Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

settings.network: add new proxy settings #1204

Merged
merged 2 commits into from
Jan 5, 2021
Merged

settings.network: add new proxy settings #1204

merged 2 commits into from
Jan 5, 2021

Conversation

etungsten
Copy link
Contributor

@etungsten etungsten commented Nov 11, 2020
edited
Loading

Issue number:
Addresses #1178

Description of changes:

Author: Erikson Tung <etung@amazon.com>
Date:   Wed Nov 11 00:06:23 2020 -0800

    settings.network: add new proxy settings
    
    Add new settings for configuring HTTPS_PROXY/https_proxy and
    NO_PROXY/no_proxy environment variables.
    
    These environment variables will only be exposed to a limited set
    of services that need them.


Author: Erikson Tung <etung@amazon.com>
Date:   Tue Nov 10 23:49:38 2020 -0800

    schnauzer: add `host` helper
    
    Adds a new rendering-template helper that trims a fully qualified URL
    setting down to just its host portion.

Testing done:
Set up a simple HTTPS proxy server with tinyproxy with mostly default settings.

  • Kubernetes Variant testing

Built aws-k8s-1.17/arm64 AMI and launched several instances with the following settings in my userdata:

[settings.network]
https-proxy="myhttpserver:9898"
no-proxy=[".test"]

Host containers, both admin and control, come up fine.

All of the nodes came up fine in my EKS cluster. Can pull images and run pods.

Checked the HTTPS proxy server access logs and observed traffic from the instances I launched:

INFO      Dec 11 21:23:38 [18613]: Starting main loop. Accepting connections.
CONNECT   Dec 11 21:26:53 [18625]: Connect (file descriptor 7): ec2-18-236-101-17.us-west-2.compute.amazonaws.com [18.236.101.17]
CONNECT   Dec 11 21:26:53 [18625]: Request (file descriptor 7): CONNECT api.ecr.us-west-2.amazonaws.com:443 HTTP/1.1
INFO      Dec 11 21:26:53 [18625]: No upstream proxy for api.ecr.us-west-2.amazonaws.com
INFO      Dec 11 21:26:53 [18625]: opensock: opening connection to api.ecr.us-west-2.amazonaws.com:443
INFO      Dec 11 21:26:53 [18625]: opensock: getaddrinfo returned for api.ecr.us-west-2.amazonaws.com:443
CONNECT   Dec 11 21:26:53 [18625]: Established connection to host "api.ecr.us-west-2.amazonaws.com" using file descriptor 8.
INFO      Dec 11 21:26:53 [18625]: Not sending client headers to remote machine
INFO      Dec 11 21:26:54 [18625]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Dec 11 21:26:54 [18624]: Connect (file descriptor 7): ec2-18-236-101-17.us-west-2.compute.amazonaws.com [18.236.101.17]
CONNECT   Dec 11 21:26:54 [18624]: Request (file descriptor 7): CONNECT ec2.us-west-2.amazonaws.com:443 HTTP/1.1
INFO      Dec 11 21:26:54 [18624]: No upstream proxy for ec2.us-west-2.amazonaws.com
INFO      Dec 11 21:26:54 [18624]: opensock: opening connection to ec2.us-west-2.amazonaws.com:443
INFO      Dec 11 21:26:54 [18624]: opensock: getaddrinfo returned for ec2.us-west-2.amazonaws.com:443
CONNECT   Dec 11 21:26:54 [18624]: Established connection to host "ec2.us-west-2.amazonaws.com" using file descriptor 8.
INFO      Dec 11 21:26:54 [18624]: Not sending client headers to remote machine
INFO      Dec 11 21:26:54 [18624]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Dec 11 21:26:54 [18625]: Connect (file descriptor 7): ec2-18-236-101-17.us-west-2.compute.amazonaws.com [18.236.101.17]
CONNECT   Dec 11 21:26:54 [18625]: Request (file descriptor 7): CONNECT api.ecr.us-west-2.amazonaws.com:443 HTTP/1.1
INFO      Dec 11 21:26:54 [18625]: No upstream proxy for api.ecr.us-west-2.amazonaws.com
INFO      Dec 11 21:26:54 [18625]: opensock: opening connection to api.ecr.us-west-2.amazonaws.com:443
INFO      Dec 11 21:26:54 [18625]: opensock: getaddrinfo returned for api.ecr.us-west-2.amazonaws.com:443
CONNECT   Dec 11 21:26:54 [18625]: Established connection to host "api.ecr.us-west-2.amazonaws.com" using file descriptor 8.
INFO      Dec 11 21:26:54 [18625]: Not sending client headers to remote machine
INFO      Dec 11 21:26:54 [18625]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Dec 11 21:26:54 [18623]: Connect (file descriptor 7): ec2-18-236-101-17.us-west-2.compute.amazonaws.com [18.236.101.17]
CONNECT   Dec 11 21:26:54 [18623]: Request (file descriptor 7): CONNECT ec2.us-west-2.amazonaws.com:443 HTTP/1.1
INFO      Dec 11 21:26:54 [18623]: No upstream proxy for ec2.us-west-2.amazonaws.com
INFO      Dec 11 21:26:54 [18623]: opensock: opening connection to ec2.us-west-2.amazonaws.com:443
INFO      Dec 11 21:26:54 [18623]: opensock: getaddrinfo returned for ec2.us-west-2.amazonaws.com:443
CONNECT   Dec 11 21:26:54 [18623]: Established connection to host "ec2.us-west-2.amazonaws.com" using file descriptor 8.
INFO      Dec 11 21:26:54 [18623]: Not sending client headers to remote machine
INFO      Dec 11 21:28:02 [18623]: Closed connection between local client (fd:7) and remote client (fd:8)

Ran Kubernetes certified-conformance tests and all of them pass.

