podman: PODMAN not able to tunnel thru Proxy in an Enterprise Proxy Environment

/kind bug

Description

PODMAN running on local MacOS is not able to honor the Proxy Env setting in a corporate proxy environment.

Steps to reproduce the issue:

  1. brew install qemu

  2. brew install podman

  3. podman machine init

  4. podman machine start

  5. podman pull nginx:alpine

Describe the results you received:

Resolving "nginx" using unqualified-search registries (/etc/containers/registries.conf.d/999-podman-machine.conf) Trying to pull docker.io/library/nginx:alpine... Error: initializing source docker://nginx:alpine: pinging container registry registry-1.docker.io: Get "https://registry-1.docker.io/v2/": dial tcp 3.229.227.53:443: i/o timeout

Describe the results you expected:

I am expecting it to be able to pull the image from Docker Library. I am suspecting the Image Pull is run at the local VM machine spun up as part of PODMAN machine; if so, how can we get the PROXY setting pushed to the VM? Are there any commands for debugging in the VM? I am new to PODMAN, sorry if I am asking some of the basic questions.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

○ → podman version
Client:
Version:      3.4.0
API Version:  3.4.0
Go Version:   go1.17.1
Built:        Thu Sep 30 13:44:31 2021
OS/Arch:      darwin/amd64

Server:
Version:      3.3.1
API Version:  3.3.1
Go Version:   go1.16.6
Built:        Mon Aug 30 15:46:36 2021
OS/Arch:      linux/amd64

Output of podman info --debug:

podman info --debug
host:
  arch: amd64
  buildahVersion: 1.22.3
  cgroupControllers: []
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.29-2.fc34.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.29, commit: '
  cpus: 1
  distribution:
    distribution: fedora
    version: "34"
  eventLogger: journald
  hostname: localhost
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.14.9-200.fc34.x86_64
  linkmode: dynamic
  logDriver: ""
  memFree: 1629442048
  memTotal: 2061860864
  ociRuntime:
    name: crun
    package: crun-1.0-1.fc34.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.0
      commit: 139dc6971e2f1d931af520188763e984d6cdfbf8
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.12-2.fc34.x86_64
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.0
  swapFree: 0
  swapTotal: 0
  uptime: 19m 49.04s
plugins:
  log: null
  network: null
  volume: null
registries:
  search:
  - docker.io
store:
  configFile: /var/home/core/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/core/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 0
  runRoot: /run/user/1000/containers
  volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
  APIVersion: 3.3.1
  Built: 1630356396
  BuiltTime: Mon Aug 30 20:46:36 2021
  GitCommit: ""
  GoVersion: go1.16.6
  OsArch: linux/amd64
  Version: 3.3.1

Package info (e.g. output of rpm -q podman or apt list podman):

DOES NOT APPLY.

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes. It does not have information on local Podman execution.

Additional environment details (AWS, VirtualBox, physical, etc.):

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 4
  • Comments: 33 (5 by maintainers)

Most upvoted comments

We solved this in a corporate environment on MacOS that requires a secure proxy server to access all external resources. We use the podman managed machine via podman machine. All configuration takes place on the VM. We have been using this successfully for almost two months now.

Requires: Podman 3.4.0 at a minimum on MacOS host and managed machine.

Configure Proxy Support Globally for All Systemd Services

sudo mkdir /etc/systemd/system.conf.d

Place in /etc/systemd/system.conf.d/10-default-env.conf:

[Manager]
DefaultEnvironment="HTTP_PROXY=<your-proxy-URL>"
DefaultEnvironment="HTTPS_PROXY=<your-proxy-URL>"
DefaultEnvironment="NO_PROXY=.<set-of-host-domain-exclusion(s)>,localhost,127.0.0.1,0.0.0.0,::1"

DefaultEnvironment="http_proxy=<your-proxy-URL>"
DefaultEnvironment="https_proxy=<your-proxy-URL>"
DefaultEnvironment="no_proxy=.<set-of-host-domain-exclusion(s)>,localhost,127.0.0.1,0.0.0.0,::1"

Allow Interactive Login Sessions to VM to Use Proxy

Place in /etc/profile.d/proxy.sh:

