Puppet, proxies and PCI

If you’ve ever had to work in a PCI environment, you’ll know they’re secure (or at least, they should be). A good PCI environment will be firewalled off from the rest of your network and what gets installed on those machines is very strictly controlled.

Or, you might have a secure environment where none of your machines have direct connection to the internet and go via a proxy.. anyway this presents a bit of a problem in the puppet world.

Puppet can use apt / yum / whatever your package manager is, but in many cases on CentOS/Redhat systems, puppet will use the rpm command. This in turn also uses curl for the downloading bit. Now you might have already configured yum with a proxy, and you might have set the http_proxy environment variable but it still doesn’t work. The problem now is that we need a proxy to get out of the network, and even with a proxy set elsewhere, the rpm command when run by puppet will fail and puppet will give you a message like

Execution of ‘/usr/bin/rpm -i’ … returned 1: curl: (7) Failed to connect to <some IP> : Network is unreachable error: skipping <url> – transfer failed

yet when you did a curl on the command line from that machine, it worked (because you’ve got the http_proxy variable set right?) to make matters even more cryptic, if you happen to have IPv6 working properly, you might even see a message that it failed to connect to an IPv6 address leaving you thinking this is an IPv6 problem … but it isn’t. You’ll only see this message if IPv4 failed as well.

The solution to our problem, is the “install-options” parameter which we can use in puppet like this

package { "some-package":
  ensure => installed, 
  provider => 'rpm',
  source => "https://somewebsite.com/somepackage"
  install_options => [{'--httpproxy' => 'http://myproxy.mycompany.com:3128'}],
}

Now things install properly. Just remember that you need to be able to hit that proxy now in order for things to work. If you use vagrant for development, you might want to add in an if statement that checks to see what environment you are in and sets the proxy accordingly.

Related Post

Leave a Reply

Your email address will not be published. Required fields are marked *