To make sure that no_proxy'ing the Kubernetes API server works, I limited the API endpoint access to within the cluster's private VPC and the nodes fail to connect to the cluster as expected if I do not no_proxy the API server endpoint. Once I do (by rendering the proxy-env template with settings.kubernetes.apiserver), the node comes up fine.

  • ECS variant testing

Launched ECS variant with https-proxy set to my https proxy server. Started a simple nginx task and it runs fine. I'm able curl localhost:80 and get the nginx welcome page.
Observed traffic on my https server:

CONNECT   Dec 11 21:51:47 [19062]: Connect (file descriptor 7): ec2-52-36-254-125.us-west-2.compute.amazonaws.com [52.36.254.125]
CONNECT   Dec 11 21:51:47 [19062]: Request (file descriptor 7): CONNECT registry-1.docker.io:443 HTTP/1.1
INFO      Dec 11 21:51:47 [19062]: No upstream proxy for registry-1.docker.io
INFO      Dec 11 21:51:47 [19062]: opensock: opening connection to registry-1.docker.io:443
INFO      Dec 11 21:51:47 [19062]: opensock: getaddrinfo returned for registry-1.docker.io:443
CONNECT   Dec 11 21:51:47 [19062]: Established connection to host "registry-1.docker.io" using file descriptor 8.
INFO      Dec 11 21:51:47 [19062]: Not sending client headers to remote machine
CONNECT   Dec 11 21:51:47 [18625]: Connect (file descriptor 7): ec2-52-36-254-125.us-west-2.compute.amazonaws.com [52.36.254.125]
CONNECT   Dec 11 21:51:47 [18625]: Request (file descriptor 7): CONNECT auth.docker.io:443 HTTP/1.1
INFO      Dec 11 21:51:47 [18625]: No upstream proxy for auth.docker.io
INFO      Dec 11 21:51:47 [18625]: opensock: opening connection to auth.docker.io:443
INFO      Dec 11 21:51:47 [18625]: opensock: getaddrinfo returned for auth.docker.io:443
CONNECT   Dec 11 21:51:47 [18625]: Established connection to host "auth.docker.io" using file descriptor 8.
INFO      Dec 11 21:51:47 [18625]: Not sending client headers to remote machine
CONNECT   Dec 11 21:51:47 [19056]: Connect (file descriptor 7): ec2-52-36-254-125.us-west-2.compute.amazonaws.com [52.36.254.125]
CONNECT   Dec 11 21:51:47 [19056]: Request (file descriptor 7): CONNECT registry-1.docker.io:443 HTTP/1.1
INFO      Dec 11 21:51:47 [19056]: No upstream proxy for registry-1.docker.io
INFO      Dec 11 21:51:47 [19056]: opensock: opening connection to registry-1.docker.io:443
INFO      Dec 11 21:51:47 [19056]: opensock: getaddrinfo returned for registry-1.docker.io:443
CONNECT   Dec 11 21:51:47 [19056]: Established connection to host "registry-1.docker.io" using file descriptor 8.
INFO      Dec 11 21:51:47 [19056]: Not sending client headers to remote machine
INFO      Dec 11 21:51:48 [19056]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Dec 11 21:51:48 [19061]: Connect (file descriptor 7): ec2-52-36-254-125.us-west-2.compute.amazonaws.com [52.36.254.125]
CONNECT   Dec 11 21:51:48 [19061]: Request (file descriptor 7): CONNECT auth.docker.io:443 HTTP/1.1
INFO      Dec 11 21:51:48 [19061]: No upstream proxy for auth.docker.io
INFO      Dec 11 21:51:48 [19061]: opensock: opening connection to auth.docker.io:443
INFO      Dec 11 21:51:48 [19061]: opensock: getaddrinfo returned for auth.docker.io:443
CONNECT   Dec 11 21:51:48 [19061]: Established connection to host "auth.docker.io" using file descriptor 8.
INFO      Dec 11 21:51:48 [19061]: Not sending client headers to remote machine
CONNECT   Dec 11 21:51:48 [19066]: Connect (file descriptor 7): ec2-44-242-151-120.us-west-2.compute.amazonaws.com [44.242.151.120]
CONNECT   Dec 11 21:51:48 [19066]: Request (file descriptor 7): CONNECT registry.hub.docker.com:443 HTTP/1.1
INFO      Dec 11 21:51:48 [19066]: No upstream proxy for registry.hub.docker.com
INFO      Dec 11 21:51:48 [19066]: opensock: opening connection to registry.hub.docker.com:443
INFO      Dec 11 21:51:48 [19066]: opensock: getaddrinfo returned for registry.hub.docker.com:443
CONNECT   Dec 11 21:51:48 [19066]: Established connection to host "registry.hub.docker.com" using file descriptor 8.
INFO      Dec 11 21:51:48 [19066]: Not sending client headers to remote machine
CONNECT   Dec 11 21:51:48 [18624]: Connect (file descriptor 7): ec2-52-36-254-125.us-west-2.compute.amazonaws.com [52.36.254.125]
CONNECT   Dec 11 21:51:48 [18624]: Request (file descriptor 7): CONNECT registry-1.docker.io:443 HTTP/1.1
INFO      Dec 11 21:51:48 [18624]: No upstream proxy for registry-1.docker.io
INFO      Dec 11 21:51:48 [18624]: opensock: opening connection to registry-1.docker.io:443
INFO      Dec 11 21:51:48 [18624]: opensock: getaddrinfo returned for registry-1.docker.io:443
CONNECT   Dec 11 21:51:48 [18624]: Established connection to host "registry-1.docker.io" using file descriptor 8.
INFO      Dec 11 21:51:48 [18624]: Not sending client headers to remote machine
INFO      Dec 11 21:51:48 [19066]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Dec 11 21:51:48 [19066]: Connect (file descriptor 7): ec2-44-242-151-120.us-west-2.compute.amazonaws.com [44.242.151.120]
CONNECT   Dec 11 21:51:48 [19066]: Request (file descriptor 7): CONNECT auth.docker.io:443 HTTP/1.1
INFO      Dec 11 21:51:48 [19066]: No upstream proxy for auth.docker.io
INFO      Dec 11 21:51:48 [19066]: opensock: opening connection to auth.docker.io:443
INFO      Dec 11 21:51:48 [19066]: opensock: getaddrinfo returned for auth.docker.io:443
CONNECT   Dec 11 21:51:48 [19066]: Established connection to host "auth.docker.io" using file descriptor 8.
