azcmagent: Extension Service (extd) does not honour proxy settings, causing extension installation failures (e.g. AADSSHLogin)
Describe the issue
When a proxy is configured in azcmagent using:
azcmagent config set proxy.url http://example.com:8080
The configuration is not honoured by the Extension Service (extd).
As a result, extensions that require internet access fail during installation if the host is behind strict egress controls.
For example, the AADSSHLoginForLinux extension relies on curl to download packages from packages.microsoft.com.
Without proxy support in extd, this call fails.
When did the issue occur?
The issue occurs after:
- Installing azcmagent (with a proxy configured via azcmagent config set proxy.url …).
- Attempting to deploy the AADSSHLoginForLinux extension from Azure.
Environment
Ubuntu 24.04, Arc onboarded server
apt-cache policy azcmagent
azcmagent:
Installed: 1.56.03167.593
Steps to Reproduce
- On a host with strict egress controls (internet only accessible via proxy), install azcmagent.
- Configure the proxy:
  azcmagent config set proxy.url http://example.com:8080
- Attempt to deploy the AADSSHLoginForLinux extension: https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-linux
- Observe the failure.
Actual Result
Extension deployment fails with errors similar to:
curl: (28) Failed to connect to packages.microsoft.com port 443: Connection timed out
Cannot access https://packages.microsoft.com/. Make sure this URL is not blocked by a firewall
Expected Result
Extensions installed via extd should respect the proxy configuration set in azcmagent.
Additional Context / Workaround
Manually setting proxy environment variables for the extd service allows extension installation to succeed (tested on Ubuntu 24.04):
sudo systemctl edit extd.service
[Service]
Environment="HTTPS_PROXY=http://example.com:3128"
Environment="HTTP_PROXY=http://example.com:3128"
Environment="NO_PROXY=localhost,127.0.0.1,::1,169.254.169.254"
sudo systemctl daemon-reload
sudo systemctl restart extd
This workaround suggests that the underlying issue is that extd does not consume the proxy configuration managed by azcmagent.
Proposed Fix
- Ensure that the extd service automatically inherits proxy settings configured via azcmagent config set proxy.url.
- Alternatively, provide a documented and supported way to configure proxy settings for extd that remains consistent with azcmagent (to avoid administrators having to configure multiple, divergent proxy settings).
This relates to https://github.com/microsoft/linux-package-repositories/issues/247, but I don't think it belongs here because the actual extensions or packages are not part of this GitHub space. I have an open support case about the same issue; I suggest you do the same. Aadsshloginforlinux does not have a (public?) GitHub.
And maybe for completeness: my current workaround is to just install the aadsshlogin package(s). In the case of aadsshloginforlinux the extension does not actually do anything except install the packages, so you can just install aadsshlogin (speaking for RHEL here, have not verified on Ubuntu). On RHEL there is another problem: aadsshlogin-selinux is not properly required by aadsshlogin, so you have to install it in a separate command before you install aadsshlogin, but Ubuntu does not use SELinux by default.
@nopslider we (the PMC team) maintain packages.microsoft.com but we don't build or publish packages. We've forwarded this issue internally to the package owners but, as @Klaas- mentions, your best bet is to contact customer support.
According to the agent design, the HTTP proxy settings from the agent config are not sent to the extensions, but proxy settings from the .service file are. The current suggestion is to add proxy settings to the service file to ensure that they are honored not only by the agent but also by all extensions that may need it. Since this behavior is highly confusing, we are in talks with the agent team to either remove proxy settings from the config file or to start passing them to the extensions.
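An added example, not part of the original thread and not azcmagent code: a POSIX shell helper that renders the extd drop-in from the workaround out of a single proxy URL, so the service file can be generated from the same value given to azcmagent config set proxy.url. The function names are constructed, and it assumes the proxy is written as http(s)://host:port without credentials.

```shell
#!/bin/sh
# Added example (not azcmagent code): render the extd drop-in from one proxy
# URL so the service file and `azcmagent config set proxy.url` use one value.
# All function names here are constructed for illustration.

DEFAULT_NO_PROXY='localhost,127.0.0.1,::1,169.254.169.254'  # list from the issue

# Accept only http(s)://host:port. Quotes, whitespace, newlines, '%' (which
# systemd expands as a specifier) and user:pass@ are refused, so a pasted value
# cannot add extra directives to a root-owned unit file, and no credentials
# end up in a drop-in that is normally world-readable.
validate_proxy_url() {
  case $1 in
    ''|*[!A-Za-z0-9.:/-]*) return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^https?://[A-Za-z0-9.-]+:[0-9]{1,5}/?$' || return 1
  port=${1##*:}; port=${port%/}
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# NO_PROXY entries: hostnames, IPs and wildcards separated by commas.
validate_no_proxy() {
  case $1 in
    ''|*[!A-Za-z0-9.:,*_-]*) return 1 ;;
  esac
}

# render_extd_dropin URL [NO_PROXY] -> prints the [Service] drop-in on stdout.
render_extd_dropin() {
  no_proxy=${2:-$DEFAULT_NO_PROXY}
  validate_proxy_url "$1" || { echo "refusing proxy URL" >&2; return 1; }
  validate_no_proxy "$no_proxy" || { echo "refusing NO_PROXY list" >&2; return 1; }
  printf '[Service]\n'
  printf 'Environment="HTTPS_PROXY=%s"\n' "$1"
  printf 'Environment="HTTP_PROXY=%s"\n' "$1"
  printf 'Environment="NO_PROXY=%s"\n' "$no_proxy"
}

# Demo with the URL from the workaround in the issue; prints to stdout only.
render_extd_dropin 'http://example.com:3128'
```

To apply it, write the output as root to a drop-in file under /etc/systemd/system/extd.service.d/ and run the daemon-reload and restart commands from the workaround. Afterwards, systemctl show extd -p Environment shows what the service actually received.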