Fix work yum in Install packages requirements for bootstrap

[patsevanton]

I try install kubespray using proxy
Set

## Set these proxy values in order to update package manager and docker daemon to use proxies
http_proxy: "http://172.16.149.1:3128"
https_proxy: "http://172.16.149.1:3128"

If run kubespray without environment: "{{proxy_env}}" in Install packages requirements for bootstrap - get error

TASK [bootstrap-os : Install packages requirements for bootstrap] *******************************************************************************
Sunday 04 November 2018  15:13:57 +0600 (0:00:01.957)       0:00:09.016 ******* 
fatal: [kuber1]: FAILED! => {
    "ansible_facts": {
        "pkg_mgr": "yum"
    }, 
    "changed": false, 
    "rc": 1, 
    "results": [
        "libselinux-python-2.5-12.el7.x86_64 providing libselinux-python is already installed", 
        "Resolving Dependencies\n--> Running transaction check\n---> Package epel-release.noarch 0:7-11 will be installed\n--> Finished Dependency Resolution\n\nDependencies Resolved\n\n================================================================================\n Package                Arch             Version         Repository        Size\n================================================================================\nInstalling:\n epel-release           noarch           7-11            extras            15 k\n\nTransaction Summary\n================================================================================\nInstall  1 Package\n\nTotal download size: 15 k\nInstalled size: 24 k\nDownloading packages:\nDelta RPMs disabled because /usr/bin/applydeltarpm not installed.\n"
    ]
}

MSG:

http://dedic.sh/centos/7.5.1804/extras/x86_64/Packages/epel-release-7-11.noarch.rpm: [Errno 12] Timeout on http://dedic.sh/centos/7.5.1804/extras/x86_64/Packages/epel-release-7-11.noarch.rpm: (28, 'Connection timed out after 30002 milliseconds')
Trying other mirror.
http://mirror.sale-dedic.com/centos/7.5.1804/extras/x86_64/Packages/epel-release-7-11.noarch.rpm: [Errno 12] Timeout on http://mirror.sale-dedic.com/centos/7.5.1804/extras/x86_64/Packages/epel-release-7-11.noarch.rpm: (28, 'Connection timed out after 30002 milliseconds')
Trying other mirror.
http://mirror.logol.ru/centos/7.5.1804/extras/x86_64/Packages/epel-release-7-11.noarch.rpm: [Errno 12] Timeout on http://mirror.logol.ru/centos/7.5.1804/extras/x86_64/Packages/epel-release-7-11.noarch.rpm: (28, 'Connection timed out after 30002 milliseconds')
Trying other mirror.
http://mirror.reconn.ru/centos/7.5.1804/extras/x86_64/Packages/epel-release-7-11.noarch.rpm: [Errno 14] curl#7 - "Failed to connect to 2a00:1f70:0:10::74: Network is unreachable"
Trying other mirror.
http://mirrors.powernet.com.ru/centos/7.5.1804/extras/x86_64/Packages/epel-release-7-11.noarch.rpm: [Errno 12] Timeout on http://mirrors.powernet.com.ru/centos/7.5.1804/extras/x86_64/Packages/epel-release-7-11.noarch.rpm: (28, 'Connection timed out after 30006 milliseconds')
Trying other mirror.
http://mirror.corbina.net/pub/Linux/centos/7.5.1804/extras/x86_64/Packages/epel-release-7-11.noarch.rpm: [Errno 14] curl#7 - "Failed to connect to 2a00:18c0:1:1::4: Network is unreachable"
Trying other mirror.
http://ftp.nsc.ru/pub/centos/7.5.1804/extras/x86_64/Packages/epel-release-7-11.noarch.rpm: [Errno 14] curl#7 - "Failed to connect to 2a00:bf00:0:3::3: Network is unreachable"
Trying other mirror.
http://mirror.awanti.com/centos/7.5.1804/extras/x86_64/Packages/epel-release-7-11.noarch.rpm: [Errno 12] Timeout on http://mirror.awanti.com/centos/7.5.1804/extras/x86_64/Packages/epel-release-7-11.noarch.rpm: (28, 'Connection timed out after 30007 milliseconds')
Trying other mirror.
http://mirror.yandex.ru/centos/7.5.1804/extras/x86_64/Packages/epel-release-7-11.noarch.rpm: [Errno 14] curl#7 - "Failed to connect to 2a02:6b8::183: Network is unreachable"
Trying other mirror.
http://mirror.vilkam.ru/centos/7.5.1804/extras/x86_64/Packages/epel-release-7-11.noarch.rpm: [Errno 12] Timeout on http://mirror.vilkam.ru/centos/7.5.1804/extras/x86_64/Packages/epel-release-7-11.noarch.rpm: (28, 'Connection timed out after 30005 milliseconds')
Trying other mirror.