INFO      Dec 11 21:51:48 [19066]: Not sending client headers to remote machine
INFO      Dec 11 21:51:48 [19066]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Dec 11 21:51:48 [19072]: Connect (file descriptor 7): ec2-44-242-151-120.us-west-2.compute.amazonaws.com [44.242.151.120]
CONNECT   Dec 11 21:51:48 [19072]: Request (file descriptor 7): CONNECT registry.hub.docker.com:443 HTTP/1.1
INFO      Dec 11 21:51:48 [19072]: No upstream proxy for registry.hub.docker.com
INFO      Dec 11 21:51:48 [19072]: opensock: opening connection to registry.hub.docker.com:443
INFO      Dec 11 21:51:48 [19072]: opensock: getaddrinfo returned for registry.hub.docker.com:443
CONNECT   Dec 11 21:51:48 [19072]: Established connection to host "registry.hub.docker.com" using file descriptor 8.
INFO      Dec 11 21:51:48 [19072]: Not sending client headers to remote machine
CONNECT   Dec 11 21:51:49 [19058]: Connect (file descriptor 7): ec2-52-36-254-125.us-west-2.compute.amazonaws.com [52.36.254.125]
CONNECT   Dec 11 21:51:49 [19058]: Request (file descriptor 7): CONNECT registry-1.docker.io:443 HTTP/1.1
INFO      Dec 11 21:51:49 [19058]: No upstream proxy for registry-1.docker.io
INFO      Dec 11 21:51:49 [19058]: opensock: opening connection to registry-1.docker.io:443
CONNECT   Dec 11 21:51:49 [18619]: Connect (file descriptor 7): ec2-52-36-254-125.us-west-2.compute.amazonaws.com [52.36.254.125]
INFO      Dec 11 21:51:49 [19058]: opensock: getaddrinfo returned for registry-1.docker.io:443
CONNECT   Dec 11 21:51:49 [18619]: Request (file descriptor 7): CONNECT registry-1.docker.io:443 HTTP/1.1
INFO      Dec 11 21:51:49 [18619]: No upstream proxy for registry-1.docker.io
INFO      Dec 11 21:51:49 [18619]: opensock: opening connection to registry-1.docker.io:443
INFO      Dec 11 21:51:49 [18619]: opensock: getaddrinfo returned for registry-1.docker.io:443
CONNECT   Dec 11 21:51:49 [19058]: Established connection to host "registry-1.docker.io" using file descriptor 8.
INFO      Dec 11 21:51:49 [19058]: Not sending client headers to remote machine
CONNECT   Dec 11 21:51:49 [18619]: Established connection to host "registry-1.docker.io" using file descriptor 8.
INFO      Dec 11 21:51:49 [18619]: Not sending client headers to remote machine
CONNECT   Dec 11 21:51:49 [19065]: Connect (file descriptor 7): ec2-52-36-254-125.us-west-2.compute.amazonaws.com [52.36.254.125]
CONNECT   Dec 11 21:51:49 [19065]: Request (file descriptor 7): CONNECT production.cloudflare.docker.com:443 HTTP/1.1
INFO      Dec 11 21:51:49 [19065]: No upstream proxy for production.cloudflare.docker.com
INFO      Dec 11 21:51:49 [19065]: opensock: opening connection to production.cloudflare.docker.com:443
INFO      Dec 11 21:51:49 [19065]: opensock: getaddrinfo returned for production.cloudflare.docker.com:443
CONNECT   Dec 11 21:51:49 [19065]: Established connection to host "production.cloudflare.docker.com" using file descriptor 8.
INFO      Dec 11 21:51:49 [19065]: Not sending client headers to remote machine
INFO      Dec 11 21:51:49 [19072]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Dec 11 21:51:49 [18623]: Connect (file descriptor 7): ec2-44-242-151-120.us-west-2.compute.amazonaws.com [44.242.151.120]
CONNECT   Dec 11 21:51:49 [18623]: Request (file descriptor 7): CONNECT registry.hub.docker.com:443 HTTP/1.1
INFO      Dec 11 21:51:49 [18623]: No upstream proxy for registry.hub.docker.com
INFO      Dec 11 21:51:49 [18623]: opensock: opening connection to registry.hub.docker.com:443
INFO      Dec 11 21:51:49 [18623]: opensock: getaddrinfo returned for registry.hub.docker.com:443
CONNECT   Dec 11 21:51:49 [19063]: Connect (file descriptor 7): ec2-52-36-254-125.us-west-2.compute.amazonaws.com [52.36.254.125]
CONNECT   Dec 11 21:51:49 [19063]: Request (file descriptor 7): CONNECT production.cloudflare.docker.com:443 HTTP/1.1
INFO      Dec 11 21:51:49 [19063]: No upstream proxy for production.cloudflare.docker.com
INFO      Dec 11 21:51:49 [19063]: opensock: opening connection to production.cloudflare.docker.com:443
INFO      Dec 11 21:51:49 [19063]: opensock: getaddrinfo returned for production.cloudflare.docker.com:443
CONNECT   Dec 11 21:51:49 [19063]: Established connection to host "production.cloudflare.docker.com" using file descriptor 8.
INFO      Dec 11 21:51:49 [19063]: Not sending client headers to remote machine
CONNECT   Dec 11 21:51:49 [18623]: Established connection to host "registry.hub.docker.com" using file descriptor 8.
INFO      Dec 11 21:51:49 [18623]: Not sending client headers to remote machine
INFO      Dec 11 21:51:49 [18619]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO      Dec 11 21:51:49 [18623]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Dec 11 21:51:49 [19071]: Connect (file descriptor 7): ec2-44-242-151-120.us-west-2.compute.amazonaws.com [44.242.151.120]
CONNECT   Dec 11 21:51:49 [18623]: Connect (file descriptor 7): ec2-44-242-151-120.us-west-2.compute.amazonaws.com [44.242.151.120]
CONNECT   Dec 11 21:51:49 [19059]: Connect (file descriptor 7): ec2-44-242-151-120.us-west-2.compute.amazonaws.com [44.242.151.120]
CONNECT   Dec 11 21:51:49 [18621]: Connect (file descriptor 7): ec2-44-242-151-120.us-west-2.compute.amazonaws.com [44.242.151.120]
CONNECT   Dec 11 21:51:49 [19067]: Connect (file descriptor 7): ec2-44-242-151-120.us-west-2.compute.amazonaws.com [44.242.151.120]
