Configuring Triton to use a proxy
This document explains how to configure Triton to use a proxy. Both authenticated and unauthenticated proxies are supported.
Requirements
Proxy support requires versions of the following core services with version strings newer than 20150901.
- sdc
- imagapi
- sdc-docker
- sdcadm
Customers with a current Triton support contract who have questions about the ability of their current core service release components to handle proxy traffic should contact MNX support via portal.mnxsolutions.com.
Required Sites
Your proxy will, at a minimum, need to allow access to the following sites:
| Site | Purpose | Notes |
|---|---|---|
| updates.tritondatacenter.com | Updates for Triton core services | Required for Triton to operate |
| images.smartos.org | MNX seed images | Required for Triton to operate |
| index.docker.io | Docker images | Optional; needed if you wish to pull from Docker Hub |
| registry.hub.docker.com | Docker images | Optional; needed if you wish to pull from Docker Hub |
Additionally, you will need to allow access to any other docker repositories that you will pull from.
Configuring Triton to use your proxy
For an unauthenticated proxy:
headnode# sapiadm update $(sdc-sapi /applications?name=sdc | json -H 0.uuid) \
metadata.http_proxy=http://YourProxy:YourProxyPortFor an authenticated proxy:
headnode# sapiadm update $(sdc-sapi /applications?name=sdc | json -H 0.uuid) \
metadata.http_proxy=http://YourProxyUser:YourProxyPassword@YourProxy:YourProxyPortThis change will take up to five minutes to propagate to the relevant core services.
Note: The Triton config variable is http_proxy whether your proxy URL is http:// or https://.
Check and test your configuration
You can run the following tests to confirm proxy access and validate your configuration. If you have custom sites, you will need to adjust accordingly.
-
The following command should return the URL for your proxy:
headnode# sdc-sapi /applications?name=sdc | json -H 0.metadata.http_proxy -
Testing the image server endpoints from the head node
headnode# updates-imgadm ping pong headnode# joyent-imgadm ping pong -
Testing the
sdcadmtool to verify we are able to contact the update server; this should return without errors. Note that the number of images and the versions returned may vary depending on the contents of the update channels.headnode# sdcadm avail SERVICE IMAGE VERSION portolan 81faa870-a96b-11e5-a150-b75f8f0ccedd portolan@release-20151224-20151223T114815Z-g7028219 rabbitmq 17038a46-a96b-11e5-acff-3b5a22d9aa45 rabbitmq@release-20151224-20151223T114438Z-gb1ad38d
Additional troubleshooting
The following tests use curl directly for testing, and are designed to help diagnose proxy issues by providing the actual response codes and responses received.
-
Testing the images.smartos.org and updates.tritondatacenter.com
pingendpoints using curl- Unauthenticated:
headnode# https_proxy=http://YourProxy:YourProxyPort curl -vi https://images.smartos.org/ping headnode# https_proxy=http://YourProxy:YourProxyPort curl -vi https://updates.tritondatacenter.com/ping- Authenticated:
headnode# https_proxy=http://YourProxyUser:YourProxyPassword@YourProxy:YourProxyPort curl -vi https://images.smartos.org/ping headnode# https_proxy=http://YourProxyUser:YourProxyPassword@YourProxy:YourProxyPort curl -vi https://updates.tritondatacenter.com/ping -
Testing access to index.docker.io
- Unauthenticated:
headnode# https_proxy=https://YourProxy:YourProxyPort curl -vi https://index.docker.io/v2- Authenticated:
headnode# https_proxy=https://YourProxyUser:YourProxyPassword@YourProxy:YourProxyPort curl -vi https://index.docker.io/v2
