[Spacewalk-list] Spacewalk client - yum - proxy behavior

Jan Arild Lindstrøm jal at online.no
Tue Feb 28 17:39:49 UTC 2012


At 16:43 28.02.2012, Jan Pazdziora wrote:
>On Mon, Feb 27, 2012 at 06:50:06PM +0100, Jan Arild Lindstrøm wrote:
>> 
>> 3)
>> 
>> lintest3-virt(root) ~ 34# yum update
>> Loaded plugins: refresh-packagekit, rhnplugin, security
>> Loading mirror speeds from cached hostfile
>> Error: Cannot retrieve repository metadata (repomd.xml) for repository: centos6-x86_64. Please verify its path and try again
>> 
>> ( - "yum update" starts here - )
>> 14:20:33.362368 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 0
>> 14:20:33.375652 IP 10.10.30.183.8080 > 10.10.0.62.51822: tcp 0
>> 14:20:33.375852 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 0
>> 14:20:33.377344 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 627
>> 14:20:33.377522 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 1380
>> 14:20:33.378321 IP 10.10.30.183.8080 > 10.10.0.62.51822: tcp 0
>> --cut--
>> 14:20:33.402821 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 0
>> 14:20:33.402825 IP 10.10.30.183.8080 > 10.10.0.62.51822: tcp 467
>> 14:20:33.402829 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 0
>> 14:20:33.402846 IP 10.10.30.183.8080 > 10.10.0.62.51822: tcp 0
>> 14:20:33.406011 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 0
>> 14:20:33.406976 IP 10.10.30.183.8080 > 10.10.0.62.51822: tcp 0
>> 14:20:33.460341 IP 10.10.0.62.50796 > 10.10.0.60.80: tcp 0
>> 14:20:36.460258 IP 10.10.0.62.50796 > 10.10.0.60.80: tcp 0
>> 14:20:42.460278 IP 10.10.0.62.50796 > 10.10.0.60.80: tcp 0
>> --cut--
>> 
>> Proxy = 10.10.30.183
>> Spacewalk server = 10.10.0.62
>
>Is it possible that it's actually
>
>        Spacewalk client = 10.10.0.62
>        Proxy = 10.10.30.183
>        Spacewalk server 10.10.0.60
>
>?


Yes, I just make sure my two test clients can not speak directly with the Spacewalk 
server:
        spacewalk01(root) ~ 1442# iptables -L -n -v
        Chain INPUT (policy ACCEPT 11M packets, 4471M bytes)
         pkts bytes target     prot opt in     out     source               destination         
          636 38304 DROP       all  --  *      *       10.123.0.62          0.0.0.0/0           
        29538 1182K DROP       all  --  *      *       10.123.0.61          0.0.0.0/0           
        --cut-- 

I want them to use only the proxy and not be able to shortcut it by using the Spacewalk 
server directly. That is because I do not want to open port 80 out from all our other VLANs. 

>Can you do more tcpdumping to see what are the HTTP requests that are
>being sent directly?

The proxy is Squid 3.1.x.

Disabled iptables on the Spacewalk server while running tshark on the client.

Captured: yum repolist (run after a "yum clean all").

Without "http_proxy=http://proxy-z2.mydomain.no:8080 ; export http_proxy":

        lintest3-virt(root) ~ 162# tshark -c 500 -R 'http' port 80 or port 8080
        Running as user "root" and group "root". This could be dangerous.
        Capturing on eth0
          0.014810  10.123.0.62 -> 10.123.30.183 HTTP/XML POST http://spacewalk01.mydomain.no/XMLRPC HTTP/1.1 
          0.045528 10.123.30.183 -> 10.123.0.62  HTTP/XML HTTP/1.0 200 OK 
          0.070893  10.123.0.62 -> 10.123.30.183 HTTP/XML POST http://spacewalk01.mydomain.no/XMLRPC HTTP/1.1 
          0.107598 10.123.30.183 -> 10.123.0.62  HTTP/XML HTTP/1.0 200 OK 
          0.155940  10.123.0.62 -> 10.123.0.60  HTTP GET /XMLRPC/GET-REQ/centos6-x86_64/repodata/repomd.xml HTTP/1.1 
          0.159237  10.123.0.60 -> 10.123.0.62  HTTP/XML HTTP/1.1 200 OK 
          0.184609  10.123.0.62 -> 10.123.0.60  HTTP GET /XMLRPC/GET-REQ/centos6-x86_64/repodata/primary.xml.gz HTTP/1.1 
          4.318590  10.123.0.62 -> 10.123.0.60  HTTP GET /XMLRPC/GET-REQ/centos6-x86_64-addons/repodata/repomd.xml HTTP/1.1 
          4.321661  10.123.0.60 -> 10.123.0.62  HTTP/XML HTTP/1.1 200 OK 
        --cut--

        It starts using the Spacewalk server directly when fetching the repo stuff.

With "http_proxy=http://proxy-z2.mydomain.no:8080 ; export http_proxy":

        lintest3-virt(root) ~ 167# tshark -c 5000 -R 'http' port 80 or port 8080
        Running as user "root" and group "root". This could be dangerous.
        Capturing on eth0
          0.004991  10.123.0.62 -> 10.123.30.183 HTTP/XML POST http://spacewalk01.mydomain.no/XMLRPC HTTP/1.1 
          0.028022 10.123.30.183 -> 10.123.0.62  HTTP/XML HTTP/1.0 200 OK 
          0.051706  10.123.0.62 -> 10.123.30.183 HTTP/XML POST http://spacewalk01.mydomain.no/XMLRPC HTTP/1.1 
          0.071484 10.123.30.183 -> 10.123.0.62  HTTP/XML HTTP/1.0 200 OK 
          0.132816  10.123.0.62 -> 10.123.30.183 HTTP GET http://spacewalk01.mydomain.no/XMLRPC/GET-REQ/centos6-x86_64/repodata/repomd.xml HTTP/1.1 
          0.141334 10.123.30.183 -> 10.123.0.62  HTTP/XML HTTP/1.0 200 OK 
          0.174648  10.123.0.62 -> 10.123.30.183 HTTP GET http://spacewalk01.mydomain.no/XMLRPC/GET-REQ/centos6-x86_64/repodata/primary.xml.gz HTTP/1.1 
          4.577575  10.123.0.62 -> 10.123.30.183 HTTP GET http://spacewalk01.mydomain.no/XMLRPC/GET-REQ/centos6-x86_64-addons/repodata/repomd.xml HTTP/1.1 
          4.587044 10.123.30.183 -> 10.123.0.62  HTTP/XML HTTP/1.0 200 OK 
        --cut--

        It never uses the Spacewalk server directly.


--
Regards
Jan Arild


>-- 
>Jan Pazdziora
>Principal Software Engineer, Satellite Engineering, Red Hat
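
Added example, not part of the original message: a small Python classifier for tshark one-line summaries like the two captures above, which lists HTTP requests sent to any host other than the proxy. The proxy address and sample lines are copied from the captures; the function names are hypothetical.

```python
import re

PROXY_IP = "10.123.30.183"  # Squid address as shown in the captures above

# tshark one-line summary: "<time> <src> -> <dst> <proto> <METHOD> <target> HTTP/1.x"
REQUEST_RE = re.compile(
    r"^\s*\d+\.\d+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\S+\s+"
    r"(?P<method>GET|POST|HEAD|PUT|CONNECT)\s+(?P<target>\S+)\s+HTTP/\d\.\d\s*$"
)

def classify(line, proxy_ip=PROXY_IP):
    """Return None for anything that is not an HTTP request line."""
    m = REQUEST_RE.match(line)
    if m is None:
        return None  # responses, tshark banners, "--cut--"
    req = m.groupdict()
    req["route"] = "proxy" if req["dst"] == proxy_ip else "direct"
    # Proxy-aware clients send absolute-form targets; direct ones send a bare path.
    req["form"] = "absolute" if "://" in req["target"] else "origin"
    return req

def direct_requests(capture_text, proxy_ip=PROXY_IP):
    """Requests that went to some host other than the proxy."""
    reqs = (classify(l, proxy_ip) for l in capture_text.splitlines())
    return [r for r in reqs if r and r["route"] == "direct"]

# Sample lines taken from the two captures in the message above (shortened).
WITHOUT_HTTP_PROXY = """\
  0.014810  10.123.0.62 -> 10.123.30.183 HTTP/XML POST http://spacewalk01.mydomain.no/XMLRPC HTTP/1.1
  0.045528 10.123.30.183 -> 10.123.0.62  HTTP/XML HTTP/1.0 200 OK
  0.155940  10.123.0.62 -> 10.123.0.60  HTTP GET /XMLRPC/GET-REQ/centos6-x86_64/repodata/repomd.xml HTTP/1.1
  0.159237  10.123.0.60 -> 10.123.0.62  HTTP/XML HTTP/1.1 200 OK
  0.184609  10.123.0.62 -> 10.123.0.60  HTTP GET /XMLRPC/GET-REQ/centos6-x86_64/repodata/primary.xml.gz HTTP/1.1
"""
WITH_HTTP_PROXY = """\
  0.004991  10.123.0.62 -> 10.123.30.183 HTTP/XML POST http://spacewalk01.mydomain.no/XMLRPC HTTP/1.1
  0.132816  10.123.0.62 -> 10.123.30.183 HTTP GET http://spacewalk01.mydomain.no/XMLRPC/GET-REQ/centos6-x86_64/repodata/repomd.xml HTTP/1.1
  0.141334 10.123.30.183 -> 10.123.0.62  HTTP/XML HTTP/1.0 200 OK
"""

if __name__ == "__main__":
    for name, cap in (("without", WITHOUT_HTTP_PROXY), ("with", WITH_HTTP_PROXY)):
        for r in direct_requests(cap):
            print(name, "http_proxy: direct", r["method"], r["dst"], r["target"])
```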