Story
Resolution: Unresolved
Background
subscription-manager is a tool that communicates with an entitlement server (candlepin) and respects environment variables {HTTP_PROXY, HTTPS_PROXY, NO_PROXY}, optional proxy options {--proxy, --proxyuser, --proxypassword, --noproxy}, and proxy configurations in the /etc/rhsm/rhsm.conf file. As described in the man page for subscription-manager, these settings are "...read independently, with precedence being command-line over configuration over environment...".
On the contrary, when I monitor traffic through my configured proxy server, I am surprised to see any traffic pass through the proxy even though I am registering from a very restrictive NO_PROXY=* environment.
Issue
In reality, the proxy environment variables and proxy command line options influence communication to the entitlement server, but NOT the cdn server (identified by the baseurl in the /etc/rhsm/rhsm.conf file). The proxy configurations in the /etc/rhsm/rhsm.conf file are the only settings that affect proxy communication to the cdn. Once they are configured in the rhsm.conf file, the precedence statement in the man page falsely leads me to believe the proxy environment variables and command line options will influence all proxy traffic.
Since the introduction of Simple Content Access (as well as the former register with --auto-attach option), a single registration transaction will produce traffic to two servers: the hostname and the baseurl. However, when the registration command includes proxy options or is expected to use proxy environment variables, their values are only honored by the proxy traffic to the entitlement server; NOT the cdn server.
For implementation and design reasons, I do not expect the behavior described above to change. Instead, I would like to see an additional statement in the man page.
Actual Man Page Documentation
Today's subscription-manager (1.30.10-1.el10) man page says...
PROXY CONFIGURATION
subscription-manager can be configured to use a proxy in several ways:
* via standard HTTP_PROXY , HTTPS_PROXY , NO_PROXY environment
variables (environment-level settings)
* via options in /etc/rhsm/rhsm.conf (application-level settings)
* via command-line arguments (command-level overrides)
Although subscription-manager respects environment variables for proxy
configuration, this should be avoided in favor of the configuration
file, because the daemons (ex. rhsmcertd ) do not provide ways to
modify their environments.
Each option of the proxy configuration (hostname, port, host/domain
pattern blocklist, username, password) is read independently, with
precedence being command-line over configuration over environment, and
then the resulting set of options is used to configure the proxy con‐
figuration.
For example, if the HTTP_PROXY environment variable is set and
no_proxy is set in /etc/rhsm/rhsm.conf then both are present in the
effective proxy configuration.
If two equivalent options are set in different places, then the prece‐
dence determines which value is effective.
For example, the NO_PROXY environment variable is set and the no_proxy
configuration file option is set, then the value from the configuration
file is the effective value.
Acceptance criteria
For clarity, I would like to see the following paragraph appended to the man page documentation:
While the proxy environment variables and command line proxy options can
be used to override the proxy configurations set in /etc/rhsm/rhsm.conf
for filtering network traffic to the entitlement server, only the proxy
configurations in the /etc/rhsm/rhsm.conf file will be used to filter
network traffic to the Red Hat CDN.
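
The behaviour described in this issue, as an added example (not part of the original report and not subscription-manager's own code): a simplified Python model in which each proxy option is resolved independently, with the entitlement server consulting command line, rhsm.conf and environment, and the CDN consulting rhsm.conf only. The option names, the example.com hosts and the NO_PROXY matching rule are assumptions made for illustration.

```python
# Simplified model of the behaviour described in this issue.
# Not subscription-manager code; option names and hosts are constructed.
OPTIONS = ("hostname", "port", "no_proxy", "username", "password")

# Sources consulted per destination, highest precedence first.
SOURCES = {
    "entitlement": ("cli", "conf", "env"),  # precedence from the man page
    "cdn": ("conf",),                       # rhsm.conf only, per the issue
}

# Constructed scenario: proxy set in rhsm.conf, NO_PROXY=* in the environment.
LAYERS = {
    "cli": {},
    "conf": {"hostname": "proxy.example.com", "port": "3128"},
    "env": {"no_proxy": "*"},
}


def effective_proxy(destination, layers):
    """Resolve each option independently: {option: (value, source)}."""
    resolved = {}
    for option in OPTIONS:
        for source in SOURCES[destination]:
            value = layers.get(source, {}).get(option)
            if value:
                resolved[option] = (value, source)
                break
    return resolved


def matches_no_proxy(host, no_proxy):
    """Assumed matching: '*' matches every host, otherwise domain suffix."""
    for pattern in (p.strip() for p in no_proxy.split(",")):
        if pattern == "*":
            return True
        suffix = pattern.lstrip("*.")
        if suffix and (host == suffix or host.endswith("." + suffix)):
            return True
    return False


def route(destination, host, layers):
    """Return 'direct' or 'via <proxy>' for one outbound connection."""
    cfg = effective_proxy(destination, layers)
    no_proxy = cfg.get("no_proxy", ("", None))[0]
    if "hostname" not in cfg or matches_no_proxy(host, no_proxy):
        return "direct"
    return "via " + cfg["hostname"][0]
```

With the constructed LAYERS, route("entitlement", "subscription.example.com", LAYERS) returns "direct" while route("cdn", "cdn.example.com", LAYERS) returns "via proxy.example.com", which matches the proxy traffic observed despite NO_PROXY=*.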