http_proxy is used even for https #7367

Closed
tkopecek opened this issue Aug 19, 2020 · 7 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@tkopecek

tkopecek commented Aug 19, 2020

/kind bug

Description

When http_proxy is set in the environment, podman uses it (at least for communication with the registry) even for https connections. Whether https_proxy exists or not is not relevant. http_proxy should be used only for http requests.

Steps to reproduce the issue:

$ unset https_proxy HTTPS_PROXY
$ export http_proxy=localhost:3128
$ podman pull fedora:latest
Trying to pull registry.fedoraproject.org/fedora:latest...
  Get "https://registry.fedoraproject.org/v2/": x509: certificate signed by unknown authority
Trying to pull registry.access.redhat.com/fedora:latest...
  Get "https://registry.access.redhat.com/v2/": x509: certificate signed by unknown authority
Trying to pull registry.centos.org/fedora:latest...
  Get "https://registry.centos.org/v2/": x509: certificate signed by unknown authority
Trying to pull docker.io/library/fedora:latest...
  Get "https://registry-1.docker.io/v2/": x509: certificate signed by unknown authority
Error: unable to pull fedora:latest: 4 errors occurred:
        * Error initializing source docker://registry.fedoraproject.org/fedora:latest: error pinging docker registry registry.fedoraproject.org: Get "https://registry.fedoraproject.org/v2/": x509: certificate signed by unknown authority
        * Error initializing source docker://registry.access.redhat.com/fedora:latest: error pinging docker registry registry.access.redhat.com: Get "https://registry.access.redhat.com/v2/": x509: certificate signed by unknown authority
        * Error initializing source docker://registry.centos.org/fedora:latest: error pinging docker registry registry.centos.org: Get "https://registry.centos.org/v2/": x509: certificate signed by unknown authority
        * Error initializing source docker://fedora:latest: error pinging docker registry registry-1.docker.io: Get "https://registry-1.docker.io/v2/": x509: certificate signed by unknown authority

$ unset http_proxy
$ podman pull fedora:latest
Trying to pull registry.fedoraproject.org/fedora:latest...
Getting image source signatures
Copying blob dd9f43919ba0 [--------------------------------------] 0.0b / 0.0b
Copying config 00ff39a8bf done  
Writing manifest to image destination
Storing signatures
00ff39a8bf19f810a7e641f7eb3ddc47635913a19c4996debd91fafb6b379069

Output of podman version:

podman version
Version:      2.0.4
API Version:  1
Go Version:   go1.14.6
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

Package info (e.g. output of rpm -q podman or apt list podman):

podman-2.0.4-1.fc32.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):
Physical box, updated f32; the proxy is squid with https enabled. Anyway, it has a self-signed certificate which is not trusted in the environment where podman is running. So maybe it is relevant: if it were trusted, you might not notice (except in the proxy log) that the proxy is used.

@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Aug 19, 2020
@rhatdan
Member

rhatdan commented Aug 19, 2020

I would think this is a golang bug, since we do not use the environment variables directly.

@rhatdan
Member

rhatdan commented Aug 19, 2020

@giuseppe @mtrmac @vrothberg WDYT?

@mtrmac
Collaborator

mtrmac commented Aug 19, 2020

AFAICS this is just http.ProxyFromEnvironment. I think it’s hard to maintain and use if Podman invents its own behavior, or papers over Go differing from Linux, if that’s the case — instead, the Go standard library should be changed (or maybe patched by a Linux distribution).
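To check what http.ProxyFromEnvironment, the function named in the comment above, selects for the registry URLs in this report, the following added example (not part of the issue thread or of Podman's code) recreates the reporter's environment and prints the choice for both http:// and https://. The helper names `issueEnv` and `proxyFor` are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
)

// Registry hosts taken from the pull output in the report.
var registries = []string{
	"registry.fedoraproject.org",
	"registry.access.redhat.com",
	"registry.centos.org",
	"registry-1.docker.io",
}

// issueEnv recreates the reporter's environment: only http_proxy is set.
// Call it before the first proxyFor call, because net/http reads the proxy
// variables once per process and caches them.
func issueEnv() {
	for _, k := range []string{"HTTP_PROXY", "https_proxy", "HTTPS_PROXY",
		"no_proxy", "NO_PROXY", "REQUEST_METHOD"} {
		os.Unsetenv(k)
	}
	os.Setenv("http_proxy", "localhost:3128")
}

// proxyFor returns the proxy URL http.ProxyFromEnvironment picks for rawURL,
// or "direct" when the request would bypass any proxy.
func proxyFor(rawURL string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return "", err
	}
	p, err := http.ProxyFromEnvironment(req)
	if err != nil {
		return "", err
	}
	if p == nil {
		return "direct", nil
	}
	return p.String(), nil
}

func main() {
	issueEnv()
	for _, host := range registries {
		plain, _ := proxyFor("http://" + host + "/v2/")
		tls, _ := proxyFor("https://" + host + "/v2/")
		fmt.Printf("%-28s http via %-22s https via %s\n", host, plain, tls)
	}
}
```

Build it with the same Go toolchain as the binary under investigation, since the selection logic lives in the standard library that toolchain ships.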

@giuseppe
Member

I agree, I don't think we have to handle it differently from Podman

@mheon
Member

mheon commented Aug 19, 2020

@tkopecek You'll probably need to file an issue against https://github.com/golang/go given this is behavior from the Go standard library

@tkopecek
Author

Filed golang/go#40909

@rhatdan
Member

rhatdan commented Aug 19, 2020

We can follow this there.

@rhatdan rhatdan closed this as completed Aug 19, 2020
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023