I have been wanting to write this blog post to summarize the challenges that I had with proxies when installing OpenShift. The truth is that I don’t have the complete list of how to solve every problem in a proxy environment. I will try to list out what I did in the past and help you to avoid or debug proxy-related issues as much as I can.
Environment Variable
- Whitelisting hosts that the platform will be accessing. For example, if you are using subscription manager on RHEL, you will need to whitelist the following hosts.
  For RHSM/RHN (rpms):
  - subscription.rhsm.redhat.com:443
  - subscription.rhn.redhat.com:443
  - cdn.redhat.com:443
  For RH’s docker registry:
  - access.redhat.com
  - registry.access.redhat.com
  - redhat.io
  - registry.redhat.io
  Examples of other access that you may need:
  - index.docker.io
  - github.com
  - maven.org (Maven Central)
  - docker.io (dockerhub connection)
  - npmjs.org (node js build)
- Set up /etc/profile.d/proxy.sh on all the nodes for your platform:

      # cat /etc/profile.d/proxy.sh
      export http_proxy=http://host.name:port/
      export https_proxy=http://host.name:port/
      export no_proxy=.example.com,.svc

  Note: “.svc” is needed when you want to install Service Catalog.
Add Proxy Information into Ansible Hosts File
Here is the list of parameters for a proxy environment:

    openshift_http_proxy=http://IPADDR:PORT
    openshift_https_proxy=https://IPADDR:PORT
    openshift_no_proxy='.example.com,some-internal-hosts.com'
Update Dockerfile with Proxy Information
After installation, the service IP of the internal docker registry needs to be added to the NO_PROXY parameter in the docker configuration file /etc/sysconfig/docker.
Get the service IP of docker-registry on OpenShift:

    oc get svc docker-registry -n default

Append the service IP to the NO_PROXY list in the file.
Testing Build and Pushing Images to Registry
After the installation, it is always good to test a build and make sure images can be pushed into the internal registry.
Here is my checklist if the build fails or an image cannot be pushed.
- Check if the hosts that you are trying to access are on the whitelist for your proxy.
- Check if gitNoProxy is configured correctly under the BuildDefaults plug-in in /etc/origin/master/master-config.yaml. For example, if you are accessing an internal git repo, make sure the repository server is on the gitNoProxy list.
- In 3.7, you will also need to add the kubernetes service IP to the NO_PROXY environment variable and redeploy the docker-registry. Otherwise, you will get an error when trying to push images to the internal docker registry. See this link for more details: https://bugzilla.redhat.com/show_bug.cgi?id=1511870.
Note: to get the service IP for kubernetes: oc get svc kubernetes -n default
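The NO_PROXY checks above (the docker-registry service IP in /etc/sysconfig/docker and the kubernetes service IP in 3.7) can be scripted. The following is an added example, not part of the original post; the function names, the sample file contents and the 172.30.x.x addresses are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): report entries missing from the
# NO_PROXY/no_proxy list in a file such as /etc/sysconfig/docker.

# get_no_proxy FILE: print the value of the last NO_PROXY= or no_proxy=
# assignment in FILE (optional "export", optional quotes; comments ignored).
get_no_proxy() {
    sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?(NO_PROXY|no_proxy)=[\"']?([^\"']*)[\"']?[[:space:]]*\$/\3/p" "$1" | tail -n 1
}

# missing_no_proxy FILE ENTRY...: print every ENTRY that is not an exact
# comma-separated item of the list; exit status 1 if anything is missing.
# The body is a subshell, so its variables do not leak into the caller.
missing_no_proxy() (
    file=$1; shift
    rc=0
    list=",$(get_no_proxy "$file" | tr -d '[:space:]'),"
    for entry in "$@"; do
        case "$list" in
            *",$entry,"*) ;;   # exact item match: 172.30.1.1 != 172.30.1.10
            *) printf '%s\n' "$entry"; rc=1 ;;
        esac
    done
    exit "$rc"
)

# Constructed sample standing in for /etc/sysconfig/docker.
sample=$(mktemp)
cat > "$sample" <<'EOF'
HTTP_PROXY='http://host.name:port/'
NO_PROXY='.example.com,.svc,172.30.1.10'
EOF

# Constructed service IPs; on a cluster, use the values reported by
# "oc get svc docker-registry -n default" and "oc get svc kubernetes -n default".
if missing=$(missing_no_proxy "$sample" .svc 172.30.1.1 172.30.1.10); then
    echo "NO_PROXY covers all required entries"
else
    printf 'missing from NO_PROXY: %s\n' "$missing"
fi
rm -f "$sample"
```

The same functions also read the lowercase `export no_proxy=...` form used in /etc/profile.d/proxy.sh.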
Hopefully, the checklist will help you to avoid proxy-related issues during installation.