[Solved] GCE provider behind proxy


#1

Hi,

I’m currently trying ManageIQ on a container (running in an OpenShift cluster with the official container docker.io/manageiq/manageiq:darga-2) to have a global view on several cloud providers (GCE/AWS/OpenStack).

I’m facing one issue when I try to add GCE as a cloud provider with connection error:

[----] E, [2016-07-26T11:50:02.147033 #64688:3fb5c69f0950] ERROR – : MIQ(ems_cloud_controller-create): Credential validation was not successful: Network is unreachable - connect(2) for “accounts.google.com” port 443

I think it is because I'm behind a proxy. Indeed I tried the exact same process on another ManageIQ instance running on another OShift cluster with internet access where I was able to add GCE.

I read several threads and gave a try to the http_proxy configuration variable in the config:

:http_proxy:
  :host: 172.31.118.249
  :password:
  :port: 3128
  :user:

(BTW I did not find too much documentation on this variable and on the fact that updating the config in the UI was done in real time or if I needed to restart the manageIq process)

I also tried another variable in the config (which does not exist by default):

:https_proxy:
  :user:
  :port: 3128
  :password:
  :host: 172.31.118.249

Just in case my error was due to https but it did not help.
Then I came across this discussion: Add Azure Cloud Provider

It seems really similar to my issue (except they use AZURE instead of GCE) so I wonder if the proxy is supposed to work for GCE or if a change is required on the layer used to communicate with GCE (similarly to what is explained in the thread for AZURE with a PR open)?

Thx, Charles Walker


#2

I dug a little more and if I’m correct ManageIQ has the following dependencies to interact with GCE:
ManageIQ >> FOG_GOOGLE >> GOOGLE-API-RUBY-CLIENT >> GOOGLE-AUTH-LIBRARY-RUBY >> FARADAY.

It seems that the PROXY support is in GOOGLE-API-RUBY-CLIENT since the following PR:


with:
proxy = options[:proxy] || Object::ENV["http_proxy"]

I have not yet found the exact place where FOG_GOOGLE calls GOOGLE-API-RUBY-CLIENT but I was hoping that setting the ENV variable “http_proxy” in my container at creation time would allow me to use my proxy in manageIQ. It did not work since my container was no longer working (I think the VAR messed up the container starting process).

Then I tried to start the container, export the variable in it (simple export var) and restart the service evmserverd (don't remember the exact name) but I still had a connection error in my log files:

[2016-08-01T18:03:49.155341 #731:3fd3a168c0e0] ERROR – : MIQ(ems_cloud_controller-create): Credential validation was not successful: Network is unreachable - connect(2) for “accounts.google.com” port 443

Will continue to dig but any advice is welcome.


#3

@blomquisg can you review this question from @Charles_Walker and forward to a SME if necessary.


#4

Hi @Charles_Walker,

this is a feature that’s on the roadmap, but not yet complete. If you wanted to dabble, you could probably look at how we do this with our Azure provider today and set up something similar.

Our implementation that we’re working toward will allow each provider to use their own proxy configurations. But, a code change that mirrors how Azure uses the proxy would likely get you past your problems.


#5

Hi,

@blomquisg Thx a lot for the response and confirming that this was actually not possible.
I think it will help other people who could think of the “proxy” configuration parameter as generic and working on all providers.

I had a look at the Azure PR which was mentioned in my first post but I fear that the change for GCE will be more complicated.
In fact for Azure you just had to retrieve the parameter from the config and give it to the AZURE API.

For GCE I tried to do the same and even ended up hardcoding it in the library used by Manageiq to interact with GCE: fog-google, with:

api_client_options = {
  :application_name => application_name,
  :application_version => Fog::Google::VERSION,
  :proxy => "http://172.31.118.249:3128"
}

In fog-google-0.3.2/lib/fog/google/shared.rb in the function new_pk12_google_client
and also put the proxy directly in the library used by fog-google to dialogue with GCE : google-api-ruby-client with :

>     logger.error {"Before hack"}                                              
>     proxy = options[:proxy] || Object::ENV["http_proxy"]                      
>     #proxy = URI.encode("172.31.118.249:3128")                                
>     proxy = "http://172.31.118.249:3128"  

in the file google-api-client-0.8.6/lib/google/api_client.rb in the function initialize

It seems to work a little better but still fails.
I think the issue comes more from FOG-GOOGLE than manageiq to be honest and I think it is because FOG-GOOGLE does not handle proxy settings properly.

The issue on FOG-GOOGLE seems to be very similar to the one described here:


and linked to the proxy support on the OAuth part.
In the end… I did not manage to have it working properly yet and I'm now following another idea which would be the use of the http_proxy env variable. It seems that Faraday itself is able to detect it:

so if I manage to “inject” this env variable in the manageiq environment it should work.
I tried to do an “export” and restart the evmserverd service but it did not work so I'm wondering if doing an export + restart service is enough to have the ENV used by ManageIQ or if there is any way to define an ENV so that ManageIQ sees it?

Thx again for the support and help, Charles.


#6

So I think I progressed a little by injecting the ENV var in the ManageIQ ENV with:
Environment="http_proxy=http://172.31.118.249:3128"
in the system service file evmserverd.service and restarting it.

It seems to go a little further but now I have a different error with the following message on the UI :

Credential validation was not successful: google has no compute service

I cannot spend more time investigating this issue right now and will thus deploy a second ManageIQ instance on a server with direct internet access (no proxy) to be able to test it more and see if it fits my company's needs.

Thx for the support guys. Will keep you posted if I go back to this investigation.

I hope this post can help the future users who are trying to use ManageIQ behind a proxy.

Cheers, Charles.


#7

I managed to have it working fine by adding “proxy” environment variables. Just modify the file (in the container):

/usr/lib/systemd/system/evmserverd.service

With:

Environment="http_proxy=http://172.31.118.249:3128"
Environment="HTTP_PROXY=http://172.31.118.249:3128"
Environment="https_proxy=https://172.31.118.249:3128"
Environment="HTTPS_PROXY=https://172.31.118.249:3128"

In the [Service] section and restart the process:

systemctl restart evmserverd

And it works fine !
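
Added example, not part of the thread or of ManageIQ: systemd hands Environment= assignments to the service it starts, whereas an export typed in an interactive shell never reaches that service. The sketch below compares the proxy variables declared in a unit file with those present in a process's environment dump; the function names and the use of /proc/<pid>/environ as input are assumptions of this example.

```sh
#!/bin/sh
# Added example: which proxy settings from the unit file did the process get?

# Print NAME=value for each *_proxy assignment in Environment= lines of the
# [Service] section of unit file $1. Straight double quotes are stripped.
# Typographic quotes are not quotes to systemd, so an assignment wrapped in
# them is not recognised here either.
unit_proxy_vars() {
  awk '
    /^\[/ { in_service = ($0 == "[Service]"); next }
    in_service && /^Environment=/ {
      line = substr($0, 13)            # text after "Environment="
      gsub(/"/, "", line)              # drop straight quotes
      n = split(line, parts, /[ \t]+/)
      for (i = 1; i <= n; i++)
        if (tolower(parts[i]) ~ /^(https?|no)_proxy=/) print parts[i]
    }' "$1" | sort
}

# Print the *_proxy variables in a NUL-separated environment dump $1
# (on Linux, the format of /proc/<pid>/environ).
process_proxy_vars() {
  tr '\0' '\n' < "$1" | grep -iE '^(https?|no)_proxy=' | sort
}

# Print the assignments declared in unit $1 that the process dump $2 lacks.
# Output here means the process predates the edit, or the variable was only
# exported in a shell and never reached the service.
missing_in_process() {
  have=$(process_proxy_vars "$2")
  unit_proxy_vars "$1" | while IFS= read -r kv; do
    printf '%s\n' "$have" | grep -Fqx -- "$kv" || printf '%s\n' "$kv"
  done
}

# Usage (paths are placeholders):
#   missing_in_process /usr/lib/systemd/system/evmserverd.service /proc/<pid>/environ
```

The PID for the second argument is the one reported by systemctl show -p MainPID evmserverd; an empty result means every declared proxy variable reached the running process.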


#8

Great!

To the ManageIQ team, should we implement a central proxy configuration somewhere? Maybe it is already an RFE?