration echoed by the start script at container start.
# Lines beginning with "- " below appear to be comment lines whose
# leading '#' was lost when the log was rendered; they are kept as-is.
http_port 8080
# TLS listener; cert/key come from the egress-proxy-tls secret mounted at /etc/squid/certs/
https_port 8443 cert=/etc/squid/certs/tls.crt key=/etc/squid/certs/tls.key
# pure forward proxy, nothing is cached
cache deny all
# NOTE(review): the FATAL in this log is squid failing to open this path
# for writing as cache_effective_user 'squid'
access_log stdio:/dev/stdout squid
debug_options ALL,0
shutdown_lifetime 0
- Deny sources external to the cluster
# only the cluster range, localhost and the manager interface may connect
acl cluster src 10.24.0.0/13
http_access allow localhost manager
http_access deny !cluster !localhost !manager
- Deny requests to unknown ports
# the "- http" / "- https" fragments below are the rendered remains of
# per-line comments on the two Safe_ports entries (80 and 443)
- http
acl Safe_ports port 80 - https
acl Safe_ports port 443
http_access deny !Safe_ports
- Deny CONNECT to other than SSL ports
acl SSL_ports port 443
acl SSL_ports port 5000
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
# this destination is allowed before the auth rule below, i.e. without credentials
acl default_destinations dstdomain downloads.openshift-console.svc.cluster.local
http_access allow default_destinations
- Force ldap auth
# basic proxy auth against LDAPS; the bind password is read from the
# mounted secret file (-W), not embedded in the config.
# NOTE(review): basic credentials on the plain http_port are not
# protected in transit -- confirm clients use the https_port
auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "OU=Service Accounts,OU=SVB,DC=uat,DC=svbank,DC=com" -D "CN=svc.openshift_auth,OU=Service_Accounts,OU=Corporate,DC=uat,DC=svbank,DC=com" -W /etc/squid/auth/ldap_password -f "(&(objectClass=person)(sAMAccountName=%s))" -H "ldaps://ldap.uat.svbank.com:636"
acl ldap-auth proxy_auth REQUIRED
http_access deny !ldap-auth
# group membership check: %u is the authenticated user, %a the group name
# passed by the acl lines below
external_acl_type ldap_group %LOGIN /usr/lib64/squid/ext_ldap_group_acl -b "OU=Service Accounts,OU=SVB,DC=uat,DC=svbank,DC=com" -D "CN=svc.openshift_auth,OU=Service_Accounts,OU=Corporate,DC=uat,DC=svbank,DC=com" -W /etc/squid/auth/ldap_password -f "(&(objectClass=person)(sAMAccountName=%u)(memberOf=cn=%a,ou=Application_Access,ou=Application_Groups,ou=Groups,ou=Corporate,dc=uat,dc=svbank,dc=com))" -H "ldaps://ldap.uat.svbank.com:636"
- RITM0000000
# per-request block: destination allowed only for members of the named group
acl ldapgroup-APP-OCP_Proxy_example-dest1 external ldap_group APP-OCP_Proxy_example
acl APP-OCP_Proxy_example-dest1 dstdomain example.com
http_access allow APP-OCP_Proxy_example-dest1 ldapgroup-APP-OCP_Proxy_example-dest1
http_access deny APP-OCP_Proxy_example-dest1 !ldapgroup-APP-OCP_Proxy_example-dest1
- RITM0000001
acl ldapgroup-APP-OCP_Proxy_beta_example-dest2 external ldap_group APP-OCP_Proxy_beta_example
acl APP-OCP_Proxy_beta_example-dest2 dstdomain beta.example.com
http_access allow APP-OCP_Proxy_beta_example-dest2 ldapgroup-APP-OCP_Proxy_beta_example-dest2
http_access deny APP-OCP_Proxy_beta_example-dest2 !ldapgroup-APP-OCP_Proxy_beta_example-dest2
# default deny for everything not matched above
http_access deny all
WARNING: Cannot write log file: /var/log/squid/cache.log
/var/log/squid/cache.log: No such file or directory
messages will be sent to 'stderr'.
WARNING: Cannot write log file: /var/log/squid/cache.log
/var/log/squid/cache.log: No such file or directory
messages will be sent to 'stderr'.
2024/11/18 21:18:10| Starting Squid Cache version 4.15 for x86_64-redhat-linux-gnu...
2024/11/18 21:18:10| Service Name: squid
2024/11/18 21:18:10| FATAL: Cannot open '/dev/stdout' for writing.
The parent directory must be writeable by the
user 'squid', which is the cache_effective_user
set in squid.conf.
2024/11/18 21:18:10| Squid Cache (Version 4.15): Terminated abnormally.
CPU Usage: 0.178 seconds = 0.115 user + 0.063 sys
Maximum Resident Size: 673920 KB
Page faults with physical i/o: 0