Error downloading packages:
  epel-release-7-11.noarch: [Errno 256] No more mirrors to try.

Task Install packages requirements for bootstrap dont work with proxy

This PR added environment: "{{proxy_env}}" to Install packages requirements for bootstrap

[Atoms]

If you have proxy needed for yum it should be already configured within yum.conf, at least our node provision does that, and then you don't need such env here

[patsevanton]

I understand you. I need enter to every node and change file yum.conf before run kubespray?

[Atoms]

@patsevanton it would be provision job, if you do that manually then yes.

[patsevanton]

@Atoms Add proxy to /etc/yum.conf if http_proxy is defined

[patsevanton]

Check commit Add proxy to /etc/yum.conf if http_proxy is defined

`TASK [bootstrap-os : Add proxy to /etc/yum.conf if http_proxy is defined] ***********************************************************************
Monday 05 November 2018 12:49:38 +0600 (0:00:01.804) 0:00:16.659 *******
changed: [kuber3]
changed: [kuber1]
changed: [kuber2]

TASK [bootstrap-os : Install packages requirements for bootstrap] *******************************************************************************
Monday 05 November 2018 12:49:40 +0600 (0:00:01.434) 0:00:18.094 *******
changed: [kuber1]
changed: [kuber3]
changed: [kuber2]

TASK [bootstrap-os : Install pip for bootstrap] *************************************************************************************************
Monday 05 November 2018 12:49:45 +0600 (0:00:05.924) 0:00:24.018 *******
changed: [kuber1]
changed: [kuber3]
changed: [kuber2]
`

Line in /etc/yum.conf

proxy=http://172.16.149.1:3128

PR work, kuberspray installed kubernetes

[Atoms]

ci check this

[patsevanton]

ERROR: Job failed: image pull failed: Back-off pulling image "quay.io/kubespray/kubespray:v2.7"

[patsevanton]

All tests passed :)

[Atoms]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Atoms

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Atoms]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[puthi]

Hi,
I think setting the yum proxy globally like that probably not a good approach, the reason is it will work with the external repository that need to pass through the proxy but fail with the internal repository that doesn't need proxy. We have this case happening in our environment. My suggestion would be either
1- add yum proxy to only your own repo which is /etc/yum.repo.d/{docker.repo,epel.repo}
2- Or add the environment variable for the OS for these variables: http_proxy https_proxy and no_proxy.

The second option worked for us before the change to yum proxy was made 8 days ago.

[patsevanton]

Hi,
I think setting the yum proxy globally like that probably not a good approach, the reason is it will work with the external repository that need to pass through the proxy but fail with the internal repository that doesn't need proxy. We have this case happening in our environment. My suggestion would be either
1- add yum proxy to only your own repo which is /etc/yum.repo.d/{docker.repo,epel.repo}
2- Or add the environment variable for the OS for these variables: http_proxy https_proxy and no_proxy.

The second option worked for us before the change to yum proxy was made 8 days ago.

Are you using proxy like squid?

[puthi]

yeah we are using squid as proxy server at the moment.

[patsevanton]

kuberspray did work before merge?
is kuberspray with custom patch or not?
How are you run playbook?
May be i wrong run playbook ...

[puthi]

• Kubespray work before the merge (with http_proxy,https_proxy,no_proxy set in sample/all.yaml)
• we don't make any change locally we only update the variables available in sample folder.
• here is the command we ran
  ansible-playbook -u someuser -i inventory/local/hosts.ini cluster.yml -b

it failed at bootstrap-os tasks

fatal: [somehostname]: FAILED! => {
"ansible_facts": {
"pkg_mgr": "yum"
},
"changed": false,
"invocation": {
"module_args": {
"allow_downgrade": false,
"autoremove": false,
"bugfix": false,
"conf_file": null,
"disable_excludes": null,
"disable_gpg_check": false,
"disable_plugin": [],
"disablerepo": [],
"download_only": false,
"enable_plugin": [],
"enablerepo": [],
"exclude": [],
"install_repoquery": true,
"installroot": "/",
"list": null,
"name": [
"libselinux-python",
"epel-release"
],
"releasever": null,
"security": false,
"skip_broken": false,
"state": "present",
"update_cache": false,
"update_only": false,
"use_backend": "auto",
"validate_certs": true
}
},
"msg": "http://myrepo/centos/7/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 503 - Service Unavailable\nTrying other

[patsevanton]

Were you set proxy (for playbook)?