CONNECT   Dec 11 21:51:49 [19070]: Connect (file descriptor 7): ec2-44-242-151-120.us-west-2.compute.amazonaws.com [44.242.151.120]
CONNECT   Dec 11 21:51:49 [18623]: Request (file descriptor 7): CONNECT registry.hub.docker.com:443 HTTP/1.1
CONNECT   Dec 11 21:51:49 [19071]: Request (file descriptor 7): CONNECT registry.hub.docker.com:443 HTTP/1.1
CONNECT   Dec 11 21:51:49 [18621]: Request (file descriptor 7): CONNECT registry.hub.docker.com:443 HTTP/1.1
CONNECT   Dec 11 21:51:49 [19059]: Request (file descriptor 7): CONNECT registry.hub.docker.com:443 HTTP/1.1
CONNECT   Dec 11 21:51:49 [19067]: Request (file descriptor 7): CONNECT registry.hub.docker.com:443 HTTP/1.1
INFO      Dec 11 21:51:49 [18621]: No upstream proxy for registry.hub.docker.com
CONNECT   Dec 11 21:51:49 [19070]: Request (file descriptor 7): CONNECT registry.hub.docker.com:443 HTTP/1.1
INFO      Dec 11 21:51:49 [19059]: No upstream proxy for registry.hub.docker.com
INFO      Dec 11 21:51:49 [19071]: No upstream proxy for registry.hub.docker.com
INFO      Dec 11 21:51:49 [18623]: No upstream proxy for registry.hub.docker.com
INFO      Dec 11 21:51:49 [18621]: opensock: opening connection to registry.hub.docker.com:443
INFO      Dec 11 21:51:49 [19067]: No upstream proxy for registry.hub.docker.com
INFO      Dec 11 21:51:49 [19070]: No upstream proxy for registry.hub.docker.com
INFO      Dec 11 21:51:49 [19071]: opensock: opening connection to registry.hub.docker.com:443
INFO      Dec 11 21:51:49 [19059]: opensock: opening connection to registry.hub.docker.com:443
INFO      Dec 11 21:51:49 [19067]: opensock: opening connection to registry.hub.docker.com:443
INFO      Dec 11 21:51:49 [18623]: opensock: opening connection to registry.hub.docker.com:443
INFO      Dec 11 21:51:49 [18621]: opensock: getaddrinfo returned for registry.hub.docker.com:443
INFO      Dec 11 21:51:49 [19071]: opensock: getaddrinfo returned for registry.hub.docker.com:443
INFO      Dec 11 21:51:49 [19070]: opensock: opening connection to registry.hub.docker.com:443
INFO      Dec 11 21:51:49 [19067]: opensock: getaddrinfo returned for registry.hub.docker.com:443
INFO      Dec 11 21:51:49 [19059]: opensock: getaddrinfo returned for registry.hub.docker.com:443
INFO      Dec 11 21:51:49 [18623]: opensock: getaddrinfo returned for registry.hub.docker.com:443
INFO      Dec 11 21:51:49 [19070]: opensock: getaddrinfo returned for registry.hub.docker.com:443
CONNECT   Dec 11 21:51:49 [19071]: Established connection to host "registry.hub.docker.com" using file descriptor 8.
CONNECT   Dec 11 21:51:49 [19059]: Established connection to host "registry.hub.docker.com" using file descriptor 8.
INFO      Dec 11 21:51:49 [19059]: Not sending client headers to remote machine
INFO      Dec 11 21:51:49 [19071]: Not sending client headers to remote machine
CONNECT   Dec 11 21:51:49 [18621]: Established connection to host "registry.hub.docker.com" using file descriptor 8.
CONNECT   Dec 11 21:51:49 [18623]: Established connection to host "registry.hub.docker.com" using file descriptor 8.
INFO      Dec 11 21:51:49 [18621]: Not sending client headers to remote machine
INFO      Dec 11 21:51:49 [18623]: Not sending client headers to remote machine
CONNECT   Dec 11 21:51:49 [19070]: Established connection to host "registry.hub.docker.com" using file descriptor 8.
INFO      Dec 11 21:51:49 [19070]: Not sending client headers to remote machine
CONNECT   Dec 11 21:51:49 [19067]: Established connection to host "registry.hub.docker.com" using file descriptor 8.
INFO      Dec 11 21:51:49 [19067]: Not sending client headers to remote machine
INFO      Dec 11 21:51:50 [19059]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Dec 11 21:51:50 [19056]: Connect (file descriptor 7): ec2-44-242-151-120.us-west-2.compute.amazonaws.com [44.242.151.120]
CONNECT   Dec 11 21:51:50 [19056]: Request (file descriptor 7): CONNECT production.cloudflare.docker.com:443 HTTP/1.1
INFO      Dec 11 21:51:50 [19070]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO      Dec 11 21:51:50 [19056]: No upstream proxy for production.cloudflare.docker.com
CONNECT   Dec 11 21:51:50 [19070]: Connect (file descriptor 7): ec2-44-242-151-120.us-west-2.compute.amazonaws.com [44.242.151.120]
INFO      Dec 11 21:51:50 [19071]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Dec 11 21:51:50 [19070]: Request (file descriptor 7): CONNECT production.cloudflare.docker.com:443 HTTP/1.1
INFO      Dec 11 21:51:50 [19056]: opensock: opening connection to production.cloudflare.docker.com:443
CONNECT   Dec 11 21:51:50 [19066]: Connect (file descriptor 7): ec2-44-242-151-120.us-west-2.compute.amazonaws.com [44.242.151.120]
INFO      Dec 11 21:51:50 [19070]: No upstream proxy for production.cloudflare.docker.com
INFO      Dec 11 21:51:50 [19056]: opensock: getaddrinfo returned for production.cloudflare.docker.com:443
INFO      Dec 11 21:51:50 [19070]: opensock: opening connection to production.cloudflare.docker.com:443
CONNECT   Dec 11 21:51:50 [19066]: Request (file descriptor 7): CONNECT production.cloudflare.docker.com:443 HTTP/1.1
INFO      Dec 11 21:51:50 [19066]: No upstream proxy for production.cloudflare.docker.com
INFO      Dec 11 21:51:50 [19070]: opensock: getaddrinfo returned for production.cloudflare.docker.com:443
