Univention Bugzilla – Bug 55561
09_updater/18proxy-special: proxy/http used for https
Last modified: 2023-01-25 12:39:33 CET
test/ucs-test/tests/09_updater/18proxy-special is failing in our internal test setup since 257 runs: https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-9/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master-part-II/testReport/09_updater/18proxy-special/master091/ > E: The repository 'https://updates-test.software-univention.de/4.4/maintained/component 4.4-9-errata-test/all/ Release' does not have a Release file. Actually in UCS 5.0-2 this is also failing, but APT seems to handle this more gracefully and only flags it as warnings: > W: Fehlschlag beim Holen von https://updates-test.software-univention.de/5.0/maintained/component/5.0-2-errata-test/all/InRelease Invalid response from proxy: HTTP/1.0 501 Unsupported method ('CONNECT') Server: UCSTestProxy/1.0 Python/3.7.3 Date: Wed, 11 Jan 2023 17:25:49 GMT Connection: close Content-Type: text/html;charset=utf-8 Content-Length: 500 [IP: 127.0.0.1 45581] > W: Einige Indexdateien konnten nicht heruntergeladen werden. Sie wurden ignoriert oder alte an ihrer Stelle benutzt. Only `18proxy-special` is failing as all other proxy tests use `config_repo proxy/http=` to configure the proxy already during the initial repository setup. This triggers UCR to re-generate `/etc/apt/sources.list.d/20_ucs-online-component.list`, where URL is validated then and thus dropped. Only for `18proxy-special` the URL is included as the validation happens BEFORE the proxy is configured. As Bug #12571 was never fixed the URL still gets used after configuring UCRV `proxy/http` and `apt-get update` does access the URL. For APT in UCS 4.4 this is an "Error", while for APT in UCS 5.0 this is only a "Warning". This probably happens since for Bug #55044 we changed `activate-errata-test-scope.sh` to setup that errata repository using `https://`, which is still used while running the tests. UCRV "proxy/https" is never set and since Bug #39922 the updater then defaults to UCRV `proxy/http` and uses the same dummy `proxy.py`, which does NOT implement HTTP `CONNECT`, which is required for proxying encrypted HTTP connections. Sadly the UCR template `base/univention-base-files/conffiles/etc/apt/apt.conf.d/80proxy` does not support setting an empty UCRV `proxy/https=""` to disable using any proxy for HTTPS, which the following patch would add: diff --git base/univention-base-files/conffiles/etc/apt/apt.conf.d/80proxy base/univention-base-files/conffiles/etc/apt/apt.conf.d/80proxy index bb6835cdf3..6ab6bfc6d4 100644 --- base/univention-base-files/conffiles/etc/apt/apt.conf.d/80proxy +++ base/univention-base-files/conffiles/etc/apt/apt.conf.d/80proxy @@ -17,10 +17,8 @@ if proxy: if '://' not in proxy: proxy = 'http://%s' % proxy print_proxy(proxy, 'http') - if not configRegistry.get('proxy/https', None): - print_proxy(proxy, 'https') -proxy = configRegistry.get('proxy/https', None) +proxy = configRegistry.get('proxy/https', proxy) if proxy: if '://' not in proxy: proxy = 'http://%s' % proxy
See https://git.knut.univention.de/univention/ucs/-/commits/phahn/55561_proxy5 [phahn/55561_proxy5] d507836882 test(updater): Always create Release files 1. Fixes my issues that running `./47component-auth` failed for me because `5.0/maintained/component/testXXXXX/all/Release` was not created, which `apt-get update` expected to find [phahn/55561_proxy5] c23fc3f1ef test(updater): proxy 2. Adds "HTTP CONNECT" support to proxy.py to make it usable as an proxy for https:// [phahn/55561_proxy5] f1eb543a8b fix: proxy/https defaulting 3. Move the fallback handling of UCRV "proxy/https" to "proxy/http" to the default layer instead of having it multiple times. [phahn/55561_proxy5] 81f2256dff fix(USS): Separate proxy/https setting 4. Allow to configure UCRV `proxy/https` explicitly [phahn/55561_proxy5] 556c5b5a4d style(ClamAV): proxy/http parsing 5. Use `urllib.parse.urlpase` instead of hand-crafted code [phahn/55561_proxy5] 8776d4acda doc: UCRV proxy/https 6. Update manuals to current state; will hopefully go in first by https://git.knut.univention.de/univention/ucs/-/merge_requests/613 [phahn/55561_proxy5] d405dbbc49 fix: Also handle UCRV proxy/https 7. Actually use the configures HTTPS proxy for HTTP, not the HTTP proxy. 1 & 2 & 6 should go in ASAP, the rest is for later on your convenience.
OK: ed949961 test(updater): Always create Release files OK: 0115afd3 test(updater): proxy ucs-test 10.0.7-31A~5.0.0.202301231127 No proxy tests fail currently. CLOSED directly, as there is nothing to be released separately