Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

podman passes down http_proxy when it shouldnt #24838

Open
mattp- opened this issue Dec 13, 2024 · 7 comments
Open

podman passes down http_proxy when it shouldnt #24838

mattp- opened this issue Dec 13, 2024 · 7 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@mattp-
Copy link

mattp- commented Dec 13, 2024

Issue Description

$ env HTTPS_PROXY=x podman run --rm -it --entrypoint printenv scrubbed.com/rhel8 | grep HTTPS
HTTPS_PROXY=x
$ env HTTPS_PROXY=x docker run --rm -it --entrypoint printenv scrubbed.com/rhel8 | grep HTTPS
$ 

outside of the difference in behavior with docker; it seems like strange behavior to pass down at runtime. setting http_proxy in container.conf would be more sensible; but taking the shell's proxy var could lead to unexpected failure.

Steps to reproduce the issue

see above excerpt

Describe the results you received

Describe the results you received

Describe the results you expected

Describe the results you expected

podman info output

(master)✗ % podman version
Client:       Podman Engine
Version:      4.9.4-rhel
API Version:  4.9.4-rhel
Go Version:   go1.21.11 (Red Hat 1.21.11-1.el9_4)
Built:        Thu Aug  8 04:51:41 2024
OS/Arch:      linux/amd64

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

Additional environment details

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

@mattp- mattp- added the kind/bug Categorizes issue or PR as related to a bug. label Dec 13, 2024
@rhatdan
Copy link
Member

rhatdan commented Dec 13, 2024

man podman run
...
   --http-proxy
       By default proxy environment variables are passed into the container if set for the Podman process. This can be disabled by setting the value to false.  The environment variables  passed
       in  include  http_proxy,  https_proxy,  ftp_proxy, no_proxy, and also the upper case versions of those. This option is only needed when the host system must use a proxy but the container
       does not use any proxy. Proxy environment variables specified for the container in any other way overrides the values that have been passed through from the host. (Other ways to  specify
       the  proxy  for the container include passing the values with the --env flag, or hard coding the proxy environment at container build time.)  When used with the remote client it uses the
       proxy environment variables that are set on the server process.

       Defaults to true.

@mattp-
Copy link
Author

mattp- commented Dec 13, 2024

should the default mimic docker for interchangeability? I'm not sure what the actual policy is for podman other than it seems to try to, most of the time.

@rhatdan
Copy link
Member

rhatdan commented Dec 13, 2024

Well I don't know, except that if we change the default it would be a breaking change. We could change it in Podman 6.0

@rhatdan
Copy link
Member

rhatdan commented Dec 13, 2024

You can modify the containers.conf to set this setting to false.

# Default proxy environment variables passed into the container.
# The environment variables passed in include:
# http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of
# these. This option is needed when host system uses a proxy but container
# should not use proxy. Proxy environment variables specified for the container
# in any other way will override the values passed from the host.
#
#http_proxy = true

@mattp-
Copy link
Author

mattp- commented Dec 13, 2024

my humble opinion would be it would make sense in this scenario, one less thing for people in a corporate environment to fight with when doing an s/docker/podman/ attempt

@vrothberg
Copy link
Member

Well I don't know, except that if we change the default it would be a breaking change. We could change it in Podman 6.0

That's hard to balance. Since it impacts Docker compat, we could make an argument for a bug fix which wouldn't require a major version. On the other hand, we don't know who is already depending on that behavior.

@mattp- do you have a suggestion how to make the behavior easier to discover? Blog post, docs, etc?

@mattp-
Copy link
Author

mattp- commented Dec 16, 2024

@vrothberg I think if the behavior were to change it would make sense to couple it to a major version change, not a bug fix. I'm not sure how this would be easily discoverable other than stumbling upon it.

I will say back-compat aside, it was a bit unexpected for podman to leak this specific piece of config into the container without being asked. it broke in my workplace because we use tinyproxy , so our http_proxy=127.0.0.1, which of course did not work in container. maybe that's unlikely for other users that are behind a corporate proxy.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Development

No branches or pull requests

3 participants