INFO      Dec 11 21:51:50 [18621]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO      Dec 11 21:51:50 [19066]: opensock: opening connection to production.cloudflare.docker.com:443
CONNECT   Dec 11 21:51:50 [19059]: Connect (file descriptor 7): ec2-44-242-151-120.us-west-2.compute.amazonaws.com [44.242.151.120]
CONNECT   Dec 11 21:51:50 [19059]: Request (file descriptor 7): CONNECT production.cloudflare.docker.com:443 HTTP/1.1
INFO      Dec 11 21:51:50 [19066]: opensock: getaddrinfo returned for production.cloudflare.docker.com:443
INFO      Dec 11 21:51:50 [19059]: No upstream proxy for production.cloudflare.docker.com
CONNECT   Dec 11 21:51:50 [19056]: Established connection to host "production.cloudflare.docker.com" using file descriptor 8.
INFO      Dec 11 21:51:50 [19059]: opensock: opening connection to production.cloudflare.docker.com:443
CONNECT   Dec 11 21:51:50 [19070]: Established connection to host "production.cloudflare.docker.com" using file descriptor 8.
INFO      Dec 11 21:51:50 [19056]: Not sending client headers to remote machine
INFO      Dec 11 21:51:50 [19059]: opensock: getaddrinfo returned for production.cloudflare.docker.com:443
INFO      Dec 11 21:51:50 [19070]: Not sending client headers to remote machine
CONNECT   Dec 11 21:51:50 [19066]: Established connection to host "production.cloudflare.docker.com" using file descriptor 8.
INFO      Dec 11 21:51:50 [19066]: Not sending client headers to remote machine
CONNECT   Dec 11 21:51:50 [19059]: Established connection to host "production.cloudflare.docker.com" using file descriptor 8.
INFO      Dec 11 21:51:50 [19059]: Not sending client headers to remote machine
INFO      Dec 11 21:51:50 [19067]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Dec 11 21:51:50 [18619]: Connect (file descriptor 7): ec2-44-242-151-120.us-west-2.compute.amazonaws.com [44.242.151.120]
CONNECT   Dec 11 21:51:50 [18619]: Request (file descriptor 7): CONNECT production.cloudflare.docker.com:443 HTTP/1.1
INFO      Dec 11 21:51:50 [18619]: No upstream proxy for production.cloudflare.docker.com
INFO      Dec 11 21:51:50 [18623]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO      Dec 11 21:51:50 [18619]: opensock: opening connection to production.cloudflare.docker.com:443
CONNECT   Dec 11 21:51:50 [19067]: Connect (file descriptor 7): ec2-44-242-151-120.us-west-2.compute.amazonaws.com [44.242.151.120]
CONNECT   Dec 11 21:51:50 [19067]: Request (file descriptor 7): CONNECT production.cloudflare.docker.com:443 HTTP/1.1
INFO      Dec 11 21:51:50 [18619]: opensock: getaddrinfo returned for production.cloudflare.docker.com:443
INFO      Dec 11 21:51:50 [19067]: No upstream proxy for production.cloudflare.docker.com
INFO      Dec 11 21:51:50 [19067]: opensock: opening connection to production.cloudflare.docker.com:443
INFO      Dec 11 21:51:50 [19067]: opensock: getaddrinfo returned for production.cloudflare.docker.com:443
CONNECT   Dec 11 21:51:50 [18619]: Established connection to host "production.cloudflare.docker.com" using file descriptor 8.
INFO      Dec 11 21:51:50 [18619]: Not sending client headers to remote machine
CONNECT   Dec 11 21:51:50 [19067]: Established connection to host "production.cloudflare.docker.com" using file descriptor 8.
INFO      Dec 11 21:51:50 [19067]: Not sending client headers to remote machine
INFO      Dec 11 21:51:50 [19056]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO      Dec 11 21:51:50 [19070]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO      Dec 11 21:51:50 [19066]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO      Dec 11 21:51:50 [18619]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO      Dec 11 21:51:50 [19059]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO      Dec 11 21:51:50 [19067]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO      Dec 11 21:51:52 [18625]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO      Dec 11 21:51:52 [19062]: Closed connection between local client (fd:7) and remote client (fd:8)
CONNECT   Dec 11 21:51:53 [19062]: Connect (file descriptor 7): ec2-44-242-151-120.us-west-2.compute.amazonaws.com [44.242.151.120]
CONNECT   Dec 11 21:51:53 [19062]: Request (file descriptor 7): CONNECT ecs.us-west-2.amazonaws.com:443 HTTP/1.1
INFO      Dec 11 21:51:53 [19062]: No upstream proxy for ecs.us-west-2.amazonaws.com
INFO      Dec 11 21:51:53 [19062]: opensock: opening connection to ecs.us-west-2.amazonaws.com:443
INFO      Dec 11 21:51:53 [19062]: opensock: getaddrinfo returned for ecs.us-west-2.amazonaws.com:443
CONNECT   Dec 11 21:51:53 [19062]: Established connection to host "ecs.us-west-2.amazonaws.com" using file descriptor 8.
INFO      Dec 11 21:51:53 [19062]: Not sending client headers to remote machine
INFO      Dec 11 21:51:53 [19061]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO      Dec 11 21:51:54 [19058]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO      Dec 11 21:51:54 [18624]: Closed connection between local client (fd:7) and remote client (fd:8)
INFO      Dec 11 21:51:59 [19062]: Closed connection between local client (fd:7) and remote client (fd:8)
  • Testing the restart commands
    Launched instance without specifying proxy settings.
    After host comes up, change proxy settings to route traffic through my https proxy server:
apiclient -u /settings -m PATCH -d '{"network": {"https-proxy": "myhttpsserver:9898", "no-proxy":[".local"]}}'
apiclient -u /tx/commit_and_apply -m POST

