Web Proxy Requirements

HPE Ezmeral Runtime Enterprise hosts use the system web proxy configuration for all Internet access. The proxy configuration must be the same on each host in the deployment.

If your deployment is not an air-gapped deployment, HPE Ezmeral Runtime Enterprise uses the Docker service to pull images from various public registries on the Internet.

If your environment requires a web proxy, you must configure the web proxy on all hosts, as follows:
  • On the Controller, Shadow Controller, Arbiter, and Gateway hosts, configure the web proxy for the Docker service, even if all the other hosts in the deployment use the containerd runtime.
  • On Kubernetes hosts that use the Docker runtime, configure the web proxy for the Docker service.

    For example, if a Kubernetes cluster was created in a deployment of an HPE Ezmeral Runtime Enterprise release prior to 5.5.0, the hosts in that cluster continue to use the Docker runtime, even after you upgrade HPE Ezmeral Runtime Enterprise. If you expand that cluster, the hosts you add to that cluster must also use the Docker runtime. The hosts continue to use the Docker runtime until you manually migrate the cluster to the HPE distribution of Kubernetes.

  • On hosts that use the containerd runtime, configure the web proxy for the containerd service.

    For example, hosts on which you install the HPE Kubernetes distribution use the containerd runtime.

NO_PROXY Settings

When you configure web proxy settings, you can also configure NO_PROXY settings to specify what is not to be accessed through the web proxy. Hewlett Packard Enterprise recommends that you include the following items in the NO_PROXY settings:

  • The IP address of the Controller and Shadow Controller.
  • The Fully Qualified Domain Name (FQDN) of the Gateway or Gateway sets.
  • The pod DNS domain name. For example: cluster.local
  • The localhost name and IP address. For example: localhost,127.0.0.1
  • The private IP address range in CIDR format. For example: 192.168.0.0/16

Configuring the Proxy for the containerd Service

Required access rights: Platform Administrator

The web proxy for the containerd service is configured using the same method for all the host OSs supported by HPE Ezmeral Runtime Enterprise.

  1. If the following file does not exist, create the file: /etc/sysconfig/proxy

  2. Open the /etc/sysconfig/proxy file for editing.

  3. Set PROXY_ENABLED="yes"
  4. Enter the HTTP_PROXY values. For example:
    # Some programs (e.g. lynx, arena and wget) support proxies, if set in
    # the environment.
    # Example: HTTP_PROXY="http://proxy.provider.de:3128/"
    HTTP_PROXY="http://web-proxy.corp.mycorp.net:8080"
  5. Enter the HTTPS_PROXY values. For example:
    # This setting is for https connections
    HTTPS_PROXY="http://web-proxy.corp.mycorp.net:8080"
  6. Enter the NO_PROXY values. For example:
    
    # Example: NO_PROXY="www.me.de, .do.main, localhost"
    #
    NO_PROXY=".svc,localhost,10.96.0.0/12,192.168.0.0/16,.default.svc,.storage.mycorp.net,127.0.0.1,.cluster.local"
  7. Save and close the file.
  8. If containerd was already installed and running, then restart the service:
    systemctl daemon-reload
    systemctl restart containerd
    NOTE Restarting containerd brings down all running containerd containers, which disrupts any running services.

    Otherwise, when you install HPE Ezmeral Runtime Enterprise, containerd will be installed and will use the /etc/sysconfig/proxy file.
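The following check is an added example, not part of the HPE documentation or product. It audits a sysconfig-style proxy file against the NO_PROXY recommendations and the steps above, and prints a hash of the effective settings so that hosts can be compared. The function names, the Controller IP 10.1.0.5 and the Gateway FQDN gw.mycorp.net are constructed for illustration.

```shell
#!/bin/sh
# Added example, not HPE code: audit a sysconfig-style proxy file.

# Print the value assigned to KEY ($2) in FILE ($1); comment lines never match.
proxy_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Print each required entry that is absent from the file's NO_PROXY list.
missing_no_proxy() {
    f=$1; shift
    list=",$(proxy_value "$f" NO_PROXY | tr -d '[:space:]'),"
    for want in "$@"; do
        case $list in *",$want,"*) ;; *) printf '%s\n' "$want" ;; esac
    done
}

# Report problems on stdout; return 0 only if every check passes.
audit_proxy_file() {
    f=$1; shift; rc=0
    [ "$(proxy_value "$f" PROXY_ENABLED)" = yes ] || { echo "PROXY_ENABLED is not yes"; rc=1; }
    for key in HTTP_PROXY HTTPS_PROXY; do
        [ -n "$(proxy_value "$f" "$key")" ] || { echo "$key is empty"; rc=1; }
    done
    for entry in $(missing_no_proxy "$f" "$@"); do
        echo "NO_PROXY lacks $entry"; rc=1
    done
    return "$rc"
}

# Hash of the effective settings only (comments ignored), for comparing hosts.
proxy_fingerprint() {
    grep -E '^[[:space:]]*[A-Z0-9_]+=' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        sort | sha256sum | cut -d' ' -f1
}

# Constructed sample: HTTPS_PROXY is empty and two recommended entries are missing.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Example: NO_PROXY="www.me.de, .do.main, localhost"
PROXY_ENABLED="yes"
HTTP_PROXY="http://web-proxy.corp.mycorp.net:8080"
HTTPS_PROXY=""
NO_PROXY="localhost,127.0.0.1,192.168.0.0/16,.cluster.local"
EOF
# Required entries: constructed Controller IP and Gateway FQDN plus the page's examples.
audit_proxy_file "$SAMPLE" 10.1.0.5 gw.mycorp.net .cluster.local localhost 127.0.0.1 \
    192.168.0.0/16 || echo "Audit failed: correct the file before restarting containerd."
```

Run proxy_fingerprint /etc/sysconfig/proxy on each host and compare the output; differing hashes mean the proxy configuration is not the same across the deployment.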

Example Proxy File for SLES/SUSE

The following is an example of a /etc/sysconfig/proxy file for SLES/SUSE:

## Path:	Network/Proxy
## Description:
## Type:	yesno
## Default:	no
## Config:      kde,profiles
#
# Enable a generation of the proxy settings to the profile.
# This setting allows to turn the proxy on and off while
# preserving the particular proxy setup.
#
PROXY_ENABLED="yes"

## Type:	string
## Default:	""
#
# Some programs (e.g. lynx, arena and wget) support proxies, if set in
# the environment.
# Example: HTTP_PROXY="http://proxy.provider.de:3128/"
HTTP_PROXY="http://web-proxy.corp.mycorp.net:8080"

## Type:	string
## Default:	""
#
# Some programs (e.g. lynx, arena and wget) support proxies, if set in
# the environment.
# This setting is for https connections
HTTPS_PROXY="http://web-proxy.corp.mycorp.net:8080"

## Type:	string
## Default:	""
#
# Example: FTP_PROXY="http://proxy.provider.de:3128/"
#
FTP_PROXY="http://web-proxy.corp.mycorp.net:8080"

## Type:	string
## Default:	""
#
# Example: GOPHER_PROXY="http://proxy.provider.de:3128/"
#
GOPHER_PROXY=""

## Type:	string
## Default:	""
#
# Example: SOCKS_PROXY="socks://proxy.example.com:8080"
#
SOCKS_PROXY=""

## Type:	string
## Default:	""
#
# Example: SOCKS5_SERVER="office-proxy.example.com:8881"
#
SOCKS5_SERVER=""

## Type:	string(localhost)
## Default:	localhost
#
# Example: NO_PROXY="www.me.de, .do.main, localhost"
#
NO_PROXY=".svc,localhost,10.96.0.0/12,192.168.0.0/16,.default.svc,.storage.mycorp.net,127.0.0.1,.cluster.local"

Configuring the Proxy for the Docker Service (RHEL/CentOS)

Required access rights: Platform Administrator

Create any needed directories as the root user.

You can complete this task either before or after you install Docker and HPE Ezmeral Runtime Enterprise.

  1. Create the /etc/systemd/system/docker.service.d/docker-proxy.conf file that contains your HTTP_PROXY, HTTPS_PROXY, and NO_PROXY parameters:

    # Create the drop-in directory if it does not exist (run as root).
    mkdir -p /etc/systemd/system/docker.service.d
    cat <<EOF > /etc/systemd/system/docker.service.d/docker-proxy.conf
    [Service]
    Environment="HTTP_PROXY=@@@YOUR_HTTP_PROXY_PARAM@@@"
    Environment="HTTPS_PROXY=@@@YOUR_HTTPS_PROXY_PARAM@@@"
    Environment="NO_PROXY=@@@YOUR_NO_PROXY_PARAMS@@@"
    EOF
  2. If the Docker daemon was already installed and running, then restart it:

    systemctl daemon-reload 
    systemctl restart docker
    NOTE Restarting the Docker daemon brings down all running Docker containers, which disrupts any running services.

    Otherwise, when you install HPE Ezmeral Runtime Enterprise, Docker will be installed and will use the docker-proxy.conf file.

Configuring the Proxy for the HTTP/HTTPS and FTP services (RHEL/CentOS only)

Add the following lines to /etc/profile.d/set_proxy.sh, replacing items in placeholders, such as <web_proxy_url>, with your own values:

export http_proxy=<web_proxy_url>:<port>
export https_proxy=<web_proxy_url>:<port>
export ftp_proxy=<web_proxy_url>:<port>
export no_proxy="localhost,127.0.0.1,<controller_ip>,<gateway_ip>,<worker1_ip>,…,<worker_ip>"

Configuring the Proxy for the YUM packaging service (RHEL/CentOS only)

Add the proxy setting to /etc/yum.conf, replacing items in placeholders, such as <web_proxy_url>, with your own values. For example:

proxy = <web_proxy_url>:<port>