We have moved to a new Sailfish OS Forum. Please start new discussions there.
0

Can not refresh packages on SOS emulator behind corporate firewall (proxy) [answered]

asked 2014-08-01 17:06:33 +0200

Nekron gravatar image

updated 2015-01-23 18:34:14 +0200

I am trying to refresh packages on SOS emulator. I ssh'ed into the emu and added "export https_proxy", "export http_proxy" and "export ftp_proxy" to my corporate http(s)-proxy.

However when I try to update packages by executing "pkcon refresh" I get the following error:

[root@SailfishEmul connman]# pkcon refresh
Refreshing cache
Waiting in queue
Waiting for authentication
Waiting in queue
Starting
Refreshing software list
Fatal error: Download (curl) error for 'https://releases.jolla.com/releases/1.0.8.19/nemo/adaptation-  x86-common/i486/repodata/repomd.xml':
Error code: Connection failed
Error message: Failed to connect to releases.jolla.com port 443: Connection timed out

Why is pkcon not using my exported http(s) proxy settings? I know that there are issues with proxy settings stated on SDK release notes, but is there a way to fix it manually?

EDIT: Added proxy to question.

edit retag flag offensive close delete

Comments

Exporting proxy settings does not work with pkcon because pkcon is just a command line utility to send dbus messages to the packagekitd daemon process, which is the one that is actually talking to the network.

kaltsi ( 2014-08-19 13:25:59 +0200 )edit

SOS-emulator? I guess you mean SFOS or SailfishOS SDK emulator, right?

foss4ever ( 2015-01-25 03:12:27 +0200 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2015-01-23 18:31:53 +0200

Nekron gravatar image

updated 2015-01-23 18:32:59 +0200

Ok, found a solution, however this is more than a hack, but works in my case.

Things to do:

#1. Modify repositories to use HTTP connection instead of HTTPS

Execute the following commands as [root]#:

ssu ar jolla http://dvvwui2qyedk6.cloudfront.net/releases/1.1.1.26/jolla/i486/
ssu ar mer-tools http://dvvwui2qyedk6.cloudfront.net/releases/1.1.1.26/mer-tools/builds/i486/packages/
ssu dr adaptation0
ssu dr adaptation1
ssu dr hotfixes
ssu dr sdk

Now only the jolla and mer-tools repositories are enabled via HTTP. The URI of http://release.jolla.com will be redirected to cloudfront with HTTPS. So this is why changing the repository URL from https to http for http://release.jolla.com/... doesnt work and the cryptic cloudfront url has to be used.

#2. Setup iptables forwarding

Since PackageKit used libzyp as a backend and libzyp uses libcurl to fetch packages, proxy env settings are not honored like curl does. Nor is .curlrc honored. So what I have done next is to create a small IP tables entry to forward all HTTP-connections to my corporate firewall.

#!/bin/bash
# IP address and port number of the webcache
WEBCACHE=<my corporate proxy>:<port>

# Flush any previous rules
iptables -t nat --flush

# Delete and recreate the chain
iptables -t nat -X HTTPFORCE
iptables -t nat -N HTTPFORCE

# Don't touch local traffic (localhost and internal network)
iptables -t nat -A HTTPFORCE -o lo -j RETURN
iptables -t nat -A HTTPFORCE --dst 127.0.0.1/8 -j RETURN
iptables -t nat -A HTTPFORCE --dst 10.0.0.0/8 -j RETURN
# Add any other local networks here.

# Now we have two options. Please uncomment out one of them
# 1) Redirect packets on port 80 to the webcache
#    This may not work unless the webcache is generous with its input
iptables -t nat -A HTTPFORCE -p tcp --dport 80 -j DNAT --to $WEBCACHE

# 2) Redirect packets on port 80 to localhost port 1234
#    On port 1234 you need to run a local web proxy, which forwards
#    requests to the real webcache
#iptables -t nat -A HTTPFORCE -p tcp --dport 443 -j REDIRECT --to-port 3128

# Capture all outgoing TCP syns
iptables -t nat -A OUTPUT -p tcp --syn -j HTTPFORCE

Now you can do pkcon refresh and pkcon install zypper etc. for your pleasure behind a corporate firewall!

edit flag offensive delete publish link more
Login/Signup to Answer

Stats

Asked: 2014-08-01 17:06:33 +0200

Seen: 603 times

Last updated: Jan 23 '15