Observed that containerd, kubelet, host-containerd all restarted successfully and pod workloads continued without problems.

Please let me know if there is anything else that needs to be tested.

Note: The migration for the new settings will fast-follow this PR.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@etungsten etungsten changed the title Network config settings.network: add new proxy settings Nov 11, 2020
@etungsten etungsten linked an issue Nov 11, 2020 that may be closed by this pull request
Add support for HTTP_PROXY environment variable configuration into various services #1178
Closed
webern
webern reviewed Nov 11, 2020
View reviewed changes
packages/ecs-agent/ecs.config Outdated Show resolved Hide resolved
sources/models/defaults.toml Outdated Show resolved Hide resolved
sources/api/schnauzer/src/lib.rs Outdated Show resolved Hide resolved
sources/models/src/aws-k8s-1.15/override-defaults.toml Show resolved Hide resolved
sources/models/src/lib.rs Outdated Show resolved Hide resolved
@etungsten
Copy link
Contributor Author

I should look into supporting CIDR notations for the no-proxy setting seeing as docker and containerd support it.

tjkirch
tjkirch reviewed Nov 11, 2020
View reviewed changes
packages/release/proxy-env Outdated Show resolved Hide resolved
packages/release/proxy-env Outdated Show resolved Hide resolved
packages/ecs-agent/ecs.config Outdated Show resolved Hide resolved
packages/ecs-agent/ecs.config Outdated Show resolved Hide resolved
sources/api/schnauzer/Cargo.toml Outdated Show resolved Hide resolved
sources/api/schnauzer/src/helpers.rs Show resolved Hide resolved
sources/models/defaults.toml Outdated Show resolved Hide resolved
sources/models/src/aws-ecs-1/override-defaults.toml Outdated Show resolved Hide resolved
sources/models/src/lib.rs Outdated Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
@etungsten
Copy link
Contributor Author

etungsten commented Nov 11, 2020
edited
Loading

Push above and below addresses @tjkirch and @webern 's comments.

