Azure / azure-cli

Azure Command-Line Interface
MIT License

Problem downloading extensions behind firewall #27578

Open mattboston opened 11 months ago

mattboston commented 11 months ago

Describe the bug

We use Linux servers on-premise and have mirrored the RPM repo so that we can install the az cli onto Rocky Linux servers. This works great. But we are having an issue with sometimes logging in and/or downloading extensions. Trying to add all the domains listed in the az cli endpoint list (https://learn.microsoft.com/en-us/cli/azure/azure-cli-endpoints?tabs=azure-cloud) to our firewall is not an easy process, nor is it guaranteed to work since we have some special filtering in the Palo Alto firewalls. Also, we normally do not allow servers to connect to the internet.

Is there a way to mirror the extensions locally like we do with the RPMs? Or is there a way to use a single domain for all az cli commands? Like a proxy on MS side.

Related command

az extension add --name azure-devops

Errors

Please ensure you have network connection. Error detail: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))

Issue script & Debug output

# az extension add --name azure-devops --debug
cli.knack.cli: Command arguments: ['extension', 'add', '--name', 'azure-devops', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f41d5870160>, <function OutputProducer.on_global_arguments at 0x7f41d5585d30>, <function CLIQuery.on_global_arguments at 0x7f41d53181f0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'extension': ['azure.cli.command_modules.extension']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: extension                 0.002         1         7
cli.azure.cli.core: Total (1)                 0.002         1         7
cli.azure.cli.core: Loaded 1 groups, 7 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : extension add
cli.azure.cli.core: Command table: extension add
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f41d1c5db80>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/root/.azure/commands/2023-10-11.10-52-39.extension_add.1076373.log'.
az_command_data_logger: command args: extension add --name {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f41d1c06790>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f41d1c2a8b0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f41d1bce670>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f41d5585dc0>, <function CLIQuery.handle_query_parameter at 0x7f41d5318280>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7f41d1bce5e0>]
urllib3.connectionpool: Starting new HTTPS connection (1): aka.ms:443
urllib3.connectionpool: https://aka.ms:443 "GET /azure-cli-extension-index-v1 HTTP/1.1" 301 0
urllib3.connectionpool: Starting new HTTPS connection (1): azcliextensionsync.blob.core.windows.net:443
urllib3.connectionpool: https://azcliextensionsync.blob.core.windows.net:443 "GET /index1/index.json HTTP/1.1" 200 3282073
cli.azure.cli.core.extension._resolve: Candidates ['azure_devops-0.12.0-py2.py3-none-any.whl', 'azure_devops-0.17.0-py2.py3-none-any.whl', 'azure_devops-0.21.0-py2.py3-none-any.whl', 'azure_devops-0.26.0-py2.py3-none-any.whl']
cli.azure.cli.core.extension._resolve: Candidates ['azure_devops-0.12.0-py2.py3-none-any.whl', 'azure_devops-0.17.0-py2.py3-none-any.whl', 'azure_devops-0.21.0-py2.py3-none-any.whl', 'azure_devops-0.26.0-py2.py3-none-any.whl']
cli.azure.cli.core.extension._resolve: Candidates ['azure_devops-0.12.0-py2.py3-none-any.whl', 'azure_devops-0.17.0-py2.py3-none-any.whl', 'azure_devops-0.21.0-py2.py3-none-any.whl', 'azure_devops-0.26.0-py2.py3-none-any.whl']
cli.azure.cli.core.extension._resolve: Candidates ['azure_devops-0.12.0-py2.py3-none-any.whl', 'azure_devops-0.17.0-py2.py3-none-any.whl', 'azure_devops-0.21.0-py2.py3-none-any.whl', 'azure_devops-0.26.0-py2.py3-none-any.whl']
cli.azure.cli.core.extension._resolve: Chosen {'downloadUrl': 'https://github.com/Azure/azure-devops-cli-extension/releases/download/20230127.2/azure_devops-0.26.0-py2.py3-none-any.whl', 'filename': 'azure_devops-0.26.0-py2.py3-none-any.whl', 'metadata': {'azext.minCliCoreVersion': '2.30.0', 'classifiers': ['Development Status :: 4 - Beta', 'Intended Audience :: Developers', 'Intended Audience :: System Administrators', 'Programming Language :: Python', 'Programming Language :: Python :: 3', 'Programming Language :: Python :: 3.4', 'Programming Language :: Python :: 3.5', 'Programming Language :: Python :: 3.6', 'License :: OSI Approved :: MIT License'], 'extensions': {'python.details': {'contacts': [{'email': 'VSTS_Social@microsoft.com', 'name': 'Microsoft', 'role': 'author'}], 'document_names': {'description': 'DESCRIPTION.rst'}, 'project_urls': {'Home': 'https://github.com/Microsoft/azure-devops-cli-extension'}}}, 'extras': [], 'generator': 'bdist_wheel (0.30.0)', 'license': 'MIT', 'metadata_version': '2.0', 'name': 'azure-devops', 'run_requires': [{'requires': ['distro (==1.3.0)']}], 'summary': 'Tools for managing Azure DevOps.', 'version': '0.26.0'}, 'sha256Digest': '565fc207f1740c26957f382fe2eefabec254011fb2d1b50c0e540f894f47dcbe'}
cli.azure.cli.core.extension.operations: Extension source is url? True
cli.azure.cli.core.extension.operations: Downloading https://github.com/Azure/azure-devops-cli-extension/releases/download/20230127.2/azure_devops-0.26.0-py2.py3-none-any.whl to /tmp/tmp_bah_tmd/azure_devops-0.26.0-py2.py3-none-any.whl
urllib3.connectionpool: Starting new HTTPS connection (1): github.com:443
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/lib64/az/lib/python3.9/site-packages/urllib3/connectionpool.py", line 714, in urlopen
    httplib_response = self._make_request(
  File "/lib64/az/lib/python3.9/site-packages/urllib3/connectionpool.py", line 403, in _make_request
    self._validate_conn(conn)
  File "/lib64/az/lib/python3.9/site-packages/urllib3/connectionpool.py", line 1053, in _validate_conn
    conn.connect()
  File "/lib64/az/lib/python3.9/site-packages/urllib3/connection.py", line 419, in connect
    self.sock = ssl_wrap_socket(
  File "/lib64/az/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/lib64/az/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib64/python3.9/ssl.py", line 501, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib64/python3.9/ssl.py", line 1041, in _create
    self.do_handshake()
  File "/usr/lib64/python3.9/ssl.py", line 1310, in do_handshake
    self._sslobj.do_handshake()
ConnectionResetError: [Errno 104] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/lib64/az/lib/python3.9/site-packages/requests/adapters.py", line 486, in send
    resp = conn.urlopen(
  File "/lib64/az/lib/python3.9/site-packages/urllib3/connectionpool.py", line 798, in urlopen
    retries = retries.increment(
  File "/lib64/az/lib/python3.9/site-packages/urllib3/util/retry.py", line 550, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/lib64/az/lib/python3.9/site-packages/urllib3/packages/six.py", line 769, in reraise
    raise value.with_traceback(tb)
  File "/lib64/az/lib/python3.9/site-packages/urllib3/connectionpool.py", line 714, in urlopen
    httplib_response = self._make_request(
  File "/lib64/az/lib/python3.9/site-packages/urllib3/connectionpool.py", line 403, in _make_request
    self._validate_conn(conn)
  File "/lib64/az/lib/python3.9/site-packages/urllib3/connectionpool.py", line 1053, in _validate_conn
    conn.connect()
  File "/lib64/az/lib/python3.9/site-packages/urllib3/connection.py", line 419, in connect
    self.sock = ssl_wrap_socket(
  File "/lib64/az/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/lib64/az/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib64/python3.9/ssl.py", line 501, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib64/python3.9/ssl.py", line 1041, in _create
    self.do_handshake()
  File "/usr/lib64/python3.9/ssl.py", line 1310, in do_handshake
    self._sslobj.do_handshake()
urllib3.exceptions.ProtocolError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/lib64/az/lib/python3.9/site-packages/azure/cli/core/extension/operations.py", line 125, in _add_whl_ext
    _whl_download_from_url(url_parse_result, ext_file)
  File "/lib64/az/lib/python3.9/site-packages/azure/cli/core/extension/operations.py", line 69, in _whl_download_from_url
    r = requests.get(url, stream=True, verify=(not should_disable_connection_verify()))
  File "/lib64/az/lib/python3.9/site-packages/requests/api.py", line 73, in get
    return request("get", url, params=params, **kwargs)
  File "/lib64/az/lib/python3.9/site-packages/requests/api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
  File "/lib64/az/lib/python3.9/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
  File "/lib64/az/lib/python3.9/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
  File "/lib64/az/lib/python3.9/site-packages/requests/adapters.py", line 501, in send
    raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/lib64/az/lib/python3.9/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
  File "/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
    raise ex
  File "/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
    result = cmd_copy(params)
  File "/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
    return self.handler(*args, **kwargs)
  File "/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
  File "/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/extension/custom.py", line 16, in add_extension_cmd
    return add_extension(cli_ctx=cmd.cli_ctx, source=source, extension_name=extension_name, index_url=index_url,
  File "/lib64/az/lib/python3.9/site-packages/azure/cli/core/extension/operations.py", line 344, in add_extension
    extension_name = _add_whl_ext(cli_ctx=cmd_cli_ctx, source=source, ext_sha256=ext_sha256,
  File "/lib64/az/lib/python3.9/site-packages/azure/cli/core/extension/operations.py", line 127, in _add_whl_ext
    raise CLIError('Please ensure you have network connection. Error detail: {}'.format(str(err)))
knack.util.CLIError: Please ensure you have network connection. Error detail: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))

cli.azure.cli.core.azclierror: Please ensure you have network connection. Error detail: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))
az_command_data_logger: Please ensure you have network connection. Error detail: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f41d1c5ddc0>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 1.790 seconds (init: 0.169, invoke: 1.621)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3689 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/bin/python3.9 /usr/lib64/az/lib/python3.9/site-packages/azure/cli/telemetry/__init__.py /root/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

I expect a way to be able to download the extensions even with tight enterprise security policies.

Environment Summary

azure-cli 2.53.0
core 2.53.0
telemetry 1.1.0

Dependencies:
msal 1.24.0b2
azure-mgmt-resource 23.1.0b2

Python location '/bin/python3.9'
Extensions directory '/root/.azure/cliextensions'

Python (Linux) 3.9.16 (main, Jul 3 2023, 20:07:32) [GCC 8.5.0 20210514 (Red Hat 8.5.0-18)]

Additional context

No response
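The debug log in the report shows the index entry carrying `downloadUrl`, `filename` and `sha256Digest`, with the wheel fetched from a different host (github.com) than the index. The following is an added example, not part of the original issue and not azure-cli code: it lists the download hosts an extension needs and rewrites index entries to point at an internal mirror only after the staged wheel matches the published digest. The top-level `extensions` layout, the mirror URL and the sample wheel bytes and digest are assumptions constructed for illustration.

```python
import copy
import hashlib
from urllib.parse import urlsplit

MIRROR_BASE = "https://mirror.example.internal/az-extensions"  # hypothetical internal mirror

def download_hosts(index, names):
    """Hosts that would be contacted to fetch wheels for the named extensions."""
    return sorted({urlsplit(e["downloadUrl"]).hostname
                   for n in names for e in index["extensions"].get(n, [])})

def mirror_entry(entry, wheel_bytes, mirror_base=MIRROR_BASE):
    """Copy an index entry so it points at the mirror, but only if the staged
    wheel matches the sha256Digest published in the upstream index."""
    actual = hashlib.sha256(wheel_bytes).hexdigest()
    if actual != entry["sha256Digest"].lower():
        raise ValueError(f"{entry['filename']}: digest mismatch ({actual})")
    out = copy.deepcopy(entry)
    out["downloadUrl"] = f"{mirror_base.rstrip('/')}/{entry['filename']}"
    return out

def build_mirror_index(index, staged, mirror_base=MIRROR_BASE):
    """Rewrite every entry whose wheel is staged; drop entries not mirrored."""
    result = {"extensions": {}}
    for name, entries in index["extensions"].items():
        kept = [mirror_entry(e, staged[e["filename"]], mirror_base)
                for e in entries if e["filename"] in staged]
        if kept:
            result["extensions"][name] = kept
    return result

# Constructed sample: field names follow the "Chosen" entry in the debug log;
# the wheel bytes and the digest derived from them are NOT the real package.
SAMPLE_WHEEL = b"constructed wheel bytes, not a real package"
SAMPLE_NAME = "azure_devops-0.26.0-py2.py3-none-any.whl"
SAMPLE_INDEX = {"extensions": {"azure-devops": [{
    "downloadUrl": "https://github.com/Azure/azure-devops-cli-extension/releases/"
                   "download/20230127.2/" + SAMPLE_NAME,
    "filename": SAMPLE_NAME,
    "metadata": {"name": "azure-devops", "version": "0.26.0"},
    "sha256Digest": hashlib.sha256(SAMPLE_WHEEL).hexdigest(),
}]}}

if __name__ == "__main__":
    print(download_hosts(SAMPLE_INDEX, ["azure-devops"]))
    mirrored = build_mirror_index(SAMPLE_INDEX, {SAMPLE_NAME: SAMPLE_WHEEL})
    print(mirrored["extensions"]["azure-devops"][0]["downloadUrl"])
```

A wheel that passes this check can also be installed without any index lookup via `az extension add --source <path-to-whl>`.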

yonzhan commented 11 months ago

Thank you for opening this issue, we will look into it.

microsoft-github-policy-service[bot] commented 11 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @v-anvashist, @V-hmusukula.