[puthi]

the proxy were set in inventory/sample/group_vars/all/all.yml

Set these proxy values in order to update package manager and docker daemon to use proxies
http_proxy: "http://someproxy/"
https_proxy: "http://someproxy/"

Refer to roles/kubespray-defaults/defaults/main.yml before modifying no_proxy
no_proxy: "127.0.0.0/8,172.x.x.x/16,..."

[puthi]

here is the config we have:
`cat /etc/profile.d/proxy.sh

#my proxy setting
http_proxy=http://myproxy
ftp_proxy=$http_proxy
https_proxy=$http_proxy
no_proxy=localhost,127.0.0.0/8,10.0.0.0/8,169.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.local
export http_proxy ftp_proxy https_proxy no_proxy
#end: my proxy setting
`

`
cat /etc/systemd/system/docker.service.d/http-proxy.conf

[Service]
Environment="HTTP_PROXY=http://myproxy" "HTTPS_PROXY=http://myproxy" "NO_PROXY=localhost,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.local,...."
`

and nothing set in /etc/yum.conf

[patsevanton]

I think this custom setting. Let try install kubespray without

-- name: Add proxy to /etc/yum.conf if http_proxy is defined
-  lineinfile:
-    path: "/etc/yum.conf"
-    line: "proxy={{http_proxy}}"
-    create: yes
-    state: present
-  when: http_proxy is defined

but before run:

export http_proxy="http://someproxy/"
export https_proxy="http://someproxy/"
export no_proxy="127.0.0.0/8,172.x.x.x/16,10.0.0.0/8"

[puthi]

I think this custom setting. Let try install kubespray without

-- name: Add proxy to /etc/yum.conf if http_proxy is defined
-  lineinfile:
-    path: "/etc/yum.conf"
-    line: "proxy={{http_proxy}}"
-    create: yes
-    state: present
-  when: http_proxy is defined

but before run:

export http_proxy="http://someproxy/"
export https_proxy="http://someproxy/"
export no_proxy="127.0.0.0/8,172.x.x.x/16,10.0.0.0/8"

If we comment out the task "Add proxy to /etc/yum.conf..." it works for us.

[patsevanton]

Without

-- name: Add proxy to /etc/yum.conf if http_proxy is defined
-  lineinfile:
-    path: "/etc/yum.conf"
-    line: "proxy={{http_proxy}}"
-    create: yes
-    state: present
-  when: http_proxy is defined

dont work without /etc/profile.d/proxy.sh

/etc/profile.d/proxy.sh - this is custom settings.

Need create clean OS without /etc/profile.d/proxy.sh and try install kubespray.

[patsevanton]

@Atoms @mirwan May be create /etc/profile.d/proxy.sh (when run kubespray) with proxy setting and delete line proxy in /etc/yum.conf ??

[patsevanton]

@Atoms @mirwan May be create /etc/profile.d/proxy.sh (when run kubespray) with proxy setting and delete line proxy in /etc/yum.conf ??

[patsevanton]

@puthi Are you agree at your configuration if i create new Pull Request where create /etc/profile.d/proxy.sh (when run kubespray) with proxy setting and delete line proxy in /etc/yum.conf ??

[puthi]

Yeah I think that would work for environment which require proxy.

[Atoms]

In my opinion, we never used /etc/profile.d/, and i'm not sure yum picks up those vars. And this path is not making sense, as let's imagine you try to do something with yum and it does not work, you will look to yum config files not profile.d some script. the less places you make customization the better, so i do not agree with adding /etc/profile.d/proxy.sh

Story about our infra - We manage all OS repos with ansible, and we have proxy = _none_ already configured in local repos and for all repos which does not include this proxy is in use. As we use different yum.repos.d directory to properly manage repos we have no problems. Count repos configured on server and then decide add proxy for repos needed or add proxy globally and exclude proxy for those 1 or 2 repos, we have 11 repos configured on kubernetes nodes and only 3 are local repos.

[puthi]

If I understand correctly, yum use curl and curl respect those environment variables. We have this setup working in our environment too.

But like I mentioned in my first comment, if you want to be safe you can only add yum proxy to your own repository(docker.repo, peel.repo...) instead of setting it globally for yum.

[puthi]

Also just to add a bit more, the /etc/profile.d/proxy.sh is executed when the machine startup so all of the users will have those environment variables.