Tested changes in EKS and they work as described in the PR description still.

tjkirch
tjkirch reviewed Nov 11, 2020
View reviewed changes
packages/ecs-agent/ecs.config Outdated Show resolved Hide resolved
packages/docker-engine/docker.service Outdated Show resolved Hide resolved
sources/api/schnauzer/src/helpers.rs Outdated Show resolved Hide resolved
sources/api/schnauzer/src/helpers.rs Outdated Show resolved Hide resolved
sources/api/schnauzer/src/helpers.rs Outdated Show resolved Hide resolved
sources/api/schnauzer/src/helpers.rs Show resolved Hide resolved
sources/models/defaults.toml Outdated Show resolved Hide resolved
sources/models/src/lib.rs Outdated Show resolved Hide resolved
packages/ecs-agent/ecs.config Outdated Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
@etungsten
Copy link
Contributor Author

etungsten commented Nov 12, 2020
edited
Loading

Push above and below addresses @tjkirch 's comments.

  • Removed defaults for no-proxy.
  • Added localhost, 127.0.0.1 and imds endpoint directly to the no_proxy list in the proxy-env file template
  • Other minor tweaks and fixes

@etungsten etungsten marked this pull request as ready for review November 12, 2020 17:23
@etungsten
Copy link
Contributor Author

Updated PR description with additional ECS testing info.

tjkirch
tjkirch reviewed Nov 12, 2020
View reviewed changes
README.md Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
README.md Show resolved Hide resolved
@etungsten
Copy link
Contributor Author

Push above addresses @tjkirch 's comments.
Mostly documentation changes.
Added a few more default no_proxy entries to proxy.env for ECS.
Instead of setting up the proxy env vars in ecs.config, ecs-agent.service will just source proxy.env.

tjkirch
tjkirch approved these changes Nov 12, 2020
View reviewed changes
packages/release/proxy-env Outdated
HTTPS_PROXY={{settings.network.https-proxy}}
https_proxy={{settings.network.https-proxy}}
{{/if}}
NO_PROXY={{#each settings.network.no-proxy}}{{this}},{{/each}}localhost,127.0.0.1,169.254.169.254,169.254.170.2,/var/run/docker.sock{{#if settings.kubernetes.api-server}},{{host settings.kubernetes.api-server}},.svc,.default,.local,.cluster.local{{/if}}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My only remaining concern is that we list /var/run/docker.sock but not /run/docker.sock, even though our docker.socket unit lists /run/docker.sock. Is there a chance we wouldn't proxy requests because we're using one instead of the other, even though they're symlinked? Do we need to list both?

Copy link
Contributor Author

@etungsten etungsten Nov 12, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All I know is ECS agent explicitly dials /var/run/docker.sock. As for how that gets resolved is unclear to me. I do know from testing that the ECS variant currently works with what's currently there.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@samuelkarp any thoughts?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't seen any problems with using /var/run/docker.sock on other platforms with symlinks (like Amazon Linux 2).

We should have test coverage for the ECS agent in the agent's test suite, so I'm comfortable relying on that for validation.

Copy link
Contributor

@tjkirch tjkirch Nov 12, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know that we're seeing the basics work, I guess my concern is that I'm not sure whether there could be any other components called by Docker (or whatever) that are assuming /run/docker.sock, and they've just worked for us because of the symlink, but suddenly they'd fail (or do horrible things) because they're being proxied. (I don't know of anything, and we can fix it if we find it, hence my ship-it)

README.md Outdated Show resolved Hide resolved
samuelkarp
samuelkarp reviewed Nov 12, 2020
View reviewed changes
README.md Outdated
* [host-containerd.service](packages/host-ctr/host-containerd.service)
* For Kubernetes variants:
* [kubelet.service](packages/kubernetes-1.18/kubelet.service)
* For ECS variants:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since there's only one ECS variant, should we say "For the ECS variant"?

README.md Outdated
* `settings.network.http-proxy`: The HTTP proxy server to be used by services listed above.
* `settings.network.https-proxy`: The HTTPS proxy server to be used by services listed above.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want these to be separately-configurable at this point?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't really think of a use-case for configuring http_proxy and https_proxy differently. But then again there really is no harm in letting them be separately-configurable.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's more overhead for someone who wants to enable a proxy; now they have to configure both. My preference is to have just one right now and we can always add a second one later if it becomes desirable.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would we still be setting the HTTPS_PROXY env var? Setting HTTPS_PROXY to the same contents as what's being set for HTTP_PROXY?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would we still be setting the HTTPS_PROXY env var? Setting HTTPS_PROXY to the same contents as what's being set for HTTP_PROXY?

Yep.

Perhaps the hardest question - what to call the setting? :P

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, same value for both. I'd probably call the setting "https-proxy" to imply that the proxy needs to be able to transparently handle TLS traffic.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if the user wants to use a http proxy that can't handle https traffic though? Wouldn't https-proxy be misleading and discourage the user from using the setting?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we're using the same setting for both, the proxy needs to be able to handle HTTPS traffic. I think the naming should reflect that.

Most of the traffic that will be generated from the software in Bottlerocket (pulling container images, log forwarding, talking to API endpoints) is going to be over HTTPS. cri-containerd and Docker both require HTTPS when pulling images (without manual overrides that we don't enable in Bottlerocket), and the Kubelet and ECS agent talk to their respective API endpoints over HTTPS as well.

packages/release/proxy-env Outdated Show resolved Hide resolved
tjkirch
tjkirch reviewed Nov 12, 2020
View reviewed changes
packages/docker-engine/docker.service
@@ -10,6 +10,7 @@ StartLimitIntervalSec=60s

[Service]
Type=notify
EnvironmentFile=/etc/network/proxy.env
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just realized that if docker is now depending on settings, we need to restart it on changes, i.e. make a docker service in the model.

