subscription-manager version call failing in proxy environment

[praveenkumar]

subscription-manager version call failing in proxy environments.
Also some code refactoring around current code i.e. we are parsing proxy details using regex and then passing it to subscription manager. subscription manager do honor the shell proxy env and should consumed it instead we do extra work from parsing.

[agajdosi]

@praveenkumar I have found two problematic things in current proxy solution, but I am not sure if this is going to help you as I was unable to somehow understand your changes. However those 2 things are:

1. If you mean by "shell proxy env" the http_proxy variable, then checking for subscription-manager version is currently being executed before setting up http_proxy.
2. But more importantly: "subscription-manager version" is checking subscription.rhsm.redhat.com:433 so in current solution when I am behind proxy this command times out => minishift thinks that image does not support registration => registration never happens. It works well when you are testing with ?not_blocking_proxy? but in central-ci, it goes with timeout.

About to run SSH command:
sudo subscription-manager version
SSH cmd err, output: exit status 70: Unable to verify server's identity: timed out

Distribution doesn't support registration
(minishift) Calling .GetSSHHostname
(minishift) DBG | GetIP called for minishift
(minishift) DBG | Failed to retrieve dnsmasq leases from /var/lib/libvirt/dnsmasq/docker-machines.leases
(minishift) DBG | IP address: 192.168.42.174
(minishift) Calling .GetSSHPort
(minishift) DBG | Unable to locate IP address for MAC 52:54:00:ec:94:4d
(minishift) Calling .GetSSHKeyPath
(minishift) DBG | AK: resolvestorepath: /home/hudson/.minishift
(minishift) Calling .GetSSHKeyPath
(minishift) Calling .GetSSHUsername
(minishift) DBG | AK: resolvestorepath: /home/hudson/.minishift
Using SSH client type: external
Using SSH private key: /home/hudson/.minishift/machines/minishift/id_rsa (-rw-------)
&{[-F /dev/null -o PasswordAuthentication=no -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=quiet -o ConnectionAttempts=3 -o ConnectTimeout=10 -o ControlMaster=no -o ControlPath=none docker@192.168.42.174 -o IdentitiesOnly=yes -i /home/hudson/.minishift/machines/minishift/id_rsa -p 22] /usr/bin/ssh <nil>}
About to run SSH command:
export http_proxy=http://squid.corp.redhat.com:3128 

[docker@minishift ~]$ echo $http_proxy
http://squid.corp.redhat.com:3128

[docker@minishift ~]$ sudo subscription-manager version                                   
Unable to verify server's identity: timed out

[docker@minishift ~]$ sudo subscription-manager version --proxy squid.corp.redhat.com:3128
server type: Red Hat Subscription Management
subscription management server: 0.9.51.21-1
subscription management rules: 5.15.1
subscription-manager: 1.17.15-1.el7
python-rhsm: 1.17.9-1.el7

[praveenkumar]

If you mean by "shell proxy env" the http_proxy variable, then checking for subscription-manager version is currently being executed before setting up http_proxy

Before it was doing that but now with the PR it does setup proxy before executing any subscription-manager commands.

But more importantly: "subscription-manager version" is checking subscription.rhsm.redhat.com:433 so in current solution when I am behind proxy this command times out => minishift thinks that image does not support registration => registration never happens. It works well when you are testing with ?not_blocking_proxy? but in central-ci, it goes with timeout.

The way I can see is you are executing sudo without preserving the environment variables so when you use sudo with subscription manager then use -E option of sudo which also part of the PR.

I recommend you to do a manual build from this PR and you are able to see subscription-manager will go through from proxy server.

[LalatenduMohanty]

If you mean by "shell proxy env" the http_proxy variable, then checking for subscription-manager version is currently being executed before setting up http_proxy.
But more importantly: "subscription-manager version" is checking subscription.rhsm.redhat.com:433 so in current solution when I am behind proxy this command times out => minishift thinks that image does not support registration => registration never happens. It works well when you are testing with ?not_blocking_proxy? but in central-ci, it goes with timeout.

This looks like a bug with the code and it is blocker issue. I have assumed that the version command is a local command and does not need network access.
So not testing minishift in an environment where internet is limited to pass though only proxy was a mistake from me.
We should file a separate bug and track it.

