-
Bug
-
Resolution: Unresolved
-
Normal
-
None
-
6.11.2
-
None
Description of problem:
When CNAME is used, it is not excluded from the proxy communication by default unlike "localhost" or the "fqdn" of the satellite itself.
Version-Release number of selected component (if applicable):
Satellite 6.11.2
How reproducible:
Always ( but under very specific circumstances )
Steps to Reproduce:
1. Identify an IP that has an A record and a CNAME record e.g.
- nslookup 10.XX.XXX.XX
XX.XXX.XX.10.in-addr.arpa name = sat611.example.com.
XX.XXX.XX.10.in-addr.arpa name = mysatellite.example.com.
2. Have a squid proxy configured. ( assuming http://10.XX.XXX.YY:3128 )
3. Install an RHEL 8 VM having that IP and hostname set to sat611.example.com
- hostname -f
sat611.example.com
4. Enable required repos to install Satellite 6.11 and proceed with "yum install satellite".
5. Run the installer with the following options ( where the use of cname can be noticed ).
satellite-installer --scenario=satellite \
--foreman-initial-organization RedHat --foreman-initial-location Pune \
--foreman-initial-admin-username admin --foreman-initial-admin-password RedHat1! \
--certs-cname=mysatellite.example.com \
--foreman-servername=mysatellite.example.com \
--foreman-foreman-url=https://mysatellite.example.com \
--foreman-unattended-url=https://mysatellite.example.com \
--foreman-proxy-foreman-base-url=https://mysatellite.example.com \
--foreman-proxy-template-url=http://mysatellite.example.com:8000 --foreman-plugin-tasks-automatic-cleanup=true \
--enable-foreman-plugin-puppet --enable-foreman-cli-puppet --foreman-proxy-puppet=true --foreman-proxy-puppetca=true \
--foreman-proxy-content-puppet=true --enable-puppet --puppet-server=true \
--puppet-server-foreman-url=https://mysatellite.example.com \
--puppet-server-foreman-ssl-ca /etc/pki/katello/puppet/puppet_client_ca.crt \
--puppet-server-foreman-ssl-cert /etc/pki/katello/puppet/puppet_client.crt \
--puppet-server-foreman-ssl-key /etc/pki/katello/puppet/puppet_client.key \
--puppet-server-certname=mysatellite.example.com \
--foreman-proxy-puppet-ssl-cert=/etc/puppetlabs/puppet/ssl/certs/mysatellite.example.com.pem \
--foreman-proxy-puppet-ssl-key=/etc/puppetlabs/puppet/ssl/private_keys/mysatellite.example.com.pem \
--foreman-proxy-puppet-url=https://mysatellite.example.com:8140 \
--enable-foreman-plugin-remote-execution --enable-foreman-proxy-plugin-remote-execution-ssh \
--foreman-proxy-tftp=true --foreman-proxy-dhcp=false --foreman-proxy-dns=false
6. Check "hammer capsule list" and "hammer ping" to confirm the health of satellite and see the name of the internal smart-proxy. Make sure firewalld is configured to allow necessary access to Satellite.
7. Check "/etc/pulp/settings.py" and notice that It also got configured with the CNAME mysatellite.example.com.
8. Confirm that the foreman knows the fqdn as sat611.example.com.
- echo "SETTINGS[:fqdn]" | foreman-rake console
"sat611.example.com"
9. Import a manifest in satellite.
10. Go to Administer --> Settings --> General --> HTTP(s) Proxy --> set "http://10.XX.XXX.YY:3128" as the value there for the proxy server.
11. Log in to the squid server and tail the log files:
- tail -f -v -n0 /var/log/squid/*log
12. Go to Content --> Red Hat Repositories --> Expand any repos and try enabling it while monitor the /var/log/foreman/production.log file of satellite as well as log files on squid server.
Actual results:
During the repo enabling task itself, we will be able to see following entries in satellite's production.log multiple times.
2022-09-19T17:53:37 [I|app|3dd40cb3] (Excon) Proxying request to mysatellite.example.com via http://10.XX.XXX.YY:3128
Which means, Satellite tried to connect to pulp via the CNAME and that connection was established via proxy.
The squid proxy logs will also convey the same message.
The same problem will happen during repo sync or any tasks that requires communication from foreman -> foreman-proxy via the CNAME.
Expected results:
Satellite should not try to connect to it's own CNAME via the proxy configured or else the proxy server would get overloaded very frequently.
Additional info:
When I check the code from https://github.com/theforeman/foreman/blob/3.1-stable/lib/foreman/http_proxy.rb#L33-L38 , That function includes the fqdn of the satellite as well.
def local_request?(request_host)
request_host.starts_with?('127.') ||
request_host == 'localhost' ||
request_host == '::1' ||
request_host == SETTINGS[:fqdn]
end
And whenever a request via proxy is initiated, any ip\fqdn defined in the local_request function should be excluded:
https://github.com/theforeman/foreman/blob/3.1-stable/lib/foreman/http_proxy.rb#L16-L23
Now, The problem in our case is that the code of the satellite works simply as expected i.e. it excludes SETTINGS[:fqdn] when it comes to communication via proxy.
SETTINGS[:fqdn] here is sat611.example.com but not mysatellite.example.com. So as long as that is true but the satellite internally uses mysatellite.example.com for communication, the same issue will continue to exist.
WORKAROUND: Put the CNAME into the "HTTP(S) proxy except hosts" list from Administer --> Settings --> General page.
IMPROVEMENT REQUEST: If "--certs-cname" is used with the installer, then the CNAME FQDN should get set as a value of :cname object, so that it can be queried via SETTINGS[:cname] and then perhaps improve the function here:
def local_request?(request_host)
request_host.starts_with?('127.') ||
request_host == 'localhost' ||
request_host == '::1' ||
request_host == SETTINGS[:fqdn] ||
request_host == SETTINGS[:cname]
end
Any other ideas are always welcome as long as it can clearly address the concern