ignition: propagate proxy settings from a host into a vm

[esendjer]

PR solves the need of setting proxy for systemd and the whole guest system.

Set proxy settings (such as HTTP_PROXY, and others) for the whole guest OS with setting up DefaultEnvironment with a systemd configuration file default-env.conf, a profile.d scenario file - default-env.sh and a environment.d configuration file default-env.conf.

The actual environment variables are read by podman at a start, then they are encrypted with base64 into a single string and after are provided into a VM through QEMU Firmware Configuration (fw_cfg) Device

Inside a VM a systemd service envset-fwcfg.service reads the providead encrypted string from fw_cfg, decrypts and then adds to the files:

• /etc/systemd/system.conf.d/default-env.conf
• /etc/profile.d/default-env.sh
• /etc/environment.d/default-env.conf

At the end, this service execute systemctl daemon-reload to propagate new variables for systemd manager

[NO NEW TESTS NEEDED]

Closes #13168

Also related to #11941 #12739

[baude]

LGTM

[rhatdan]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: esendjer, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ctml91]

Any trick to making this work on a mac?

podman version 4.0.2

$ podman machine stop
$ podman machine rm
$ env | grep -i proxy
HTTPS_PROXY=myproxy
HTTP_PROXY=myproxy
https_proxy=myproxy
http_proxy=myproxy
$ podman machine init
$ podman machine start
$ podman machine list
NAME                     VM TYPE     CREATED         LAST UP            CPUS        MEMORY      DISK SIZE
podman-machine-default*  qemu        2 minutes ago  Currently running  1           2.147GB     107.4GB
$ podman build -t test:latest ./
Error: error creating build container: initializing source docker://registry.access.redhat.com/ubi8/ubi-minimal:latest: pinging container registry registry.access.redhat.com: Get "https://registry.access.redhat.com/v2/": x509: certificate signed by unknown authority

This is the error when requests do not go to proxy and go to our honeypot instead, so it is not using the host proxy.

[amilanoski]

This is still an issue with MacOS Ventura 13.3.1 with fresh installation and Corporate proxies set in my zsh shell.

The only thing that worked was having to manually run

1. podman machine ssh then run the configuration setup found here. PODMAN not able to tunnel thru Proxy in an Enterprise Proxy Environment #11941 (comment)

I have not found any other documentation around that can solve this with out having users manually go in and configure this. Keeping the scope only with proxies these should be pulled into the podman machine init or better yet podman machine start.

podman -v podman version 4.5.1

[esendjer]

@amilanoski
I see. Let me check it on my Macs.
But until I've done, could you please share how do you set proxies in your zsh shell. Here, I'm wondering commands and variable names, it allows me to repeat this on my side.

[esendjer]

The check is done, and unfortunately the problem has come back.
A brief research led me to the next:

• the issue was not until v4.5.1 release
• as far as I can tell, the issue is caused by some of the changes within the PR Add support for HVSOCK on hyperv #18167

I want to dive deeper to understand how it could be solved.

[esendjer]

@amilanoski FYI
PR that fixes the issue #18759 has just been opened