[LalatenduMohanty]

@praveenkumar if @agajdosi 's observation is correct than we have a bug in below code. Which did not change from the first attempt of adding proxy. So I think your current PR will also fail for @agajdosi

func (registrator *RedHatRegistrator) Register(param *RegistrationParameters) error {
 	if output, err := registrator.SSHCommand("sudo subscription-manager version"); err != nil {
 		return err

[hferentschik]

I have found two problematic things

@agajdosi good catch 👍 - so here we have an issue regardless of which approach we are taking.

[LalatenduMohanty]

I manually tested and I agree with @agajdosi , Saw below in the proxy server access log when I executed teh version command.

1488445934.517   3585 10.10.62.209 TCP_TUNNEL/200 4072 CONNECT subscription.rhsm.redhat.com:443 fedora HIER_DIRECT/10.4.204.72 -
1488445938.920   3789 10.10.62.209 TCP_TUNNEL/200 3303 CONNECT subscription.rhsm.redhat.com:443 fedora HIER_DIRECT/10.4.204.72 -

[LalatenduMohanty]

@hferentschik yes, the config command needs to run first then anything else

[praveenkumar]

@LalatenduMohanty even config command run then also if we need to use sudo with -E then it will have same issue. I updated the PR with all the bits and will test it once we have CI passed along with @agajdosi

[LalatenduMohanty]

@praveenkumar Sorry I did not get you. I mean the subscription-manager config command with proxy details need to run first and the the subscription-manager version command needs to run with respect to existing implementation.

[agajdosi]

@praveenkumar RHEL is being registered successfully in OpenStack with build of your PR branch. Verified with functionality of yum. Only problem I am facing is I have to use MINISHIFT_USERNAME and MINISHIFT_PASSWORD, when using --username and --password flags I am getting following error:

[hudson@cdkqe-agajdosi-fresh-rhel ~]$ minishift start --username foo --password bar --http-proxy http://squid.corp.redhat.com:3128 --iso-url file:///home/hudson/minishift-rhel.iso
Starting local OpenShift cluster using 'kvm' hypervisor...
Registering machine using subscription-manager
E0302 06:07:34.842774   22287 start.go:158] Error starting the VM: Error registering the VM: This virutal machine requires registration. Credentials must either be passed via the environment variables MINISHIFT_USERNAME and MINISHIFT_PASSWORD  or the --username and --password flags
. Retrying.
Registering machine using subscription-manager
E0302 06:07:43.820474   22287 start.go:158] Error starting the VM: Error registering the VM: This virutal machine requires registration. Credentials must either be passed via the environment variables MINISHIFT_USERNAME and MINISHIFT_PASSWORD  or the --username and --password flags
. Retrying.
Registering machine using subscription-manager
E0302 06:07:52.923966   22287 start.go:158] Error starting the VM: Error registering the VM: This virutal machine requires registration. Credentials must either be passed via the environment variables MINISHIFT_USERNAME and MINISHIFT_PASSWORD  or the --username and --password flags
. Retrying.
E0302 06:07:52.923998   22287 start.go:164] Error starting the VM:  Error registering the VM: This virutal machine requires registration. Credentials must either be passed via the environment variables MINISHIFT_USERNAME and MINISHIFT_PASSWORD  or the --username and --password flags

Error registering the VM: This virutal machine requires registration. Credentials must either be passed via the environment variables MINISHIFT_USERNAME and MINISHIFT_PASSWORD  or the --username and --password flags

Error registering the VM: This virutal machine requires registration. Credentials must either be passed via the environment variables MINISHIFT_USERNAME and MINISHIFT_PASSWORD  or the --username and --password flags

But this can be also problem with bad configuration on my side: I am using rhel.iso from cdk beta2 build with --iso-url flag, nothing else was configured from my side.

The way I can see is you are executing sudo without preserving the environment variables so when you use sudo with subscription manager then use -E option of sudo which also part of the PR.

👍 Thank you for this info, did not realized that.

[agajdosi]

@praveenkumar Tested your PR on RHEL7 behind blocking proxy. Issue with not accepting --password --username is gone. MINISHIFT_PASSWORD/MINISHIFT_USERNAME works also well. Proxy registration in both cases went fine. Seems fine to me. 👍

[praveenkumar]

@agajdosi Thank you for testing it out 👍

[hferentschik]

Merged via pull request #490