New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

toolbox stopped working after update due to rkt not using proxy #1869

Closed
mscribe opened this Issue Mar 16, 2017 · 6 comments

Comments

Projects
None yet
3 participants
@mscribe

mscribe commented Mar 16, 2017

Issue Report

Bug

Container Linux Version

stable (1298.5.0)

Environment

desktop computer

Expected Behavior

Contents of ~/.toolboxrc:

TOOLBOX_DOCKER_IMAGE=centos

Run toolbox:

/usr/bin/toolbox

Then, centos should be fetched and used.

Actual Behavior

Everything used to work as expected behind a proxy. However, after the update, this error started showing after running toolbox:

fetch: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io: no such host

Running this works:

docker pull centos

Running this also works:

curl https://www.google.com

I peaked inside of /usr/bin/toolbox and tried running this, which does NOT work:

sudo rkt --insecure-options=image fetch "docker://centos:latest"

It throws that fetch error mentioned above.

Reproduction Steps

  1. Configure coreos to run behind a proxy server.
  2. Run toolbox.
@lucab

This comment has been minimized.

Show comment
Hide comment
@lucab

lucab Mar 16, 2017

Member

rkt does honor the http_proxy= env flag, so I think it is either not set in your calling environment or not passed through sudo. Can you please double check manually directly in a root shell if the variable is set and how rkt reacts to it? Also, this strangely looks more similar to a DNS issue than an HTTP proxy one.

Member

lucab commented Mar 16, 2017

rkt does honor the http_proxy= env flag, so I think it is either not set in your calling environment or not passed through sudo. Can you please double check manually directly in a root shell if the variable is set and how rkt reacts to it? Also, this strangely looks more similar to a DNS issue than an HTTP proxy one.

@mscribe

This comment has been minimized.

Show comment
Hide comment
@mscribe

mscribe Mar 16, 2017

Thanks for the quick response!

The proxy environment variable wasn't available with sudo; I confirmed that with:

sudo -s
echo $http_proxy

This worked:

sudo -s
export http_proxy=http://proxy...com:80
rkt --insecure-options=image fetch "docker://centos:latest"

In the past, things were working when all I had was an /etc/profile.d/proxy.sh file with my proxy details. I also tried putting the proxy info in /etc/profile.env to debug this problem, which didn't help. Since environment variables in those files aren't available with sudo rkt, what is the proper way in coreos to make the toolbox command work as expected behind a proxy?

mscribe commented Mar 16, 2017

Thanks for the quick response!

The proxy environment variable wasn't available with sudo; I confirmed that with:

sudo -s
echo $http_proxy

This worked:

sudo -s
export http_proxy=http://proxy...com:80
rkt --insecure-options=image fetch "docker://centos:latest"

In the past, things were working when all I had was an /etc/profile.d/proxy.sh file with my proxy details. I also tried putting the proxy info in /etc/profile.env to debug this problem, which didn't help. Since environment variables in those files aren't available with sudo rkt, what is the proper way in coreos to make the toolbox command work as expected behind a proxy?

@lucab

This comment has been minimized.

Show comment
Hide comment
@lucab

lucab Mar 16, 2017

Member

what is the proper way in coreos to make the toolbox command work as expected behind a proxy?

Non-authoritative answer: I'd probably go with a keep_env entry in the sudoers file.

Not sure if the toolbox wrapper should be adjusted in any way.

/cc @dm0-

Member

lucab commented Mar 16, 2017

what is the proper way in coreos to make the toolbox command work as expected behind a proxy?

Non-authoritative answer: I'd probably go with a keep_env entry in the sudoers file.

Not sure if the toolbox wrapper should be adjusted in any way.

/cc @dm0-

@mscribe

This comment has been minimized.

Show comment
Hide comment
@mscribe

mscribe Mar 16, 2017

I created a file /etc/sudoers.d/bill that contains:

Defaults env_keep += "http_proxy"

Now, when I run toolbox, it says:

fetch: attempted fallback to API v1 but not supported

mscribe commented Mar 16, 2017

I created a file /etc/sudoers.d/bill that contains:

Defaults env_keep += "http_proxy"

Now, when I run toolbox, it says:

fetch: attempted fallback to API v1 but not supported
@dm0-

This comment has been minimized.

Show comment
Hide comment
@dm0-

dm0- Mar 16, 2017

Member

Can you try copying /usr/bin/toolbox to some writeable location and replacing sudo rkt with sudo -E rkt? You shouldn't need to make any sudoers customizations with that. I submitted a pull request with that change, which should restore the behavior you had before.

Member

dm0- commented Mar 16, 2017

Can you try copying /usr/bin/toolbox to some writeable location and replacing sudo rkt with sudo -E rkt? You shouldn't need to make any sudoers customizations with that. I submitted a pull request with that change, which should restore the behavior you had before.

@mscribe

This comment has been minimized.

Show comment
Hide comment
@mscribe

mscribe Mar 16, 2017

I copied /usr/bin/toolbox, added -E and got the same error after removing /etc/sudoers.d/bill. That confirmed that the fix you did is good, and will stop me from having to add a file in /etc/sudoers.d/. I realized that since my .toolboxrc file was missing TOOLBOX_DOCKER_TAG, it used the one for Fedora (24) that was hard coded in /usr/bin/toolbox. When I added TOOLBOX_DOCKER_TAG=latest, it worked. It might make sense to not use 24 as the default tag for all images, but my problems are over after your commit gets pushed in an update to my desktop. Thanks for your help!

This ticket can be closed.

mscribe commented Mar 16, 2017

I copied /usr/bin/toolbox, added -E and got the same error after removing /etc/sudoers.d/bill. That confirmed that the fix you did is good, and will stop me from having to add a file in /etc/sudoers.d/. I realized that since my .toolboxrc file was missing TOOLBOX_DOCKER_TAG, it used the one for Fedora (24) that was hard coded in /usr/bin/toolbox. When I added TOOLBOX_DOCKER_TAG=latest, it worked. It might make sense to not use 24 as the default tag for all images, but my problems are over after your commit gets pushed in an update to my desktop. Thanks for your help!

This ticket can be closed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment