Install fails when juju-no-proxy has large subnets

Bug #1846551 reported by Andrey Grebennikov
This bug affects 4 people
Affects                       Status   Importance  Assigned to  Milestone
Containerd Subordinate Charm  Triaged  Medium      Unassigned
Docker Subordinate Charm      Triaged  Medium      Unassigned

Bug Description

Charm revision 25.
Installing with no additional settings, proxy settings are not set up.

The install hook is failing with:

unit-dockerd-1: 18:19:49 WARNING unit.dockerd/1.juju-log Passing NO_PROXY string that includes a cidr. This may not be compatible with software you are running in your shell.
unit-dockerd-1: 18:23:11 ERROR unit.dockerd/1.juju-log Hook error:
Traceback (most recent call last):
  File "/var/lib/juju/agents/unit-dockerd-1/.venv/lib/python3.6/site-packages/charms/reactive/__init__.py", line 74, in main
    bus.dispatch(restricted=restricted_mode)
  File "/var/lib/juju/agents/unit-dockerd-1/.venv/lib/python3.6/site-packages/charms/reactive/bus.py", line 390, in dispatch
    _invoke(other_handlers)
  File "/var/lib/juju/agents/unit-dockerd-1/.venv/lib/python3.6/site-packages/charms/reactive/bus.py", line 359, in _invoke
    handler.invoke()
  File "/var/lib/juju/agents/unit-dockerd-1/.venv/lib/python3.6/site-packages/charms/reactive/bus.py", line 181, in invoke
    self._action(*args)
  File "/var/lib/juju/agents/unit-dockerd-1/charm/reactive/docker.py", line 189, in install
    validate_config(charm_config)
  File "/var/lib/juju/agents/unit-dockerd-1/charm/reactive/docker.py", line 919, in validate_config
    raise ConfigError('no_proxy longer than {} chars.'.format(remain_len))
reactive.docker.ConfigError: no_proxy longer than 2024 chars.

In pdb the no_proxy setting comes out as follows:

> /var/lib/juju/agents/unit-dockerd-1/.venv/lib/python3.6/site-packages/charmhelpers/core/hookenv.py(1471)env_proxy_settings()->{'NO_PROXY': '10.0.0.0/8,1...172.16.0.0/12', 'no_proxy': '10.0.0.0/8,1...172.16.0.0/12'}

George Kraft (cynerva) wrote :

The charm is automatically expanding a CIDR from juju-no-proxy and the resulting no_proxy line is longer than 2024 chars.

First of all, I think we can remove that 2024 character limit. I believe it was fixed in the version of systemd that we ship with Ubuntu 18.04.

Second, the charm probably shouldn't be expanding CIDRs from juju-no-proxy anyway. It causes more problems than it solves.

Changed in charm-docker:
importance: Undecided → Medium
status: New → Triaged
Changed in charm-containerd:
importance: Undecided → Medium
status: New → Triaged
George Kraft (cynerva) wrote :

Adding containerd as well. While I don't believe it has the 2024 character limit, it does have the same problem with juju-no-proxy CIDR expansion and should probably get the same treatment there.

George Kraft (cynerva) wrote :
summary: - Install is failing complaining about no_proxy settings
+ Install fails when juju-no-proxy has large subnets
Paul Goins (vultaire) wrote :

I've encountered this in a test environment where the containerd charm is a dependency. The test environment subnet is a /16 network, and the charm ends up generating a 799501 byte /etc/systemd/system/containerd.service.d/proxy.conf file. This results in "Argument list too long" errors on the containerd systemd service.

George Kraft (cynerva) wrote :

Also reported here: https://bugs.launchpad.net/charm-containerd/+bug/1955658

I recommend working around this by setting the no_proxy config of the containerd charm. When the no_proxy config is set, the charm will ignore the juju-no-proxy model config, and it will *not* expand CIDRs. Assuming your juju-no-proxy looks like this:

localhost,127.0.0.1,::1,10.0.0.0/8

You can set no_proxy to this:

$ juju config containerd no_proxy="localhost,127.0.0.1,::1,10.0.0.0/8"

Containerd itself will ignore the 10.0.0.0/8 entry because it doesn't understand CIDRs. Including it can still be helpful since there are child processes, like Calico CNI, that will inherit the environment and can handle CIDRs.
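
Added example (not code from the charm or from any commenter on this bug): a Python sketch that computes how long a no_proxy value becomes when every IPv4 CIDR entry is written out address by address, without building the list, so it can be compared with the 2024-character limit from the traceback. It assumes the expansion lists every address in the network, comma-separated; the function names are hypothetical.

```python
import ipaddress

LIMIT = 2024  # limit quoted in the ConfigError in the traceback on this page


def _digits(lo, hi):
    """Total decimal digits needed to print every integer in lo..hi."""
    return sum(len(str(v)) for v in range(lo, hi + 1))


def expanded_cidr_len(cidr):
    """Length of an IPv4 network written out as comma-joined addresses,
    computed arithmetically (assumption: every address is listed)."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    count = net.num_addresses
    base = net.network_address.packed
    digits = 0
    for i in range(4):
        free_bits = min(8, max(0, 8 * (i + 1) - net.prefixlen))
        span = 1 << free_bits  # distinct values this octet takes
        digits += _digits(base[i], base[i] + span - 1) * (count // span)
    return digits + 3 * count + (count - 1)  # dots, then joining commas


def expanded_no_proxy_len(value):
    """Length of a no_proxy string once each IPv4 CIDR entry is expanded."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    total = max(len(entries) - 1, 0)  # commas between entries
    for entry in entries:
        try:
            total += expanded_cidr_len(entry) if "/" in entry else len(entry)
        except ValueError:  # not an IPv4 CIDR (hostname, IPv6): kept as written
            total += len(entry)
    return total


def oversized(value, limit=LIMIT):
    """True when the expanded value would exceed the limit."""
    return expanded_no_proxy_len(value) > limit


if __name__ == "__main__":
    sample = "localhost,127.0.0.1,::1,10.0.0.0/8"  # juju-no-proxy example from the page
    print(expanded_no_proxy_len(sample), oversized(sample))
```

Under these assumptions a single /24 entry already expands to 3473 characters, so the check trips well before subnets reach /16 or /8.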