But again I’m ok to have yum proxy at /etc/yum.repos.d/ but not at yum.conf level.

[patsevanton]

I see 2 way:

1. Create /etc/profile.d/proxy.sh with proxy or add proxy to /etc/yum.conf
2. Install epel-release and docker packages
3. Remove /etc/profile.d/proxy.sh or remove line proxy in /etc/yum.conf
4. Added proxy to docker.repo, epel.repo

What do you think?
@puthi Why only docker.repo, epel.repo ? If i install on clean CentOS - i think need add proxy to CentOS-Base.repo

[puthi]

@patsevanton doing something like that might be a bit hassle i think, as you have to do that 4 steps every times your ansible task need to work with yum.

As for why only docker.repo and epel.repo is because in our environment we have our server deployment with local repo configured by default so there is no need to talk to internet and only the docker.repo,epel.repo... from kubespray that need the external repo. In fact we can host all the docker packages and it dependencies locally but because there is no option to tell kubespray to do so(correct me if i miss something here) that is why we whitelist the repo and allow our server to connect to internet.
In my opinion, for the environment the require proxy during the OS deployment the admin should already have a way to configure there server to talk to the proxy already and if kubespray make any change globally, it might conflict with the user setup. That's why i suggest to only touch the part that kubespray operate on, it might be safer.

[patsevanton]

@puthi If i install on clean CentOS with CentOS-Base.repo and try install kubespray using proxy - i get error, because CentOS-Base.repo dont have proxy
@Atoms What do you think?

[puthi]

@patsevanton not sure i get you, so you use /etc/profile.d/proxy.sh and run kubespray playbooks(cluster.yml) and it failed? Or you use yum to install kubespary(eg. yum install -y kubespray) and it failed?

[patsevanton]

@puthi Try https://github.com/patsevanton/kubespray - I Refactored add proxy for CentOS
@Atoms New Pull Request - #3732

[puthi]

@patsevanton i will try it out on Monday and let you know the result.
Thanks

[puthi]

@patsevanton i tried on my environment but it doesn't work. And the reason is because we have our /etc/yum.repos.d/CentOS-.repo content comment out and if you just add proxy line at the end of each repo ( [base,update,...] ) it will just failed, probably from the wrong format of the .repo file or somehting. So i have to remove the task where you touch all of the CentOS-.repo to make it work for me. But this is very specific to my environment, i'm not sure if there is a better to give general user a more flexible option.

How about give user a flag like yum_proxy_enable = true/false in all.yml and let user decide wither they want kubespray to add the yum proxy for them or not?

[patsevanton]

@puthi Are you have /etc/yum.repos.d/CentOS-Base.repo?

1. Please show list all files in /etc/yum.repos.d/
2. Please show /etc/yum.repos.d/CentOS-Base.repo

[puthi]

here u go

DISABLED BY REPO PKG## CentOS-Base.repo
#DISABLED BY REPO PKG##
#DISABLED BY REPO PKG## The mirror system uses the connecting IP address of the client and the
#DISABLED BY REPO PKG## update status of each mirror to pick mirrors that are updated to and
#DISABLED BY REPO PKG## geographically close to the client. You should use this for CentOS updates
#DISABLED BY REPO PKG## unless you are manually picking other mirrors.
#DISABLED BY REPO PKG##
#DISABLED BY REPO PKG## If the mirrorlist= does not work for you, as a fall back you can try the
#DISABLED BY REPO PKG## remarked out baseurl= line instead.
#DISABLED BY REPO PKG##
#DISABLED BY REPO PKG##
#DISABLED BY REPO PKG#
#DISABLED BY REPO PKG#[base]
#DISABLED BY REPO PKG#name=CentOS-$releasever - Base
#DISABLED BY REPO PKG#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#DISABLED BY REPO PKG##baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
#DISABLED BY REPO PKG#gpgcheck=1
#DISABLED BY REPO PKG#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#DISABLED BY REPO PKG#
#DISABLED BY REPO PKG##released updates
#DISABLED BY REPO PKG#[updates]
#DISABLED BY REPO PKG#name=CentOS-$releasever - Updates
#DISABLED BY REPO PKG#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#DISABLED BY REPO PKG##baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
#DISABLED BY REPO PKG#gpgcheck=1
#DISABLED BY REPO PKG#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#DISABLED BY REPO PKG#
#DISABLED BY REPO PKG##additional packages that may be useful
#DISABLED BY REPO PKG#[extras]
#DISABLED BY REPO PKG#name=CentOS-$releasever - Extras
#DISABLED BY REPO PKG#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras&infra=$infra
#DISABLED BY REPO PKG##baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
#DISABLED BY REPO PKG#gpgcheck=1
#DISABLED BY REPO PKG#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#DISABLED BY REPO PKG#
#DISABLED BY REPO PKG##additional packages that extend functionality of existing packages
#DISABLED BY REPO PKG#[centosplus]
#DISABLED BY REPO PKG#name=CentOS-$releasever - Plus
#DISABLED BY REPO PKG#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
#DISABLED BY REPO PKG##baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
#DISABLED BY REPO PKG#gpgcheck=1
#DISABLED BY REPO PKG#enabled=0
#DISABLED BY REPO PKG#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#DISABLED BY REPO PKG#

