Configuring virt-who to support a different proxy from Satellite

Overview

In many environments, proxy servers are used to restrict (and sometimes inspect) traffic from servers destined to the Internet.

Background

By default, both subscription-manager and virt-who rely on python-rhsm for their proxy configuration. This configuration is stored in /etc/rhsm/rhsm.conf and can be set either by editing that file or with the subscription-manager config command.

When configuring virt-who, sometimes it is desired to use a different proxy (or NO proxy at all) when virt-who connects to the virtualization fabric.

Default configuration.

In the default configuration, virt-who will use the proxy settings as defined in /etc/rhsm/rhsm.conf to connect to any virtualization fabrics. See the example configuration below.

#  grep proxy /etc/rhsm/rhsm.conf
# an http proxy server to use
proxy_hostname = proxy.example.com
# port for http proxy server
proxy_port = 3128
# user name for authenticating to an http proxy, if needed
proxy_user =
# password for basic http proxy auth, if needed
proxy_password =

Both virt-who and RHSM traffic (such as to subscription.rhsm.redhat.com) will traverse the proxy server.

Scenario 1: Configuring virt-who to use NO proxy.

Sometimes it is desired to NOT use the same proxy for both virt-who and RHSM traffic. In many environments, the proxy server doesn't allow itself to contact systems which are also on the local network. It is only allowed to be used to connect to systems which are external (such as the Internet). In this scenario, it is desired to negate or disable the proxy that is defined in /etc/rhsm/rhsm.conf and use no proxy at all.

Requirements

  • python-rhsm >= 1.17.9-1
  • virt-who >= 0.17-11

Example Configuration

In this example, Satellite is configured to use a proxy as per the following in /etc/rhsm/rhsm.conf

#  grep proxy /etc/rhsm/rhsm.conf
# an http proxy server to use
proxy_hostname = proxy.example.com
# port for http proxy server
proxy_port = 3128
# user name for authenticating to an http proxy, if needed
proxy_user =
# password for basic http proxy auth, if needed
proxy_password =

Additionally, virt-who is installed on the Satellite with the following configuration

cat /etc/virt-who.d/fabric_1.conf
[fabric_1]
type=esx
server=vmware.example.com
username=administrator@vSphere.local
encrypted_password=[REDACTED]
owner=Example
env=Library
hypervisor_id=hostname
rhsm_hostname=satellite.example.com
# Username in Satellite
rhsm_username=admin
rhsm_encrypted_password=[REDACTED]

To effectively negate the proxy configuration, forcing Satellite to connect directly to the virtualization provider, add NO_PROXY=* to the /etc/sysconfig/virt-who file.

# grep PROXY /etc/sysconfig/virt-who
NO_PROXY=*

If the virt-who service is installed directly on a Satellite server that has a proxy configured between itself and the CDN, it is also required to set rhsm_no_proxy=* in the /etc/virt-who.d/example.conf config files or in /etc/virt-who.conf. Otherwise virt-who will attempt to send the guest-host mapping to the Satellite over the proxy, which may fail.

# grep no_proxy /etc/virt-who.d/fabric_1.conf
rhsm_no_proxy=*

Note: the values in /etc/sysconfig/virt-who are environment variables, and are usually sourced only during daemon runs. If it is desired to run virt-who in one-shot mode, the values in /etc/sysconfig/virt-who need to be explicitly exported.

Set bash to export variables by default

set -a

Source the variables

source /etc/sysconfig/virt-who

Run virt-who in one-shot mode

virt-who -o

Scenario 2: Configuring virt-who to use a different proxy than the Satellite

Sometimes it is desired to NOT use the same proxy for both virt-who and RHSM traffic. In many environments, the proxy server doesn't allow itself to contact systems which are also on the local network. It is only allowed to be used to connect to systems which are external (such as the Internet). In this scenario, an organization may have a separate proxy used to connect to other internal resources, which is different from the proxy used to connect externally. This requires a proxy to be set for virt-who data which differs from the one the Satellite uses.

Requirements

  • virt-who >= 0.14

Example Configuration

In this example, Satellite is configured to use a proxy as per the following in /etc/rhsm/rhsm.conf

#  grep proxy /etc/rhsm/rhsm.conf
# an http proxy server to use
proxy_hostname = proxy.example.com
# port for http proxy server
proxy_port = 3128
# user name for authenticating to an http proxy, if needed
proxy_user =
# password for basic http proxy auth, if needed
proxy_password =

Additionally, virt-who is installed on the Satellite with the following configuration

cat /etc/virt-who.d/fabric_1.conf
[fabric_1]
type=esx
server=vmware.example.com
username=administrator@vSphere.local
encrypted_password=[REDACTED]
owner=Example
env=Library
hypervisor_id=hostname
rhsm_hostname=satellite.example.com
# Username in Satellite
rhsm_username=admin
rhsm_encrypted_password=[REDACTED]

Lastly, add the rhsm_proxy_hostname, rhsm_proxy_port, and (if needed) the rhsm_proxy_user, rhsm_proxy_password and/or rhsm_encrypted_proxy_password options to the virt-who configuration file in /etc/virt-who.d/*.conf

From virt-who-config(5):

rhsm_proxy_hostname
  Optional proxy host name for the Subscription Asset Manager or Satellite 6 server to use in place of the proxy host name defined in the system's rhsm.conf.

rhsm_proxy_port
  Optional proxy port for the Subscription Asset Manager or Satellite 6 server to use in place of the proxy port defined in the system's rhsm.conf.

rhsm_proxy_user
  Optional proxy username for the Subscription Asset Manager or Satellite 6 server to use in place of the proxy username defined in the system's rhsm.conf.

rhsm_proxy_password
  Optional proxy password for the Subscription Asset Manager or Satellite 6 server to use in place of the proxy password defined in the system's rhsm.conf.

rhsm_encrypted_proxy_password
  Alternative to the rhsm_proxy_password option; encrypted password generated by the virt-who-password(8) utility.

For this example, add to /etc/virt-who.d/fabric_1.conf:

rhsm_proxy_hostname = internal-proxy.example.com
rhsm_proxy_port = 3128
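
To check which path each fabric file actually ends up with after applying Scenario 1 or Scenario 2, the following added example (not part of the original article and not Red Hat's code) reads rhsm.conf and a virt-who drop-in and reports the resulting route to rhsm_hostname, and flags a cleartext proxy password where rhsm_encrypted_proxy_password could be used instead. The function names and the precedence model (rhsm_no_proxy first, then the per-fabric rhsm_proxy_* options, then rhsm.conf) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not Red Hat's code. Assumptions: one [section] per drop-in;
# rhsm_no_proxy is "*" or comma-separated host suffixes and wins over proxies.

# get_opt FILE KEY: print the value of the last "KEY = value" line, trimmed.
get_opt() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) out = val
        }
        END { print out }' "$1"
}

# rhsm_route RHSM_CONF FABRIC_CONF: path this fabric's reports take to
# rhsm_hostname. The body is a subshell so IFS and "set -f" do not leak.
rhsm_route() (
    host=$(get_opt "$2" rhsm_hostname)
    IFS=', '; set -f            # split on commas; keep "*" from globbing
    for entry in $(get_opt "$2" rhsm_no_proxy); do
        [ -n "$entry" ] || continue
        if [ "$entry" = "*" ]; then echo "direct (rhsm_no_proxy)"; return; fi
        case $host in *"$entry") echo "direct (rhsm_no_proxy)"; return ;; esac
    done
    phost=$(get_opt "$2" rhsm_proxy_hostname)
    if [ -n "$phost" ]; then
        echo "proxy $phost:$(get_opt "$2" rhsm_proxy_port) (fabric override)"; return
    fi
    phost=$(get_opt "$1" proxy_hostname)
    if [ -n "$phost" ]; then
        echo "proxy $phost:$(get_opt "$1" proxy_port) (rhsm.conf)"; return
    fi
    echo "direct (no proxy configured)"
)

# plaintext_proxy_secret FILE: succeeds if a cleartext proxy password is set.
plaintext_proxy_secret() {
    [ -n "$(get_opt "$1" rhsm_proxy_password)" ] || [ -n "$(get_opt "$1" proxy_password)" ]
}

for f in /etc/virt-who.d/*.conf; do
    [ -f "$f" ] || continue
    printf '%s: %s\n' "$f" "$(rhsm_route /etc/rhsm/rhsm.conf "$f")"
    plaintext_proxy_secret "$f" && echo "  cleartext proxy password in $f" || :
done
```

Run it as root, since the files under /etc/virt-who.d are normally not world-readable. It only covers the virt-who to Satellite/RHSM leg; the NO_PROXY environment variable in /etc/sysconfig/virt-who is not evaluated here.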

For more KB articles/solutions related to Virt-who and Virtual Datacenter (VDC) Subscriptions Issues, please refer to the Consolidated Troubleshooting Article for Virt-who and Virtual Datacenter (VDC) Subscriptions Issues
