[Spacewalk-list] Spacewalk client - yum - proxy behavior
Jan Arild Lindstrøm
jal at online.no
Tue Feb 28 17:39:49 UTC 2012
At 16:43 28.02.2012, Jan Pazdziora wrote:
>On Mon, Feb 27, 2012 at 06:50:06PM +0100, Jan Arild Lindstrøm wrote:
>>
>> 3)
>>
>> lintest3-virt(root) ~ 34# yum update
>> Loaded plugins: refresh-packagekit, rhnplugin, security
>> Loading mirror speeds from cached hostfile
>> Error: Cannot retrieve repository metadata (repomd.xml) for repository: centos6-x86_64. Please verify its path and try again
>>
>> ( - "yum update" starts here - )
>> 14:20:33.362368 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 0
>> 14:20:33.375652 IP 10.10.30.183.8080 > 10.10.0.62.51822: tcp 0
>> 14:20:33.375852 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 0
>> 14:20:33.377344 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 627
>> 14:20:33.377522 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 1380
>> 14:20:33.378321 IP 10.10.30.183.8080 > 10.10.0.62.51822: tcp 0
>> --cut--
>> 14:20:33.402821 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 0
>> 14:20:33.402825 IP 10.10.30.183.8080 > 10.10.0.62.51822: tcp 467
>> 14:20:33.402829 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 0
>> 14:20:33.402846 IP 10.10.30.183.8080 > 10.10.0.62.51822: tcp 0
>> 14:20:33.406011 IP 10.10.0.62.51822 > 10.10.30.183.8080: tcp 0
>> 14:20:33.406976 IP 10.10.30.183.8080 > 10.10.0.62.51822: tcp 0
>> 14:20:33.460341 IP 10.10.0.62.50796 > 10.10.0.60.80: tcp 0
>> 14:20:36.460258 IP 10.10.0.62.50796 > 10.10.0.60.80: tcp 0
>> 14:20:42.460278 IP 10.10.0.62.50796 > 10.10.0.60.80: tcp 0
>> --cut--
>>
>> Proxy = 10.10.30.183
>> Spacewalk server = 10.10.0.62
>
>Is it possible that it's actually
>
> Spacewalk client = 10.10.0.62
> Proxy = 10.10.30.183
> Spacewalk server 10.10.0.60
>
>?
Yes, I just make sure my two test clients can not speak directly with the Spacewalk
server:
spacewalk01(root) ~ 1442# iptables -L -n -v
Chain INPUT (policy ACCEPT 11M packets, 4471M bytes)
pkts bytes target prot opt in out source destination
636 38304 DROP all -- * * 10.123.0.62 0.0.0.0/0
29538 1182K DROP all -- * * 10.123.0.61 0.0.0.0/0
--cut--
I want them to use only the proxy and not be able to shortcut it by using the Spacewalk
server directly. That is because I do not want to open port 80 out from all our other VLANs.
>Can you do more tcpdumping to see what are the HTTP requests that are
>being sent directly?
The proxy is Squid 3.1.x.
Disabled iptables on the Spacewalk server while running tshark on the client.
Captured: yum repolist (run after a "yum clean all").
Without "http_proxy=http://proxy-z2.mydomain.no:8080 ; export http_proxy":
lintest3-virt(root) ~ 162# tshark -c 500 -R 'http' port 80 or port 8080
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
0.014810 10.123.0.62 -> 10.123.30.183 HTTP/XML POST http://spacewalk01.mydomain.no/XMLRPC HTTP/1.1
0.045528 10.123.30.183 -> 10.123.0.62 HTTP/XML HTTP/1.0 200 OK
0.070893 10.123.0.62 -> 10.123.30.183 HTTP/XML POST http://spacewalk01.mydomain.no/XMLRPC HTTP/1.1
0.107598 10.123.30.183 -> 10.123.0.62 HTTP/XML HTTP/1.0 200 OK
0.155940 10.123.0.62 -> 10.123.0.60 HTTP GET /XMLRPC/GET-REQ/centos6-x86_64/repodata/repomd.xml HTTP/1.1
0.159237 10.123.0.60 -> 10.123.0.62 HTTP/XML HTTP/1.1 200 OK
0.184609 10.123.0.62 -> 10.123.0.60 HTTP GET /XMLRPC/GET-REQ/centos6-x86_64/repodata/primary.xml.gz HTTP/1.1
4.318590 10.123.0.62 -> 10.123.0.60 HTTP GET /XMLRPC/GET-REQ/centos6-x86_64-addons/repodata/repomd.xml HTTP/1.1
4.321661 10.123.0.60 -> 10.123.0.62 HTTP/XML HTTP/1.1 200 OK
--cut--
It starts using the Spacewalk server directly when fetching the repo stuff.
With "http_proxy=http://proxy-z2.mydomain.no:8080 ; export http_proxy":
lintest3-virt(root) ~ 167# tshark -c 5000 -R 'http' port 80 or port 8080
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
0.004991 10.123.0.62 -> 10.123.30.183 HTTP/XML POST http://spacewalk01.mydomain.no/XMLRPC HTTP/1.1
0.028022 10.123.30.183 -> 10.123.0.62 HTTP/XML HTTP/1.0 200 OK
0.051706 10.123.0.62 -> 10.123.30.183 HTTP/XML POST http://spacewalk01.mydomain.no/XMLRPC HTTP/1.1
0.071484 10.123.30.183 -> 10.123.0.62 HTTP/XML HTTP/1.0 200 OK
0.132816 10.123.0.62 -> 10.123.30.183 HTTP GET http://spacewalk01.mydomain.no/XMLRPC/GET-REQ/centos6-x86_64/repodata/repomd.xml HTTP/1.1
0.141334 10.123.30.183 -> 10.123.0.62 HTTP/XML HTTP/1.0 200 OK
0.174648 10.123.0.62 -> 10.123.30.183 HTTP GET http://spacewalk01.mydomain.no/XMLRPC/GET-REQ/centos6-x86_64/repodata/primary.xml.gz HTTP/1.1
4.577575 10.123.0.62 -> 10.123.30.183 HTTP GET http://spacewalk01.mydomain.no/XMLRPC/GET-REQ/centos6-x86_64-addons/repodata/repomd.xml HTTP/1.1
4.587044 10.123.30.183 -> 10.123.0.62 HTTP/XML HTTP/1.0 200 OK
--cut--
It never uses the Spacewalk server directly.
--
Regards
Jan Arild
>--
>Jan Pazdziora
>Principal Software Engineer, Satellite Engineering, Red Hat
>
>_______________________________________________
>Spacewalk-list mailing list
>Spacewalk-list at redhat.com
>https://www.redhat.com/mailman/listinfo/spacewalk-list
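
Added example, not part of the original message: a small Python check that reads tshark summary lines like those in the two captures above and flags HTTP requests that bypass the proxy, using the fact that proxied requests carry an absolute URI to 10.123.30.183 while direct ones carry a bare path to another host. The function names are hypothetical; the sample lines are copied from the first capture in the post.

```python
import re

PROXY_IP = "10.123.30.183"  # Squid proxy address as shown in the post's capture

# Lines copied from the first capture in the post (http_proxy not set).
SAMPLE = """\
0.014810 10.123.0.62 -> 10.123.30.183 HTTP/XML POST http://spacewalk01.mydomain.no/XMLRPC HTTP/1.1
0.045528 10.123.30.183 -> 10.123.0.62 HTTP/XML HTTP/1.0 200 OK
0.155940 10.123.0.62 -> 10.123.0.60 HTTP GET /XMLRPC/GET-REQ/centos6-x86_64/repodata/repomd.xml HTTP/1.1
0.159237 10.123.0.60 -> 10.123.0.62 HTTP/XML HTTP/1.1 200 OK
0.184609 10.123.0.62 -> 10.123.0.60 HTTP GET /XMLRPC/GET-REQ/centos6-x86_64/repodata/primary.xml.gz HTTP/1.1
"""

# time, src, "->", dst, protocol column, then the HTTP request line.
REQUEST = re.compile(
    r"^\s*(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\S+\s+"
    r"(?P<method>GET|POST|HEAD)\s+(?P<uri>\S+)\s+HTTP/\d\.\d\s*$"
)

def parse_requests(text):
    """Return one dict per HTTP request line; responses and '--cut--' are skipped."""
    return [m.groupdict() for m in map(REQUEST.match, text.splitlines()) if m]

def classify(req, proxy_ip=PROXY_IP):
    """'proxied' = absolute URI sent to the proxy; 'direct' = bare path sent elsewhere."""
    absolute = req["uri"].lower().startswith(("http://", "https://"))
    if req["dst"] == proxy_ip and absolute:
        return "proxied"
    if req["dst"] != proxy_ip and not absolute:
        return "direct"
    return "unexpected"  # e.g. absolute URI sent to a host that is not the proxy

def direct_requests(text, proxy_ip=PROXY_IP):
    """Requests that did not go through the proxy in proxy form."""
    return [r for r in parse_requests(text) if classify(r, proxy_ip) != "proxied"]

if __name__ == "__main__":
    for r in direct_requests(SAMPLE):
        print(f"{r['time']} {r['src']} -> {r['dst']} {r['method']} {r['uri']}")
```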