[puthi]

but this is very specific to my environment, it probably not work for everyone if u just update the code for my environment

[patsevanton]

it is standard CentOS-Base.repo.

1. Try add:
   [base]
   proxy='you proxy squid'

2. Show CentOS-Base.repo (Dont show #DISABLED BY REPO PKG#) + show as code

3. run yum makecache (show output)

[puthi]

previous comment is my actually CentOS-Base.repo basically we don't use CentOS-Base.repo at all, that is why it is comment out.

[patsevanton]

1. I Asked - Are you have /etc/yum.repos.d/CentOS-Base.repo?
2. Show list all files in /etc/yum.repos.d/ on server where error

[puthi]

here is the list of all files in /etc/yum.repos.d/

ls -al /etc/yum.repos.d/

total 92
drwxr-xr-x. 2 root root 4096 Nov 19 13:33 .
drwxr-xr-x. 103 root root 12288 Nov 19 15:56 ..
-rw-r--r-- 1 root root 556 Nov 1 14:44 myrepo-centos.repo
-rw-r--r-- 1 root root 175 Nov 1 14:44 myrepo-fwpp.repo
-rw-r--r-- 1 root root 153 Nov 1 14:44 myrepo-hpsum.repo
-rw-r--r-- 1 root root 151 Nov 1 14:44 myrepo-local.repo
-rw-r--r-- 1 root root 335 Nov 1 14:44 myrepo-puppet.repo
-rw-r--r-- 1 root root 121 Nov 1 14:44 myrepo-sensu.repo
-rw-r--r-- 1 root root 164 Nov 1 14:44 myrepo-spp.repo
-rw-r--r-- 1 root root 4128 Nov 19 13:32 CentOS-Base.repo
-rw-r--r-- 1 root root 1309 Oct 8 22:38 CentOS-CR.repo
-rw-r--r-- 1 root root 649 Oct 8 22:38 CentOS-Debuginfo.repo
-rw-r--r-- 1 root root 314 Oct 8 22:38 CentOS-fasttrack.repo
-rw-r--r-- 1 root root 630 Oct 8 22:38 CentOS-Media.repo
-rw-r--r-- 1 root root 1331 Oct 8 22:38 CentOS-Sources.repo
-rw-r--r-- 1 root root 4768 Oct 8 22:38 CentOS-Vault.repo
-rw-r--r-- 1 root root 1002 Nov 19 13:33 epel.repo
-rw-r--r-- 1 root root 1050 Oct 3 2017 epel-testing.repo
-rw-r--r-- 1 root root 115 Nov 1 14:44 flapjack.repo

[patsevanton]

ls -1

run kubespray from https://github.com/patsevanton/kubespray + set proxy and show output error
Come back - 1,5-2h
I can help on skype

[puthi]

here is the error

TASK [bootstrap-os : Install packages requirements for bootstrap] ***********************************************************************************************************************************************************
Monday 19 November 2018 19:07:50 +0700 (0:00:00.559) 0:00:06.967 *******
fatal: [kubworker]: FAILED! => {"changed": false, "msg": "Error accessing repos: File contains no section headers.\nfile: file:///etc/yum.repos.d/CentOS-Base.repo, line: 45\n'proxy=http://my-proxy:3128\\n'"}
fatal: [kubmaster]: FAILED! => {"changed": false, "msg": "Error accessing repos: File contains no section headers.\nfile: file:///etc/yum.repos.d/CentOS-Base.repo, line: 45\n'proxy=http://my-proxy:3128\\n'"}

[patsevanton]

@puthi please send CentOS-Base.repo before run kubespray and after run kubespray to my email patsev.anton @ gmail.com

[puthi]

@patsevanton email sent.