Zincati ignores SOCKS proxy settings #2067

@Clancy508

Describe the bug

I'm setting up a handful of CoreOS nodes running behind a SOCKS5 proxy following this guide to setting up proxied access (https://docs.fedoraproject.org/en-US/fedora-coreos/proxy/) and I can't get the nodes to update. rpm-ostree seems to work properly: it can download and overlay new packages just fine, but running rpm-ostree update --bypass-driver fails due to verification (this seems intentional from the discussion of the OCI/bootc migration). Zincati just times out whenever it tries to run. Of note, if I open up the firewall for direct connections to the internet on a test system, Zincati suddenly realises there's an update and triggers rpm-ostree to stage it. Tracking the proxy logs shows that rpm-ostree connects via the proxy but Zincati never hits it. The proxy logs remain empty if the firewall is up; if it's down, then Zincati pulls the update manifest without any proxy logs, with the subsequent rpm-ostree activity appearing in the logs.

Reproduction steps

  1. Set up a SOCKS5 proxy
  2. Set up a CoreOS node without direct internet access
  3. Configure the CoreOS node for proxied internet access per https://docs.fedoraproject.org/en-US/fedora-coreos/proxy/

Expected behavior

Zincati should use the proxy. The underlying request library Reqwest supports SOCKS5 proxies and rpm-ostree correctly uses the proxy with the exact same environment variables set.

Actual behavior

Zincati silently ignores the proxy and just times out. If direct internet access is allowed, Zincati connects directly to the update server without touching the proxy.

System details

  • Bare metal/ISO install on Proxmox VMs
  • Tested multiple versions of CoreOS stable all with latest released Zincati version 0.0.30

Butane or Ignition config

variant: fcos
version: 1.6.0
kernel_arguments:
  should_exist:
    - console=tty0 console=ttyS0,115200n8
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - [ssh key]
storage:
  files:
# Set Zincati update policy timing
    - path: /etc/zincati/config.d/90-strategy.toml
      contents:
        inline: |
          [identity]
          rollout_wariness = 0.1

# Set up proxy environment file
    - path: /etc/proxy.env
      contents:
        inline: |
          all_proxy="socks5h://192.168.0.10"
          http_proxy="socks5h://192.168.0.10"
          https_proxy="socks5h://192.168.0.10"
          no_proxy="127.0.0.1,192.168.0.10,localhost"

# Set up proxy for interactive sessions
    - path: /etc/profile.d/proxy.sh
      contents:
        inline: export $(cat /etc/proxy.env | xargs)

systemd:
  units:
# Set up proxy dropins for rpm-ostree, rpm-ostree-countme, and Zincati
    - name: rpm-ostreed.service
      dropins:
        - name: 90-proxy.conf
          contents: |
            [Service]
            EnvironmentFile=/etc/proxy.env
    - name: rpm-ostree-countme.service
      dropins:
        - name: 90-proxy.conf
          contents: |
            [Service]
            EnvironmentFile=/etc/proxy.env
    - name: zincati.service
      dropins:
        - name: 90-proxy.conf
          contents: |
            [Service]
            EnvironmentFile=/etc/proxy.env

Additional information

Zincati does work in an equivalent setup using an HTTP-based proxy, although as mentioned it should just work with SOCKS5 given that Reqwest supports it.
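
A way to rule out an env-file or drop-in problem for a setup like the one reported above, as an added example that is not part of the original report or of Zincati: it lists the scheme of each proxy variable in an EnvironmentFile-style file and checks that a process environment actually carries them. The function names `proxy_vars` and `env_has_proxy_vars` are hypothetical, and the sample file is constructed from the config in the report.

```shell
#!/bin/sh
# Added example (not from the report). Function names are hypothetical.

# proxy_vars FILE: print "name scheme value" for each proxy variable in a
# systemd EnvironmentFile-style file (KEY=VALUE, optional surrounding quotes).
proxy_vars() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|';'*) continue ;; esac
        name=${line%%=*}
        value=${line#*=}
        case $value in
            \"*\") value=${value#\"}; value=${value%\"} ;;
            \'*\') value=${value#\'}; value=${value%\'} ;;
        esac
        case $name in
            all_proxy|http_proxy|https_proxy|ALL_PROXY|HTTP_PROXY|HTTPS_PROXY) ;;
            *) continue ;;
        esac
        case $value in
            *://*) scheme=${value%%://*} ;;
            *)     scheme=none ;;
        esac
        printf '%s %s %s\n' "$name" "$scheme" "$value"
    done < "$1"
}

# env_has_proxy_vars FILE ENVIRON: succeed only if every proxy variable in
# FILE is present, with the same value, in ENVIRON (NUL-separated, the
# format of /proc/PID/environ).
env_has_proxy_vars() {
    _live=$(tr '\000' '\n' < "$2")
    proxy_vars "$1" | while read -r name scheme value; do
        printf '%s\n' "$_live" | grep -qxF -- "$name=$value" || exit 1
    done
}

# Constructed sample mirroring /etc/proxy.env from the config above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
all_proxy="socks5h://192.168.0.10"
http_proxy="socks5h://192.168.0.10"
https_proxy="socks5h://192.168.0.10"
no_proxy="127.0.0.1,192.168.0.10,localhost"
EOF
proxy_vars "$sample"

# On a node (as root):
#   env_has_proxy_vars /etc/proxy.env \
#     "/proc/$(systemctl show -p MainPID --value zincati.service)/environ"
```

If the check succeeds for `zincati.service`, the variables reached the process and the drop-in is not at fault.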
