Installing Rancher Agent on Ubuntu Hosts running behind HAProxy

We have the Rancher Hosts running behind an http proxy for internet access.

  1. Base OS - Ubuntu 16.04
  2. We have enabled the http_proxy variable in /etc/environment and also in the /etc/default/docker file.
  3. Updated the Environment (http_proxy) variable in /etc/systemd/system/docker.service.d/http-proxy.conf

When we launch a container with the above settings in place, the http_proxy variable doesn’t show any value inside the container. The container is not able to access the internet. But once we set the http_proxy variable from inside the container, it works fine.

When we use this setup for installing Rancher Agent, it is not able to install successfully, as Rancher Agent launches multiple containers and tries to download from the internet, which fails. We can pass http_proxy as an environment variable during launch, but this works only for the first container, and the downloads of subsequent containers time out.

Can someone let me know if anything is being missed in the setup? How can we install Rancher Agent with this setup?

Hi @gsethu

As I understand, you have HAProxy in front of your Rancher host, and your network requires a proxy to connect to the outside world?

Could you tell me how you run your Rancher server? Do you run it with an advertised Rancher IP?
Could you provide the log?

Yes correct. The setup is given below.

Rancher Server - Sitting behind HAProxy for inbound/outbound access in one AWS region.
Rancher Hosts - Sitting behind HAProxy for inbound/outbound access in another AWS region.

While installing the Rancher agent, the following error is displayed. If we give the hosts direct access to the outside world, then the agent gets installed successfully.

=========
INFO: Running Agent Registration Process, CATTLE_URL=https://rancherserver/v1
INFO: Attempting to connect to: https://rancherserver/v1

ERROR: https://rancherserver/v1 is not accessible

=========

Could you paste your docker run command for the docker server with stripped data (but leave the first part of the IP, because on AWS there can be an error)?

Also, are you sure good routing rules and proper AWS restrictions are in place? (You can check by trying to connect manually via curl to the domain, doing a traceroute, etc.)

On the rancher hosts, we are running the following commands:

sudo docker run -d --privileged -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/rancher:/var/lib/rancher rancher/agent:v1.2.1 https://rancherserver-dnsname/v1/scripts/token-string

We also raised a request in the Docker forums on the proxy issue. If we use the http_proxy variable explicitly, the first container gets launched successfully but subsequent containers don’t get launched successfully.

I was talking about the Rancher server run command; this one is +/- OK.
When you use Rancher server behind HAProxy, use --advertise-address <IP_of_the_Node>, and ensure that containers can connect to the Rancher servers behind HAProxy (more in the HA documentation).

About your request to the Docker team: setting http_proxy envs in the Docker daemon is only for the Docker engine (mainly pulling images); this parameter is not passed into Docker containers. We treat them as separate operating systems. It is also not used during builds (you should use --build-arg and then pass proxy parameters per build).
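The distinction drawn in the reply above, as an added example that is not part of the original thread: it compares the proxy settings the Docker daemon gets from a systemd drop-in with the environment a container actually has, as reported by `docker inspect`. The proxy host, the sample drop-in and inspect output, and all function names are constructed for illustration.

```python
import json
import shlex

PROXY_KEYS = {"http_proxy", "https_proxy", "no_proxy"}

# Constructed sample of a docker.service.d/http-proxy.conf drop-in (proxy host is made up).
DROPIN = """\
[Service]
Environment="HTTP_PROXY=http://proxy.example.internal:3128/" "NO_PROXY=localhost,127.0.0.1"
Environment="HTTPS_PROXY=http://proxy.example.internal:3128/"
"""

# Constructed `docker inspect <container>` output, trimmed to the fields used here.
INSPECT_PLAIN = '[{"Name": "/agent", "Config": {"Env": ["PATH=/usr/bin:/bin"]}}]'
INSPECT_WITH_E = ('[{"Name": "/agent", "Config": {"Env": ["PATH=/usr/bin:/bin", '
                  '"http_proxy=http://proxy.example.internal:3128/"]}}]')


def proxy_vars(assignments):
    """Pick proxy settings out of KEY=VALUE strings, keyed by lower-cased name."""
    found = {}
    for item in assignments:
        key, sep, value = item.partition("=")
        if sep and key.lower() in PROXY_KEYS:
            found[key.lower()] = value
    return found


def daemon_proxy(dropin_text):
    """Proxy settings the Docker daemon receives from systemd Environment= lines."""
    tokens = []
    for line in dropin_text.splitlines():
        line = line.strip()
        if line.startswith("Environment="):
            tokens.extend(shlex.split(line[len("Environment="):]))
    return proxy_vars(tokens)


def container_proxy(inspect_json):
    """Proxy settings actually present in a container's own environment."""
    env = json.loads(inspect_json)[0]["Config"]["Env"] or []
    return proxy_vars(env)


def missing_in_container(dropin_text, inspect_json):
    """Proxy variables the daemon has but the container does not."""
    inside = container_proxy(inspect_json)
    return sorted(k for k in daemon_proxy(dropin_text) if k not in inside)
```
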

Our setup is as follows:

Rancher server is in an AWS VPC. We can access the Rancher Server via HAProxy and it uses squid proxy for external access. We also have configured HA for Rancher as mentioned in the document (with the advertise-address option). Rancher server got installed successfully.

Rancher hosts sit in another AWS VPC. The hosts can be accessed via HAProxy and they also use squid proxy to access the internet.

On the Rancher hosts, when we try to install the Rancher Agent (as given above), it is not able to download all the containers, as the host needs to reach the internet via squid proxy. If we specify the option -e http_proxy="a.b.c.d", the first container (rancher agent) gets downloaded but it is not able to reach the internet to download the subsequent containers (network, ipsec etc).

If the hosts are provided direct access to the internet, all the containers are downloaded and installed successfully.

Can you let me know how we install Rancher agent on a host that uses a proxy for internet access? Are we missing any setting here?