<div dir="ltr"><div dir="ltr"><div>Hi Ben,</div><div><br></div><div>I have experience dealing with http & https proxies in the past. I would very much like to make pulp_installer work properly with them, or to provide instructions on how to use them with it.<br></div><div><br></div><div>It seems like when software is configured internally to use a proxy, it works. But when software is relying on environment variables, the ansible become (i.e., sudo from "user1", to "root", to "pulp") gets rid of the environment variable.</div><div><br></div><div>Try setting http_proxy and https_proxy as part of the user's environment on the system, and configuring sudoers per this comment:<br></div><div><a href="https://github.com/ansible/ansible/issues/38050#issuecomment-768501547">https://github.com/ansible/ansible/issues/38050#issuecomment-768501547</a></div><div><br></div><div>See in-line replies.<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Apr 18, 2021 at 10:14 PM Ben Stanley <<a href="mailto:ben.stanley@gmail.com">ben.stanley@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hello Pulp people,</p>
<p>I'm trying to install pulp 3.12.0 on RHEL 7.8 using the ansible
method documented at
<a href="https://docs.pulpproject.org/pulpcore/installation/instructions.html" target="_blank">https://docs.pulpproject.org/pulpcore/installation/instructions.html</a>
.</p>
<p>I have not yet managed to make it to the end of the
pulp_install.yml playbook without error. I have worked around 2
errors, but now I am stuck on the third. I believe the root cause
of my problems is trying to use a proxy server. I have set the
environment variables http_proxy, https_proxy and proxy
appropriately.<br>
</p>
<ol>
<li>At the step "TASK [pulp.pulp_installer.pulp_common : Import
required EPEL RPM GPG keys]"
(~/.ansible.collections/ansible_collections/pulp/pulp_installer/roles/pulp_common/tasks/repos.yml),
the rpm_key module has two problems.</li>
<ol>
<li>The ansible rpm_key module fails to pass the proxy settings
to the underlying rpm call.<br>
<a href="https://github.com/ansible/ansible/issules/19000" target="_blank">https://github.com/ansible/ansible/issules/19000</a><br>
I worked around this problem by replacing the rpm_key ansible
module call with a raw line calling the rpm command directly,
and specifying the proxy settings to use.<br></li></ol></ol></div></blockquote><div>See the link above for the environment variables. <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><ol><ol><li>
</li>
<li>The rpm --import <key-url> command uses curl
internally.<br>
curl+proxy+https does not work, but curl+proxy+http works.
Note also wget+proxy+https works.<br>
<a href="https://unix.stackexchange.com/questions/441021/curling-a-https-url-via-a-proxy-results-in-nss-error-5938" target="_blank">https://unix.stackexchange.com/questions/441021/curling-a-https-url-via-a-proxy-results-in-nss-error-5938</a><br>
I worked around this problem by referencing the RPM-GPG key
with a http URL instead of a https URL.<br></li></ol></ol></div></blockquote><div>That sounds like a bug in curl or libcurl. But if you are using a proxy for https, then your system is talking to the proxy, which is in turn talking to the webserver. So SSL is from your system to the proxy. I suspect it's a cipher mismatch per that bug. Let me know if you can figure out how to force the cipher.<br></div><div><br></div><div>Either way, I will discuss changing the URL from https to http, or making it configurable via a variable at our next installer development meeting.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><ol>
<li>At the step "TASK [pulp.pulp_installer.pulp_common : Upgrade
to a recent edition of pip (supporting manylinux2014)]"
(~/.ansible.collections/ansible_collections/pulp/pulp_installer/roles/pulp_common/tasks/install_pip.yml),
ansible fails with the error text:<br>
fatal: [honeybee]: FAILED! => {"changed": false, "cmd":
["/usr/local/lib/pulp/bin/pip", "install", "pip>20.2"],
"msg": "stdout: Collecting pip>20.2\n\n:stderr: Retrying
(Retry(total=4, connect=None, read=None, redirect=None,
status=None)) after connection broken by
'ConnectTimeoutError(<pip._vendor.urllib3.connection.VerifiedHTTPSConnection
object at 0x7ffafd356dd8>, 'Connection to <a href="http://pypi.python.org" target="_blank">pypi.python.org</a>
timed out. (connect timeout=15)')': /simple/pip/\n Retrying
(Retry(total=3, connect=None, read=None, redirect=None,
status=None)) after connection broken by
'NewConectionError('<pip.vendor.urllib3.connection.VerifiedHTTPSConnection
object at 0x7ffafd356ef0>: Failed to establish a new
connection: [Errno 101] Network is unreachable',)':
/simple/pip/\n Retrying (Retry(total=1, connect=None,
read=None, redirect=None, status=None)) after connection broken
by
'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection
object a 0x7ffafd356f98>:Failed to establish a new
connection: [Errno 101] Network is unreachable .....<br>
I have not figured out how to work around this problem. It seems
that the pip ansible command is also not passing on the correct
proxy settings. I haven't even figured out how to work around
this problem running pip manually yet.<br></li></ol></div></blockquote><div>Hmm, so we start out with the old system version of pip, copied into the virtualenv. Then we use it to upgrade the virtualenv the new version of pip.</div><div><br></div><div> Perhaps the old version cannot talk to the proxy?</div><div><br></div><div>Try using the virtualenv like:</div><div>sudo -i -u pulp</div><div>source /usr/local/lib/pulp/bin/activate</div><div>export http_proxy=your-proxy-url</div><div>export https_proxy=your-proxy-url</div><div>pip install --upgrade pip<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<p>It would be fantastic if I could get some help with these issues
so that I can get my pulp server upgraded from pulp2 to pulp3.</p>
<p>Thanks,<br>
Ben Stanley.</p></div></blockquote><div><br></div><div>-Mike </div><div><br></div></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:capitalize"><span>Mike</span> <span>DePaulo</span><span style="text-transform:uppercase;color:rgb(170,170,170);margin:0px"></span></p><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;font-size:12px;margin:0px 0px 4px;text-transform:capitalize">He / Him / His</p><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;font-size:12px;margin:0px;text-transform:capitalize"><span>Service Reliability Engineer, Pulp</span></p><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;margin:0px 0px 4px;font-size:12px"><a href="https://www.redhat.com/" style="color:rgb(0,136,206);margin:0px" target="_blank">Red Hat<span></span></a></p><div style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;font-size:medium;margin-bottom:4px"></div><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;margin:0px;font-size:12px"><span>IM: <span>mikedep333</span></span></p><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;font-size:12px;margin:0px"><span>GPG: 51745404</span></p><div style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;font-size:medium;margin-top:12px"><table border="0"><tbody><tr><td width="100px"><a href="https://www.redhat.com/" target="_blank"><img src="https://marketing-outfit-prod-images.s3-us-west-2.amazonaws.com/f5445ae0c9ddafd5b2f1836854d7416a/Logo-RedHat-Email.png" width="90" height="auto"></a></td></tr></tbody></table></div></div></div></div>