PROXY_URL=<your-proxy-URL>

export http_proxy="$PROXY_URL"
export https_proxy="$PROXY_URL"
export ftp_proxy="$PROXY_URL"
export no_proxy=".<set-of-host-domain-exclusion(s)>,localhost,127.0.0.1,0.0.0.0,::1"

export HTTP_PROXY="$PROXY_URL"
export HTTPS_PROXY="$PROXY_URL"
export FTP_PROXY="$PROXY_URL"
export NO_PROXY=".<set-of-host-domain-exclusion(s)>,localhost,127.0.0.1,0.0.0.0,::1"

Configure Trusted Certificates

  • Place each CA certificate into a separate PEM file in /etc/pki/ca-trust/source/anchors/, then update the certificate authority trust, for example:
sudo install -o root -g root -m 0644 *.pem *.crt /etc/pki/ca-trust/source/anchors
sudo update-ca-trust

Restart Managed Machine

Unfortunately, in order for the systemd proxy configuration to take effect, you will have to restart the podman managed machine from the host:

podman machine stop
podman machine start

Works on both Catalina and Big Sur.

Some thoughts on how podman can discover the proxy settings:

  1. Ingest the system proxy settings on Mac. You can get the settings by running: scutil --proxy or in Objective-C using the SystemConfiguration framework (I suspect the same is available in Go): https://developer.apple.com/documentation/systemconfiguration/1517088-scdynamicstorecopyproxies
  2. Ingest proxy settings from ENV.
  3. Allow the user to override by adding an argument to the podman commands or configuring a setting somewhere.

Also, PLEASE support no_proxy stuff. Most companies that use proxies need to access stuff that’s on the internal network and outside the network, but only outside requires proxy.

Ideally the HTTP_PROXY/HTTPS_PROXY/NO_PROXY and SSL_CERT_FILE env vars should be picked up by the podman machine start command and automatically be passed into the ignition file. This is similar to how minikube operates (though I am unsure if it uses ignition):

$ minikube start
😄  minikube v1.23.0 on Darwin 11.6.1
✨  Using the hyperkit driver based on user configuration
👍  Starting control plane node minikube in cluster minikube
🔥  Creating hyperkit VM (CPUs=4, Memory=16384MB, Disk=20000MB) ...
🎉  minikube 1.24.0 is available! Download it: https://github.com/kubernetes/minikube/releases/tag/v1.24.0
💡  To disable this notice, run: 'minikube config set WantUpdateNotification false'

🌐  Found network options:
    ▪ HTTP_PROXY=http://proxy.example.com:8080
    ▪ HTTPS_PROXY=http://proxy.example.com:8080
    ▪ NO_PROXY=.<set-of-host-domain-exclusion(s)>,localhost,127.0.0.1,0.0.0.0,::1
    ▪ http_proxy=http://proxy.example.com:8080
    ▪ https_proxy=http://proxy.example.com:8080
    ▪ no_proxy=.<set-of-host-domain-exclusion(s)>,localhost,127.0.0.1,0.0.0.0,::1
❗  This VM is having trouble accessing https://k8s.gcr.io
💡  To pull new external images, you may need to configure a proxy: https://minikube.sigs.k8s.io/docs/reference/networking/proxy/
🐳  Preparing Kubernetes v1.22.1 on Docker 20.10.8 ...
    ▪ env HTTP_PROXY=http://proxy.example.com:8080
    ▪ env HTTPS_PROXY=http://proxy.example.com:8080
    ▪ env NO_PROXY=.<set-of-host-domain-exclusion(s)>,localhost,127.0.0.1,0.0.0.0,::1
    ▪ Generating certificates and keys ...
    ▪ Booting up control plane ...
    ▪ Configuring RBAC rules ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

I think you can pass the proxy variables if you set up a custom ignition file, though it would be nice if podman auto-detected proxy settings and passed them through.

Some enterprise proxies also do SSL inspection, which requires loading a custom trusted CA into a user’s workstation trust store. I believe tools commonly use the SSL_CERT_FILE env var to do this, similar to HTTP_PROXY/HTTPS_PROXY/etc variables to detect the proxy.

SSL_CERT_FILE is standard in openssl: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_default_verify_paths.html

I'm assuming that @cpolizzi's solution was to modify those files inside the podman VM, not the mac. (Since my Mac doesn't have that first directory, because systemd is not installed.)

I note that by default my proxy env vars were already present in the virtual machine, but all in one line, which I’m guessing is fine.

proxy.sh did not exist. I added that. It didn’t resolve my problem.

@gclawes Can you point me to any readme that can help with the steps and syntax for creating custom ignition file?