add http proxy support for tornado #29322

Merged
merged 6 commits into from
Dec 3, 2015

Conversation

mrproper
Contributor

@mrproper mrproper commented Dec 2, 2015

The tornado backend lacks support for HTTP proxies from environment variables.

This patch changes the client method to curl if proxies are configured (curl_httpclient is required for proxy_host and proxy_port).

This adds new minion config parameters:
proxy_host
proxy_port

I’m undecided if we should attempt to read in the environment variables for $protocol_proxy or just configure it as a parameter.

This fixes several issues where proxies are in use that use the file.managed module such as:
#23617

It works towards also resolving these issues:
#21985
#8177

@cachedout
Contributor

Hi @mrproper. It looks like there are a number of lint errors here. Could you please take a look? https://jenkins.saltstack.com/job/salt-pr-lint-n/11348/violations/

@cachedout cachedout added the Pending-Discussion The issue or pull request needs more discussion before it can be closed or merged label Dec 2, 2015
@jfindlay jfindlay added Transport Core relates to code central or existential to Salt pending-changes The pull request needs additional changes before it can be merged labels Dec 2, 2015
@@ -6,3 +6,4 @@ requests>=1.0.0
tornado>=4.2.1
# Required by Tornado to handle threads stuff.
futures>=2.0
pycurl>=7.19.3
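Review bot: The new `pycurl>=7.19.3` line at the end of this hunk makes pycurl a hard requirement for every install, although the description says curl_httpclient is needed only when proxy_host and proxy_port are set. Consider dropping it from the base requirements, importing pycurl conditionally, and returning a clear error when a proxy is configured without it. If the line stays, give it a comment like the one above `futures>=2.0` saying what needs it.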
Contributor

We need to have a larger discussion here before adding another base dependency to salt.

@thatch45, @meggiebot, @dmurphy18, @UtahDave

Contributor

There is NO WAY we are going to add another dep, this has been a nightmare

Contributor

We can certainly find a compromise here. I recommend that we keep these configuration options while issuing a warning to the user on start that the necessary libraries be installed in order to facilitate this functionality. Salt's http utility library should be made to work in either case, preferring the pycurl implementation if it is installed on the system.

@jfindlay jfindlay removed the Transport label Dec 2, 2015
@mrproper
Contributor Author

mrproper commented Dec 2, 2015

Interesting, when installing salt on ubuntu, python-tornado has a dep on python-pycurl anyway.

I guess this is a larger question, should we be using curl_httpclient anyway? tornado seems to recommend it over simple?

I have adjusted the PR to have it as an optional dep unless you set proxy_host/port.
I'm wondering if I also need to add host exclusions (i.e. don't proxy for these hosts) similar to no_proxy environment variables.
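
An added example (not code from this pull request or from Salt) of the behaviour discussed in this thread: prefer the curl client when pycurl is installed, refuse to run without it once proxy_host/proxy_port are set, and skip the proxy for excluded hosts. The `select_backend` and `host_excluded` names and the `no_proxy` list option are hypothetical; the class paths and proxy_* request arguments are Tornado's.

```python
import importlib.util
from urllib.parse import urlsplit

CURL = "tornado.curl_httpclient.CurlAsyncHTTPClient"
SIMPLE = "tornado.simple_httpclient.SimpleAsyncHTTPClient"


def host_excluded(host, no_proxy):
    """True if host equals an entry or is a subdomain of it."""
    host = host.lower().rstrip(".")
    for entry in no_proxy:
        entry = entry.strip().lower().lstrip(".")
        # Require a label boundary: "example.org" must not match "evilexample.org".
        if entry and (host == entry or host.endswith("." + entry)):
            return True
    return False


def select_backend(opts, url, has_pycurl=None):
    """Return (client_class_path, request_kwargs) for one request.

    opts uses the proxy_host/proxy_port/proxy_username/proxy_password keys
    from this PR; 'no_proxy' is a hypothetical list option (assumption).
    """
    if has_pycurl is None:
        has_pycurl = importlib.util.find_spec("pycurl") is not None
    default = CURL if has_pycurl else SIMPLE  # prefer curl when it is installed
    proxy_host, proxy_port = opts.get("proxy_host"), opts.get("proxy_port")
    if not (proxy_host and proxy_port):
        return default, {}
    if host_excluded(urlsplit(url).hostname or "", opts.get("no_proxy", [])):
        return default, {}
    if not has_pycurl:
        # Fail closed: going direct here would silently bypass the egress proxy.
        raise RuntimeError("proxy_host/proxy_port are set but pycurl is not installed")
    kwargs = {"proxy_host": proxy_host, "proxy_port": int(proxy_port)}
    if opts.get("proxy_username"):
        kwargs["proxy_username"] = opts["proxy_username"]
        kwargs["proxy_password"] = opts.get("proxy_password", "")
    return CURL, kwargs
```

The returned class path is what `tornado.httpclient.AsyncHTTPClient.configure()` accepts, and the kwargs are passed to the request.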

@jfindlay
Contributor

jfindlay commented Dec 3, 2015

@mrproper, thanks for your updates.

client_argspec = inspect.getargspec(tornado.simple_httpclient.SimpleAsyncHTTPClient.initialize)
client_argspec = None

proxy_host = opts.get('proxy_host', None)
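Review bot: `proxy_host` on the last line is taken from `opts` as-is, and nothing visible here checks that it is a non-empty host name rather than a URL or a value of the wrong type. Validate the proxy options together next to this lookup, and log an error when only one of proxy_host/proxy_port is set. Separately, `client_argspec` is assigned on two consecutive lines; if both remain after the change, the `inspect.getargspec(...)` call is dead code and should go.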
Contributor

get() will return None by default if the lookup fails, FWIW.

Contributor Author

This is true, however I was being explicit; can change in another PR if you'd like.

Contributor

It's fine. Just an FYI in case you weren't aware. :]

@cachedout
Contributor

@mrproper Thanks for making these changes. I think this is much improved. Adding host exclusions would be good, but let's do it in an additional PR so we can get this one merged today. Thanks for your hard work here. It's really appreciated.

cachedout pushed a commit that referenced this pull request Dec 3, 2015
add http proxy support for tornado
@cachedout cachedout merged commit bbf1556 into saltstack:develop Dec 3, 2015
@mrproper
Contributor Author

mrproper commented Dec 3, 2015

Thanks everyone for the comments and the quick turnaround!

@nlm
Contributor

nlm commented Dec 4, 2015

@mrproper I agree with you on using curl_httpclient in all cases. Now it's a required dependency, it's recommended by the authors (http://www.tornadoweb.org/en/stable/httpclient.html) and it would make the code simpler

@mrproper
Contributor Author

mrproper commented Dec 7, 2015

It would make sense to use curl_httpclient everywhere that tornado is used, however that's up to the community to discuss a new required dependency. Even though Debian derivatives have it as a dep due to the Debian package python-tornado, it's currently not a dep on anything else not using distribution package managers (i.e. solely from pip etc.).

@hoonetorg
Contributor

@cachedout:
This fix works on 2015.8.7 if proxy settings are made in minion conf and original http.py is overwritten with the one from this commit.
2 questions:
When will this fix be merged into which stable version of salt?

Which is the last stable version of salt where proxy support is not broken (afaiu: which uses libcurl instead of tornado)?

@hoonetorg
Contributor

Copying http.py from this PR over a Debian jessie install gave me the following problems:

The downloaded file has the wrong checksum. The checksum is always d41d8cd98f00b204e9800998ecf8427e.

I use this feature mainly for archive.extracted and file.managed. The downloaded file always has checksum d41d8cd98f00b204e9800998ecf8427e, as said above.

Here is the example output of downloading a warfile from a reposerver via proxy:

[INFO    ] Running state [/var/lib/tomcat7/webapps/warfile.war] at time 12:46:29.450401
[INFO    ] Executing state file.managed for /var/lib/tomcat7/webapps/warfile.war
[DEBUG   ] Reading configuration from /etc/salt/minion
[DEBUG   ] Including configuration from '/etc/salt/minion.d/_schedule.conf'
[DEBUG   ] Reading configuration from /etc/salt/minion.d/_schedule.conf
[DEBUG   ] Including configuration from '/etc/salt/minion.d/f_defaults.conf'
[DEBUG   ] Reading configuration from /etc/salt/minion.d/f_defaults.conf
[DEBUG   ] Using cached minion ID from /etc/salt/minion_id: tserver.example.org
[DEBUG   ] Requesting URL http://reposerver.example.org/warfiles/warfile.war using GET method
[DEBUG   ] GET http://reposerver.example.org/warfiles/warfile.war
[DEBUG   ] Hostname was NOT found in DNS cache
[DEBUG   ] Trying 192.168.1.254...
[DEBUG   ] Connected to 192.168.1.254 (192.168.1.254) port 3128 (#0)
[DEBUG   ] > GET http://reposerver.example.org/warfiles/warfile.war HTTP/1.1
[DEBUG   ] > Host: reposerver.example.org
[DEBUG   ] > Accept: */*
[DEBUG   ] > Accept-Encoding: gzip,deflate
[DEBUG   ] > Proxy-Connection: Keep-Alive
[DEBUG   ] > User-Agent: Salt/2015.8.8.2 http.query()
[DEBUG   ] >
[DEBUG   ] < HTTP/1.1 200 OK
[DEBUG   ] Server nginx is not blacklisted
[DEBUG   ] < Server: nginx
[DEBUG   ] < Date: Wed, 06 Apr 2016 11:46:35 GMT
[DEBUG   ] < Content-Type: application/java-archive
[DEBUG   ] < Content-Length: 35831096
[DEBUG   ] < Last-Modified: Fri, 13 Nov 2015 08:35:00 GMT
[DEBUG   ] < Accept-Ranges: bytes
[DEBUG   ] < X-Cache: MISS from fproxy.example.org
[DEBUG   ] < X-Cache-Lookup: MISS from fproxy.example.org:3128
[DEBUG   ] < X-Cache: MISS from proxy.example.org
[DEBUG   ] < X-Cache-Lookup: MISS from proxy.example.org:3128
[DEBUG   ] < Via: 1.1 fproxy.example.org (squid/3.3.8), 1.1 proxy.example.org (squid/3.4.8)
[DEBUG   ] < Connection: keep-alive
[DEBUG   ] <
[DEBUG   ] Connection #0 to host 192.168.1.254 left intact
[ERROR   ] File changed:
New file
[INFO    ] Completed state [/var/lib/tomcat7/webapps/warfile.war] at time 12:46:38.947663

----------
          ID: app__appwarfile
    Function: file.managed
        Name: /var/lib/tomcat7/webapps/warfile.war
      Result: False
     Comment: File sum set for file /var/lib/tomcat7/webapps/warfile.war of <sum1> does not match real sum of d41d8cd98f00b204e9800998ecf8427e
     Started: 12:46:29.450401
    Duration: 9497.262 ms
     Changes:
              ----------
              diff:
                  New file

Versions:

salt-call --versions-report
Salt Version:
           Salt: 2015.8.8.2

Dependency Versions:
         Jinja2: 2.7.3
       M2Crypto: Not Installed
           Mako: Not Installed
         PyYAML: 3.11
          PyZMQ: 14.4.0
         Python: 2.7.9 (default, Mar  1 2015, 12:57:24)
           RAET: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.0.5
           cffi: 0.8.6
       cherrypy: Not Installed
       dateutil: 2.2
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
        libgit2: Not Installed
        libnacl: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.2
   mysql-python: 1.2.3
      pycparser: 2.10
       pycrypto: 2.6.1
         pygit2: Not Installed
   python-gnupg: Not Installed
          smmap: Not Installed
        timelib: Not Installed

System Versions:
           dist: debian 8.3 
        machine: x86_64
        release: 3.16.0-4-amd64
         system: debian 8.3 
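
Added example, not part of the report above or of Salt: d41d8cd98f00b204e9800998ecf8427e is the MD5 digest of zero bytes, so a triage script can tell an empty download apart from a genuinely different file. The `triage` function and its verdict names are assumptions; the sample lines are copied from the log above.

```python
import hashlib
import re

# Digest of zero bytes for each common algorithm, keyed by hex digest.
EMPTY_DIGESTS = {hashlib.new(a).hexdigest(): a
                 for a in ("md5", "sha1", "sha256", "sha512")}

REAL_SUM = re.compile(r"does not match real sum of ([0-9a-fA-F]{32,128})")
CONTENT_LENGTH = re.compile(r"<\s*Content-Length:\s*(\d+)", re.IGNORECASE)


def triage(log_text):
    """Classify a failed file.managed checksum from Salt debug output.

    Verdicts:
      "empty-body" - digest of zero bytes although the server announced data
      "empty-file" - digest of zero bytes and no non-zero length announced
      "mismatch"   - a digest of real content that differs from the expected one
      "no-failure" - no checksum failure found in the text
    """
    match = REAL_SUM.search(log_text)
    if not match:
        return {"verdict": "no-failure"}
    digest = match.group(1).lower()
    lengths = [int(n) for n in CONTENT_LENGTH.findall(log_text)]
    announced = lengths[-1] if lengths else None
    result = {"digest": digest, "announced_length": announced,
              "algorithm": EMPTY_DIGESTS.get(digest)}
    if digest not in EMPTY_DIGESTS:
        result["verdict"] = "mismatch"
    elif announced:
        # Data was announced but nothing was hashed: a client or transport
        # problem, not a changed file on the server.
        result["verdict"] = "empty-body"
    else:
        result["verdict"] = "empty-file"
    return result


# Lines copied from the report above (the expected sum stays elided as <sum1>).
SAMPLE = """\
[DEBUG   ] < Content-Length: 35831096
[ERROR   ] File changed:
     Comment: File sum set for file /var/lib/tomcat7/webapps/warfile.war of <sum1> does not match real sum of d41d8cd98f00b204e9800998ecf8427e
"""
```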

@jfindlay
Contributor

@rallytime, can this be backported to 2015.5?

@rallytime
Contributor

I don't really want to backport this to 2015.5, but I think 2015.8 is reasonable.

@rallytime rallytime added the ZZZ[Done]-back-ported-bf RETIRED The pull request has been back-ported to an older branch. label Apr 22, 2016
@jfindlay
Contributor

@rallytime, thanks.

rallytime pushed a commit that referenced this pull request Apr 25, 2016
* add http proxy support for tornado

* add proxy_username/password and doc for the minion

* add pycurl deps for tornado

* fix lint issues

* remove hard coded requirements for pycurl, change curl_httpclient to be optional unless proxy_host/port is set

* fix lint
8 participants