Configuring a Proxy in Photon OS

I’ve been playing around recently with VMware’s new Photon OS platform. Thanks to its incredibly small footprint and virtualization-specific tuning, it looks like an excellent building block for a custom appliance I’m hoping to build. To keep the appliance as small as possible, I used the minimal deployment and then planned to install packages as required.

After deploying the appliance, I hit a roadblock as the package management tool called tdnf couldn’t reach any of the repositories. This was expected as my home lab is isolated and I have to go through a squid proxy server to get to the outside world.

root@photon-machine [ ~ ]# tdnf repolist
curl#7: Couldn't connect to server
Error: Failed to synchronize cache for repo 'VMware Photon Linux 2.0(x86_64) Updates' from 'https://dl.bintray.com/vmware/photon_updates_2.0_x86_64'
Disabling Repo: 'VMware Photon Linux 2.0(x86_64) Updates'
curl#7: Couldn't connect to server
Error: Failed to synchronize cache for repo 'VMware Photon Linux 2.0(x86_64)' from 'https://dl.bintray.com/vmware/photon_release_2.0_x86_64'
Disabling Repo: 'VMware Photon Linux 2.0(x86_64)'
curl#7: Couldn't connect to server
Error: Failed to synchronize cache for repo 'VMware Photon Extras 2.0(x86_64)' from 'https://dl.bintray.com/vmware/photon_extras_2.0_x86_64'
Disabling Repo: 'VMware Photon Extras 2.0(x86_64)'

When trying to build the package cache, you can see that the synchronization fails to specific HTTPS locations over port 443.

After having a quick look through the Photon administration guide, I was surprised to see that there wasn’t anything regarding proxy configuration listed – at least not at the time of writing. Doing some digging online turned up several possibilities. There seem to be numerous places in which a proxy can be defined – including in the kubernetes configuration, or specifically for the tdnf package manager.

The simplest way to get your proxy configured for tdnf, as well as other tools like wget and curl, is to define a system-wide proxy. You’ll find the relevant configuration in the /etc/sysconfig/proxy file:

root@photon-machine [ ~ ]# ls -lha /etc/sysconfig/
total 20K
drwxr-xr-x 2 root root 4.0K Mar 5 17:01 .
drwxr-xr-x 33 root root 4.0K Mar 5 17:36 ..
-rw-r--r-- 1 root root 189 Oct 26 01:09 clock
-rw-r--r-- 1 root root 272 Oct 26 01:09 console
-rw-r--r-- 1 root root 770 Mar 5 18:35 proxy

There are at least three settings you’ll likely want to change in this file. You’ll need to set PROXY_ENABLED to “yes” and then define an HTTP and HTTPS proxy. Remember that tdnf’s default repositories use HTTPS, so you will need to define an HTTPS proxy for package installation.

Here is what my /etc/sysconfig/proxy file looks like after making the necessary changes:

# Enable a generation of the proxy settings to the profile.
# This setting allows to turn the proxy on and off while
# preserving the particular proxy setup.
#
PROXY_ENABLED="yes"

# Some programs (e.g. wget) support proxies, if set in
# the environment.
# Example: HTTP_PROXY="http://proxy.provider.de:3128/"
HTTP_PROXY="http://pfsense.lab.local:3128"

# Example: HTTPS_PROXY="https://proxy.provider.de:3128/"
HTTPS_PROXY="http://pfsense.lab.local:3128"

# Example: FTP_PROXY="http://proxy.provider.de:3128/"
FTP_PROXY=""

# Example: GOPHER_PROXY="http://proxy.provider.de:3128/"
GOPHER_PROXY=""

# Example: SOCKS_PROXY="socks://proxy.example.com:8080"
SOCKS_PROXY=""

# Example: SOCKS5_SERVER="office-proxy.example.com:8881"
SOCKS5_SERVER=""

# Example: NO_PROXY="www.me.de, do.main, localhost"
NO_PROXY="localhost, 127.0.0.1, lab.local"

Focusing only on the lines I changed:

PROXY_ENABLED="yes"
HTTP_PROXY="http://pfsense.lab.local:3128"
HTTPS_PROXY="http://pfsense.lab.local:3128"
NO_PROXY="localhost, 127.0.0.1, lab.local"

Notice that for the HTTPS proxy I use http in the address and the same port number. I do not use https as the example in the file implies. The scheme in the value describes how the client connects to the proxy itself, not the traffic being proxied. With squid, everything funnels through port 3128, including both HTTP and HTTPS, so the config is the same for both. This may vary depending on the type of proxy you use.

Also, it’s worth mentioning that you should add your internal domain suffix to the NO_PROXY entry. This ensures that traffic destined to internal addresses won’t get forwarded to the proxy. In my case, I added lab.local.
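A lint for the settings discussed above, as an added example that is not part of the original post: it parses /etc/sysconfig/proxy without sourcing it and checks PROXY_ENABLED, HTTPS_PROXY and NO_PROXY. It also goes one step beyond the post by flagging credentials in a proxy URL while the file is world-readable (the listing above shows -rw-r--r--). The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): lint /etc/sysconfig/proxy.
# The file is parsed with sed instead of being sourced, so nothing in it runs.

# get_var FILE NAME: print the value of the last NAME=value / NAME="value" line
get_var() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# check_proxy_conf FILE SUFFIX: print one finding per line; exit status 1 if any
check_proxy_conf() {
    file=$1 suffix=$2 findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    [ "$(get_var "$file" PROXY_ENABLED)" = "yes" ] || report "PROXY_ENABLED is not yes"
    # tdnf's default repositories are HTTPS, so HTTP_PROXY alone is not enough
    [ -n "$(get_var "$file" HTTPS_PROXY)" ] || report "HTTPS_PROXY is empty"
    for name in HTTP_PROXY HTTPS_PROXY; do
        case $(get_var "$file" "$name") in
            *://*@*) [ -z "$(find "$file" -perm -004)" ] ||
                     report "$name holds credentials in a world-readable file" ;;
        esac
    done
    # NO_PROXY is comma-separated; drop spaces and require an exact entry
    case ",$(get_var "$file" NO_PROXY | tr -d ' ')," in
        *",$suffix,"*) ;;
        *) report "NO_PROXY lacks $suffix" ;;
    esac
    [ "$findings" -eq 0 ]
}

# Constructed sample: HTTPS proxy missing, credentials inline, no internal suffix
demo=$(mktemp)
chmod 644 "$demo"
cat > "$demo" <<'EOF'
PROXY_ENABLED="yes"
# Example: HTTP_PROXY="http://proxy.provider.de:3128/"
HTTP_PROXY="http://svc:example-pass@pfsense.lab.local:3128"
HTTPS_PROXY=""
NO_PROXY="localhost, 127.0.0.1"
EOF
check_proxy_conf "$demo" lab.local || echo "fix the findings above"
rm -f "$demo"
```

On a real system, call it as check_proxy_conf /etc/sysconfig/proxy with your own internal suffix as the second argument.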

In my testing, doing a systemctl restart systemd-networkd as you normally would for IP address changes does not make the change take effect. I’m sure there is some way to refresh the configuration, but I just did a quick reboot. After that, I was able to install packages using tdnf without issue.

root@photon-machine [ ~ ]# tdnf repolist
repo id             repo name                                   status
photon-updates      VMware Photon Linux 2.0(x86_64) Updates     enabled
photon              VMware Photon Linux 2.0(x86_64)             enabled
photon-extras       VMware Photon Extras 2.0(x86_64)            enabled

root@photon-machine [ ~ ]# tdnf makecache
Refreshing metadata for: 'VMware Photon Linux 2.0(x86_64) Updates'
Refreshing metadata for: 'VMware Photon Linux 2.0(x86_64)'
Refreshing metadata for: 'VMware Photon Extras 2.0(x86_64)'
Metadata cache created. 106 100%

root@photon-machine [ ~ ]# tdnf install iputils

Installing:
iputils x86_64 20151218-4.ph2 photon 262.51k 268810

Total installed size: 262.51k 268810
Is this ok [y/N]:y

Downloading:
iputils 129855 100%
Testing transaction
Running transaction
Installing/Updating: iputils-20151218-4.ph2.x86_64

Complete!