I guess the service has to be defined separately in the aws-dev and aws-ecs-1 defaults-overrides, since we probably shouldn't have it in the defaults..?

It should probably be restarted before ecs, in the ecs model, though, and we don't have dependencies between services. Maybe in the ecs model, docker is just a restart-command in the ecs service, rather than being its own?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should probably be restarted before ecs, in the ecs model, though, and we don't have dependencies between services.

There's maybe a race while you're configuring/restarting, but it shouldn't really matter? The ECS agent should tolerate Docker going down and coming back up already. There's also a dependency listed in the unit itself, though I know that our model isn't reading that.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ugh, this also applies to containerd, host-containerd, and kubelet, I believe. We haven't dynamically affected the configuration of {host-,}containerd before. kubelet we technically could, and it seems like it wouldn't have worked without a reboot, but they're mostly dynamic settings generated at boot that you wouldn't change. (Maybe labels/taints are the worst offender?)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@samuelkarp would containerd be similarly safe to restart? No lost containers, logs, etc.?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bcressey found that restarting host-containerd kills SSH sessions, implying that the admin container is stopped. Not sure if it's a necessary kill, or if our setup is wrong.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would containerd be similarly safe to restart? No lost containers, logs, etc.?

Containerd when used either directly through its API or with Docker does no networking and wouldn't need to be restarted.

Containerd when used with Kubernetes (through cri-containerd) does networking to pull images, and would need to be restarted.

By default, containerd will not stop containers when it exits, but systemd might be killing them.

@etungsten
Copy link
Contributor Author

etungsten commented Nov 13, 2020
edited
Loading

Push above adds restart commands for all services ingesting the templated proxy.env EnvironmentFile.

Here's how I tested the changes for Kubernetes:

  1. Launched several nodes, with the http-proxy setting unset (no proxying).
  2. I applied the bottlerocket update operator on all nodes.
  3. Waited for all the agent pods and the controller pods to start running
  4. Used apiclient from the admin container to set settings.network.http-proxy to my squid http proxy server.
  5. Re-logged into the admin container and saw containerd.service and kubelet.service both restarted successfully.
  6. Checked the agent pods and controller pod and saw them all still running with the same name (meaning they didn't die)

For testing ECS, I did the following:

  1. Launched an ECS instance with the http-proxy setting unset (no proxying).
  2. Ran a simple ECS task that simply started an nginx server with host networking.
  3. Got into the admin container as curl'ed localhost:80 and saw nginx running successfully.
[ec2-user@ip- ~]$ curl localhost:80
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
  1. Used apiclient from the admin container to set settings.network.http-proxy to my squid http proxy server.
  2. Re-logged into admin container saw both docker.service and ecs.service both restarted successfully
  3. curl'd localhost:80 and saw nginx is still running fine.
  4. Checked ECS console and saw the task still running fine.

Let me know if there's anything else I should test.

@etungsten etungsten requested a review from tjkirch November 13, 2020 00:35
@etungsten etungsten requested a review from samuelkarp November 13, 2020 00:35
@etungsten etungsten marked this pull request as draft December 3, 2020 21:35
@etungsten
Copy link
Contributor Author

Converting this pull request to draft as it now depends on #1230 and #1231

@etungsten
schnauzer: add host helper
d72e22a 
Adds a new rendering-template helper that trims a fully qualified URL
setting down to just its host portion.
@etungsten
Copy link
Contributor Author

Push above rebases onto develop

@etungsten etungsten force-pushed the network-config branch 3 times, most recently from 5ea2642 to 97bf5a6 Compare December 11, 2020 20:55
@etungsten
Copy link
Contributor Author

Pushes above removes http_proxy as a settings option. Some minor formatting changes and commit message change.

PR description updated with the latest testing information.

@etungsten etungsten marked this pull request as ready for review December 11, 2020 23:24
bcressey
bcressey reviewed Dec 16, 2020
View reviewed changes
sources/models/defaults.toml Outdated Show resolved Hide resolved
packages/release/proxy-env Outdated Show resolved Hide resolved
sources/models/src/modeled_types/shared.rs Show resolved Hide resolved
@etungsten
Copy link
Contributor Author

Push above addresses #1204 (comment) and #1204 (comment)

@etungsten
settings.network: add new proxy settings
e60b2fb 
Add new settings for configuring HTTPS_PROXY/https_proxy and
NO_PROXY/no_proxy environment variables.

These environment variables will only be exposed to a limited set
of services that need them.
@etungsten
Copy link
Contributor Author

Push above recovers the restart commands for containerd and host-containerd

@bcressey bcressey mentioned this pull request Dec 17, 2020
Open
zmrow
zmrow approved these changes Dec 18, 2020
View reviewed changes
Copy link
Contributor

@zmrow zmrow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🦠

@tjkirch tjkirch removed their request for review January 4, 2021 16:03
@etungsten etungsten merged commit 15de839 into bottlerocket-os:develop Jan 5, 2021
@etungsten etungsten deleted the network-config branch January 5, 2021 02:32
@etungsten etungsten mentioned this pull request Jan 5, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@webern webern webern left review comments

@tjkirch tjkirch tjkirch approved these changes

@zmrow zmrow zmrow approved these changes

@samuelkarp samuelkarp samuelkarp approved these changes

@bcressey bcressey bcressey approved these changes

@jahkeup jahkeup Awaiting requested review from jahkeup

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add support for HTTP_PROXY environment variable configuration into various services
6 participants
@etungsten @tjkirch @bcressey @samuelkarp @zmrow @webern