
PODMAN not able to tunnel thru Proxy in an Enterprise Proxy Environment #11941

Closed
kishorekkota opened this issue Oct 12, 2021 · 33 comments
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. machine

Comments

@kishorekkota

/kind bug

Description

PODMAN running in local MacOS is not able to honor Proxy Env setting in a corporate proxy setting.

Steps to reproduce the issue:

  1. brew install qemu

  2. brew install podman

  3. podman machine init

  4. podman machine start

  5. podman pull nginx:alpine

Describe the results you received:

Resolving "nginx" using unqualified-search registries (/etc/containers/registries.conf.d/999-podman-machine.conf)
Trying to pull docker.io/library/nginx:alpine...
Error: initializing source docker://nginx:alpine: pinging container registry registry-1.docker.io: Get "https://registry-1.docker.io/v2/": dial tcp 3.229.227.53:443: i/o timeout

Describe the results you expected:

I am expecting it to be able to pull the image from the Docker Library. I am suspecting the image pull is run at the local VM spun up as part of PODMAN machine; if so, how can we get the PROXY setting pushed to the VM? Are there any commands for debugging in the VM? I am new to PODMAN, sorry if I am asking some basic questions.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

○ → podman version
Client:
Version:      3.4.0
API Version:  3.4.0
Go Version:   go1.17.1
Built:        Thu Sep 30 13:44:31 2021
OS/Arch:      darwin/amd64

Server:
Version:      3.3.1
API Version:  3.3.1
Go Version:   go1.16.6
Built:        Mon Aug 30 15:46:36 2021
OS/Arch:      linux/amd64

Output of podman info --debug:

podman info --debug
host:
  arch: amd64
  buildahVersion: 1.22.3
  cgroupControllers: []
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.29-2.fc34.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.29, commit: '
  cpus: 1
  distribution:
    distribution: fedora
    version: "34"
  eventLogger: journald
  hostname: localhost
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.14.9-200.fc34.x86_64
  linkmode: dynamic
  logDriver: ""
  memFree: 1629442048
  memTotal: 2061860864
  ociRuntime:
    name: crun
    package: crun-1.0-1.fc34.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.0
      commit: 139dc6971e2f1d931af520188763e984d6cdfbf8
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.12-2.fc34.x86_64
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.0
  swapFree: 0
  swapTotal: 0
  uptime: 19m 49.04s
plugins:
  log: null
  network: null
  volume: null
registries:
  search:
  - docker.io
store:
  configFile: /var/home/core/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/core/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 0
  runRoot: /run/user/1000/containers
  volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
  APIVersion: 3.3.1
  Built: 1630356396
  BuiltTime: Mon Aug 30 20:46:36 2021
  GitCommit: ""
  GoVersion: go1.16.6
  OsArch: linux/amd64
  Version: 3.3.1

Package info (e.g. output of rpm -q podman or apt list podman):

DOES NOT APPLY.

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes. It does not have information on local Podman execution.

Additional environment details (AWS, VirtualBox, physical, etc.):

@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Oct 12, 2021
@mheon
Member

mheon commented Oct 12, 2021

@ashley-cui @baude PTAL

@gclawes

gclawes commented Oct 12, 2021

I think you can pass the proxy variables if you set up a custom ignition file, though it would be nice if podman auto-detected proxy settings and passed them through.

Some enterprise proxies also do SSL inspection, which requires loading a custom trusted CA into a user's workstation trust store. I believe tools commonly use the SSL_CERT_FILE env var to do this, similar to HTTP_PROXY/HTTPS_PROXY/etc variables to detect the proxy.

SSL_CERT_FILE is standard in openssl:
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_default_verify_paths.html

@kishorekkota
Author

@gclawes Can you point me to any readme that can help with the steps and syntax for creating custom ignition file?

@bcg62

bcg62 commented Oct 12, 2021

Another option would be to create a CA bundle directly from the OS X keychain and pass it into the machine. It's transparent for the end user and less management overhead than maintaining multiple bundles.

This is also the approach Docker inevitably took.

https://docs.docker.com/desktop/mac/#add-custom-ca-certificates-server-side

@kishorekkota
Author

@bcg62 The issue I am seeing is with connectivity. I could not find details on setting up an Ignition file - can someone point me to details on setting up an Ignition file?

@ctml91

ctml91 commented Oct 21, 2021

I'm having the same issue, I am not able to use podman on my M1 which is behind a corporate proxy.

STEP 1/23: FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
Trying to pull registry.access.redhat.com/ubi8/ubi-minimal:latest...
Error: error creating build container: initializing source docker://registry.access.redhat.com/ubi8/ubi-minimal:latest: pinging container registry registry.access.redhat.com: Get "https://registry.access.redhat.com/v2/": x509: certificate has expired or is not yet valid

@kishorekkota
Author

@ctml91 Looks like it is getting through the proxy in your case and the SSL handshake is failing. Did you do anything specific to set the HTTP_PROXY setting? I have those in my ENV and also tried to mess with the containers.conf file to see if those are honored by PODMAN. None of my attempts get past the connectivity issue.

@ctml91

ctml91 commented Oct 22, 2021

@ctml91 Looks like it is getting through the proxy in your case and the SSL handshake is failing. Did you do anything specific to set the HTTP_PROXY setting? I have those in my ENV and also tried to mess with the containers.conf file to see if those are honored by PODMAN. None of my attempts get past the connectivity issue.

This is the standard error I get when proxy is not configured. It may look a bit different than your error, but that's probably just dependent on network/proxy setup. I haven't been able to get proxy to work with podman + qemu. Tried copying the ignition config from the default vm stored under ~/.config/containers/podman/machine/qemu/podman-machine-default.ign and adding httpProxy and httpsProxy in the proxy stanza and init a new machine using the modified ign but the vm wouldn't even start. Probably something I've done wrong, but it would be nice for podman to handle this automatically.

$ proxy-on
$ curl https://registry.access.redhat.com > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

$ proxy-off
$ curl https://registry.access.redhat.com > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

@pboushy

pboushy commented Oct 27, 2021

This is interesting... podman build appears to have an argument that will pass http proxy envs to the machine, but podman pull doesn't?

Watching in case anyone finds out how to resolve this.

@rhatdan
Member

rhatdan commented Oct 27, 2021

I think what you are saying is that
podman build --help | grep proxy
--http-proxy pass through HTTP Proxy environment variables (default true)
podman-remote build --help | grep proxy
--http-proxy pass through HTTP Proxy environment variables (default true)

Is happening on the server side not the client side.

@pboushy

pboushy commented Oct 27, 2021

@rhatdan sorry about that. Made a critical typo. I've updated it in my original post.

Pulling containers with podman using either podman functionality doesn't work through a proxy using just an argument.
Creating a container appears to.

@rhatdan
Member

rhatdan commented Oct 28, 2021

This is definitely a bug, and we have opened a discussion on how to fix it.

@rhatdan rhatdan self-assigned this Oct 28, 2021
@pboushy

pboushy commented Nov 5, 2021

Some thoughts on how podman can discover the proxy settings:

  1. Ingest the system proxy settings on Mac. You can get the settings by running: scutil --proxy or in Objective-C using the SystemConfiguration framework (I suspect the same is available in Go): https://developer.apple.com/documentation/systemconfiguration/1517088-scdynamicstorecopyproxies
  2. Ingest proxy settings from ENV.
  3. Allow the user to override by adding an argument to the podman commands or configuring a setting somewhere.

Also, PLEASE support no_proxy stuff. Most companies that use proxies need to access stuff that's on the internal network and outside the network, but only outside requires proxy.
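An added example (not pboushy's and not Podman's own code) of the three-tier discovery proposed in this comment, as POSIX shell functions: an explicit argument wins, then HTTP_PROXY/HTTPS_PROXY/NO_PROXY (upper or lower case) from the environment, then the macOS system settings as printed by `scutil --proxy`. The `scutil` text is passed in as a string so the functions run anywhere; the sample below is constructed from that command's usual text layout (an assumption about the format), and its ExceptionsList is turned into NO_PROXY so the no_proxy requirement above is honoured.

```shell
#!/bin/sh
# Added example: proxy discovery with the precedence proposed in the thread
# (argument > environment > macOS system settings). Not Podman's code.

# Constructed sample of `scutil --proxy` output for a proxied network (the
# layout is assumed from that command's usual text form).
SAMPLE_SCUTIL='<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
    2 : .example.com
  }
  FTPPassive : 1
  HTTPEnable : 1
  HTTPPort : 8080
  HTTPProxy : proxy.example.com
  HTTPSEnable : 1
  HTTPSPort : 8080
  HTTPSProxy : proxy.example.com
}'

# parse_scutil_proxy: reads scutil text on stdin and prints one line
# "<http-proxy-url> <https-proxy-url> <no-proxy-list>", using "-" for a
# setting that is absent or disabled. ExceptionsList entries become the
# no_proxy list because those are the hosts macOS itself bypasses.
parse_scutil_proxy() {
  awk '
    /^[ \t]*ExceptionsList/ { inlist = 1; next }
    inlist && /^[ \t]*}/    { inlist = 0; next }
    inlist                  { ex = (ex == "") ? $3 : ex "," $3; next }
    NF >= 3                 { kv[$1] = $3 }
    END {
      http  = (kv["HTTPEnable"]  == "1") ? "http://" kv["HTTPProxy"]  ":" kv["HTTPPort"]  : "-"
      https = (kv["HTTPSEnable"] == "1") ? "http://" kv["HTTPSProxy"] ":" kv["HTTPSPort"] : "-"
      print http, https, ((ex == "") ? "-" : ex)
    }'
}

# discover_proxy EXPLICIT_URL SCUTIL_TEXT
# Prints HTTP_PROXY=, HTTPS_PROXY= and NO_PROXY= lines. An explicit URL
# overrides everything; otherwise the environment variables win over the
# system settings. Empty values mean "no proxy".
discover_proxy() {
  explicit=$1
  parsed=$(printf '%s\n' "$2" | parse_scutil_proxy)
  sys_http=${parsed%% *}
  rest=${parsed#* }
  sys_https=${rest%% *}
  sys_noproxy=${rest#* }

  http=${explicit:-${HTTP_PROXY:-${http_proxy:-$sys_http}}}
  https=${explicit:-${HTTPS_PROXY:-${https_proxy:-$sys_https}}}
  noproxy=${NO_PROXY:-${no_proxy:-$sys_noproxy}}
  # Turn the "-" placeholders from the parser back into empty strings.
  case "$http"    in -) http=    ;; esac
  case "$https"   in -) https=   ;; esac
  case "$noproxy" in -) noproxy= ;; esac
  printf 'HTTP_PROXY=%s\nHTTPS_PROXY=%s\nNO_PROXY=%s\n' "$http" "$https" "$noproxy"
}

# Usage on a Mac:                          discover_proxy "" "$(scutil --proxy)"
# Offline demo with the constructed sample: discover_proxy "" "$SAMPLE_SCUTIL"
```

The output lines are in the shape a `podman machine` front end could hand straight to the VM; the point of the ordering is that an explicit CLI value never gets silently overridden by a stale environment, and that switching networks only changes the lowest-priority source.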

@znd4

znd4 commented Nov 22, 2021

The way Docker engine handles this is obnoxious because it requires a GUI toggle and restarting the VM when you jump on / off a corporate network. If there were a way to have podman pull get proxy settings either from the environment or CLI arguments, that'd be sweet

@morgans2

morgans2 commented Dec 6, 2021

I'm having the same issue and have attempted several ways of modifying the proxy and cert files. Here is the relevant portion of my ignition file. I'd be grateful to anyone who can spot an error.

{"verification":{}}},"proxy":"{"httpProxy": "http://myproxy:80/"}","{"httpsProxy":"http://myproxy:80/","{"noProxy":"somevals"}","security":{"tls":{"certificateAuthorities": [{"source":"https:/site.internal.com/my.pem"}
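The fragment above has unbalanced quotes and braces. As an added reference that is not from the thread or from Podman, this is how the Ignition 3.x config spec nests the same settings: `proxy` and `security` are both children of the top-level `ignition` object, `noProxy` is an array of strings, and the CA `source` URL needs `https://` with two slashes. The version string and the placeholder values are assumptions. Note that Ignition's own `proxy` block only governs the fetches Ignition performs while provisioning (for example fetching the CA below); it does not set the proxy environment of systemd services on the booted VM.

```json
{
  "ignition": {
    "version": "3.2.0",
    "proxy": {
      "httpProxy": "http://myproxy:80/",
      "httpsProxy": "http://myproxy:80/",
      "noProxy": [".internal.example.com", "localhost", "127.0.0.1"]
    },
    "security": {
      "tls": {
        "certificateAuthorities": [
          { "source": "https://site.internal.com/my.pem" }
        ]
      }
    }
  }
}
```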

@cpolizzi

We solved this in a corporate environment on MacOS that requires a secure proxy server to access all external resources. We use the podman managed machine via podman machine. All configuration takes place on the VM. We have been using this successfully for almost two months now.

Requires: Podman 3.4.0 at a minimum on MacOS host and managed machine.

Configure Proxy Support Globally for All Systemd Services

sudo mkdir /etc/systemd/system.conf.d

Place in /etc/systemd/system.conf.d/10-default-env.conf:

[Manager]
DefaultEnvironment="HTTP_PROXY=<your-proxy-URL>"
DefaultEnvironment="HTTPS_PROXY=<your-proxy-URL>"
DefaultEnvironment="NO_PROXY=.<set-of-host-domain-exclusion(s)>,localhost,127.0.0.1,0.0.0.0,::1"

DefaultEnvironment="http_proxy=<your-proxy-URL>"
DefaultEnvironment="https_proxy=<your-proxy-URL>"
DefaultEnvironment="no_proxy=.<set-of-host-domain-exclusion(s)>,localhost,127.0.0.1,0.0.0.0,::1"

Allow Interactive Login Sessions to VM to Use Proxy

Place in /etc/profile.d/proxy.sh:

PROXY_URL=<your-proxy-URL>

export http_proxy="$PROXY_URL"
export https_proxy="$PROXY_URL"
export ftp_proxy="$PROXY_URL"
export no_proxy=".<set-of-host-domain-exclusion(s)>,localhost,127.0.0.1,0.0.0.0,::1"

export HTTP_PROXY="$PROXY_URL"
export HTTPS_PROXY="$PROXY_URL"
export FTP_PROXY="$PROXY_URL"
export NO_PROXY=".<set-of-host-domain-exclusion(s)>,localhost,127.0.0.1,0.0.0.0,::1"

Configure Trusted Certificates

  • Place each CA certificate into a separate PEM file in /etc/pki/ca-trust/source/anchors/ then update the certificate authority trust, for example:
sudo install -o root -g root -m 0644 *.pem *.crt /etc/pki/ca-trust/source/anchors
sudo update-ca-trust

Restart Managed Machine

Unfortunately, in order for the systemd proxy configuration to take effect you will have to restart the podman managed machine from the host:

podman machine stop
podman machine start

Works on both Catalina and Big Sur.
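The procedure above, as an added example (not cpolizzi's or Podman's own code): two POSIX shell functions that render the systemd drop-in and the profile script into a target root, so the result can be reviewed before it is copied into the podman machine VM, and that stage CA files into the anchors directory only if they actually contain a PEM certificate. It assumes a systemd-based VM with the Fedora CoreOS paths used in the post; the proxy URL and exclusion list are supplied by the caller.

```shell
#!/bin/sh
# Added example: render the VM-side proxy and CA configuration from the post
# into ROOT (use "/" on the VM itself, or a scratch directory to review first).
# Not Podman's code; assumes a systemd-based VM with the paths from the post.

# render_proxy_config ROOT PROXY_URL NO_PROXY
# Writes ROOT/etc/systemd/system.conf.d/10-default-env.conf (inherited by
# every service, podman's included) and ROOT/etc/profile.d/proxy.sh (login
# shells). Returns 1 if the proxy URL has no scheme, because tools disagree on
# what a bare host:port means.
render_proxy_config() {
  root=$1
  proxy_url=$2
  no_proxy=$3
  case "$proxy_url" in
    http://*|https://*) ;;
    *) echo "proxy URL must start with http:// or https://" >&2; return 1 ;;
  esac
  # Always exclude loopback so VM-local services (podman's own API socket,
  # a local registry) are never sent through the corporate proxy.
  case ",$no_proxy," in
    *,localhost,*) ;;
    ,,) no_proxy="localhost,127.0.0.1,0.0.0.0,::1" ;;
    *)  no_proxy="$no_proxy,localhost,127.0.0.1,0.0.0.0,::1" ;;
  esac
  mkdir -p "$root/etc/systemd/system.conf.d" "$root/etc/profile.d"
  {
    echo '[Manager]'
    for name in HTTP_PROXY HTTPS_PROXY http_proxy https_proxy; do
      echo "DefaultEnvironment=\"$name=$proxy_url\""
    done
    echo "DefaultEnvironment=\"NO_PROXY=$no_proxy\""
    echo "DefaultEnvironment=\"no_proxy=$no_proxy\""
  } > "$root/etc/systemd/system.conf.d/10-default-env.conf"
  {
    echo "PROXY_URL=\"$proxy_url\""
    for name in http_proxy https_proxy ftp_proxy HTTP_PROXY HTTPS_PROXY FTP_PROXY; do
      echo "export $name=\"\$PROXY_URL\""
    done
    echo "export no_proxy=\"$no_proxy\""
    echo "export NO_PROXY=\"$no_proxy\""
  } > "$root/etc/profile.d/proxy.sh"
}

# stage_ca_anchors ROOT FILE...
# Copies only files that contain a PEM certificate into the anchors directory
# (mode 0644) and prints how many were staged; anything else is reported and
# skipped so a stray key or bundle of the wrong format never lands in the
# trust store. On the VM, follow with: sudo update-ca-trust
stage_ca_anchors() {
  root=$1; shift
  anchors="$root/etc/pki/ca-trust/source/anchors"
  mkdir -p "$anchors"
  staged=0
  for f in "$@"; do
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
      cp "$f" "$anchors/" && chmod 0644 "$anchors/$(basename "$f")"
      staged=$((staged + 1))
    else
      echo "skipping $f: not a PEM certificate" >&2
    fi
  done
  echo "$staged"
}

# Usage (dry run into a scratch directory):
#   render_proxy_config /tmp/vmroot http://proxy.example.com:8080 .example.com
#   stage_ca_anchors /tmp/vmroot corp-root.pem
```

After copying the files into the VM and doing the `podman machine stop` / `podman machine start` cycle from the post, `systemctl show-environment` inside the VM should list the proxy variables; if it does not, the drop-in was not read and the pull will still time out as in the original report.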

@kishorekkota
Author

@cpolizzi Thanks a bunch. This worked like a charm.

@rhatdan
Member

rhatdan commented Jan 3, 2022

Is this still an issue then?

@kishorekkota
Author

Nope. Can be closed ?

@ctml91

ctml91 commented Jan 3, 2022

I don't know how feasible it is, but it might be nice to have these managed through a set of flags, so one doesn't need to log in to the VM and update proxy variables as you switch networks (proxied and not)? Or would the preferred solution be to have two VMs spawned by podman, one dedicated to the proxied network and another for the non-proxied one?

@cdnB8kn

cdnB8kn commented Jan 4, 2022

I would have hoped for passed in parameters (or maybe some other initialization handling/scripting? kind of like a vagrant file? maybe other things are needed beyond proxy?)... Just for a larger dev team, having a set of instructions to configure it every time is... painful (new hires, proxy change, etc). Especially if you can be in a proxy env and non-proxy environment at different times.

@gclawes

gclawes commented Jan 4, 2022

Ideally the HTTP_PROXY/HTTPS_PROXY/NO_PROXY and SSL_CERT_FILE env vars should be picked up by the podman machine start command and automatically be passed into the ignition file. This is similar to how minikube operates (though I am unsure if it uses ignition):

$ minikube start
😄  minikube v1.23.0 on Darwin 11.6.1
✨  Using the hyperkit driver based on user configuration
👍  Starting control plane node minikube in cluster minikube
🔥  Creating hyperkit VM (CPUs=4, Memory=16384MB, Disk=20000MB) ...
🎉  minikube 1.24.0 is available! Download it: https://github.com/kubernetes/minikube/releases/tag/v1.24.0
💡  To disable this notice, run: 'minikube config set WantUpdateNotification false'

🌐  Found network options:
    ▪ HTTP_PROXY=http://proxy.example.com:8080
    ▪ HTTPS_PROXY=http://proxy.example.com:8080
    ▪ NO_PROXY=.<set-of-host-domain-exclusion(s)>,localhost,127.0.0.1,0.0.0.0,::1
    ▪ http_proxy=http://proxy.example.com:8080
    ▪ https_proxy=http://proxy.example.com:8080
    ▪ no_proxy=.<set-of-host-domain-exclusion(s)>,localhost,127.0.0.1,0.0.0.0,::1
❗  This VM is having trouble accessing https://k8s.gcr.io
💡  To pull new external images, you may need to configure a proxy: https://minikube.sigs.k8s.io/docs/reference/networking/proxy/
🐳  Preparing Kubernetes v1.22.1 on Docker 20.10.8 ...
    ▪ env HTTP_PROXY=http://proxy.example.com:8080
    ▪ env HTTPS_PROXY=http://proxy.example.com:8080
    ▪ env NO_PROXY=.<set-of-host-domain-exclusion(s)>,localhost,127.0.0.1,0.0.0.0,::1
    ▪ Generating certificates and keys ...
    ▪ Booting up control plane ...
    ▪ Configuring RBAC rules ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

@matt314

matt314 commented Jan 4, 2022

FWIW, CodeReady Containers from Red Hat handles this by having config options that cover it.

mpiechot@krell 1211 11:26:46 ~/Documents% crc config view | grep proxy | sed 's/secretstuff/g'
- http-proxy                            : http://proxy.external.example.com:80
- https-proxy                           : http://proxy.external.example.com:80
- no-proxy                              : example.com,127.0.0.0/8,localhost,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12,.testing

If that's too much to implement, any chance the machine init could create a config file per machine that environment/arbitrary files could be added to ignition?

@mheon
Member

mheon commented Jan 4, 2022

Can you open a feature request issue about this?

@gclawes

gclawes commented Jan 4, 2022

Opened: #12739

@JdKock

JdKock commented Feb 8, 2022

I'm having the same issue, I am not able to do a podman pull from behind a corporate proxy.
It seems that podman (v3.4.4) is not using my HTTP_PROXY, HTTPS_PROXY, NO_PROXY settings from my MacOS (Monterey).

Is the solution for this to set all these proxy environment settings and certificates manually in the Podman machine?

@gclawes

gclawes commented Feb 8, 2022

@JdKock see the discussion in the PR #12739

@matt314

matt314 commented Feb 11, 2022

Is the solution for this to set all these proxy environment settings and certificates manually in the Podman machine?

That's what worked for me. I set the systemd default environment as above in this comment: #11941 (comment)

Only difference (and it's a preference) is I use /etc/environment for the variables instead of a proxy.sh so non-interactive sessions have access to them as well.

@mdavis-xyz

I'm assuming that @cpolizzi 's solution was to modify those files inside the podman VM, not the mac. (Since my Mac doesn't have that first directory, because systemd is not installed.)

I note that by default my proxy env vars were already present in the virtual machine, but all in one line, which I'm guessing is fine.

proxy.sh did not exist. I added that. It didn't resolve my problem.

@mdavis-xyz

In my use case, my proxy is actually CNTLM running on the host (which in turn forwards traffic to my corporate proxy). I suspect the issue is that there's no path for traffic from the VM to the host? I tried swapping HTTP_PROXY=http://127.0.0.1:3128 for http://localhost:3128. I get the same error.
Which address should I use if my proxy server is on the Mac host?

@cpolizzi

cpolizzi commented Nov 3, 2022

@mdavis-xyz Yes my solution is as follows for the proxy: https://cpolizzi.github.io/podman/podman-as-a-replacement-for-docker-desktop.html#_corporate_network_considerations. This covers both proxying and privately issued certificates. Note that the only real workable solution is to configure SystemD globally for the needed proxy environment variables. If Podman supported / honored SystemD drop in units then configuring SystemD globally would be unnecessary (I also provide an example of what that would look like).

@cpolizzi

cpolizzi commented Nov 3, 2022

@mdavis-xyz By default the podman managed machine cannot make outbound connections from the VM to the host. However, here is how to do it: https://cpolizzi.github.io/podman/orchestrating-podman-vm-to-host-communication.html

@mdavis-xyz

Yes those two instructions together worked for me. Thanks!

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 11, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 11, 2023