神刀安全网

Running Docker behind a proxy

When it comes to Docker and proxies, you will mostly not need them for running things locally or to just test something. However, we at Cron spend a lot of time managing production environments at corporations where everything is behind a proxy. Here in this post, I will share some basics and few tips on how to set up Docker daemons, build images and finally run Docker containers behind a proxy that doesn’t use authentication.

Pulling images

To be able to pull public images you need to set proxy settings to Docker configuration file. Also, keep in mind that if you are using a private registry you need to add the no_proxy variable. Otherwise, pull/push to private Docker registry will not be possible. Setting up those settings depends on the OS and Docker version you are using. Here are some examples of running Docker version 1.9.0 and above:

For RedHat/CentOS version 6:

cat <<EOF | sudotee -a /etc/sysconfig/docker exporthttp_proxy="http://myproxy.example.com:8080" exporthttps_proxy="https://myproxy.example.com:8080" exportno_proxy=<REGISTRY_IP> EOF   sudoservicedockerrestart 

For RedHat/CentOS version 7, remove export:

cat <<EOF | sudotee -a /etc/sysconfig/docker http_proxy="http://myproxy.example.com:8080" https_proxy="https://myproxy.example.com:8080" no_proxy=<REGISTRY_IP> EOF   sudoservicedockerrestart 

For Ubuntu 14.04:

cat <<EOF | sudotee -a /etc/default/docker exporthttp_proxy="http://myproxy.example.com:8080" exporthttps_proxy="https://myproxy.example.com:8080" exportno_proxy=<REGISTRY_IP> EOF   sudorestartdocker 

For most operating systems above example will do the job.

Building images

Building Docker images behind a corporate proxy was a challenge since there wasn’t a way to set build-time variables while building the images. Sure, you could hardcode your proxy settings to Dockerfile, but what if you are using different proxies for different environments, or you don’t need a proxy if building images locally?

Docker, with version 1.9.0 introduced --build-arg option for build-time variables which solves this problem. Building Ubuntu based image is quite simple now:

sudodockerbuild -t Cron/ubuntu /             --build-arghttp_proxy="http://myproxy.example.com:8080" /             --build-arghttps_proxy="https://myproxy.example.com:8080" /             . 

Even if you have an HTTP proxy only, for Ubuntu to be able to update and install packages via apt-get , you need to set https_proxy variable also. It could point to the same HTTP proxy server, though.

For RedHat based images you may need to set proxy settings in /etc/yum.conf as additional step. You could put something like this in your Dockerfile:

RUN /   echo -e "proxy=$http_proxy/nproxy=$https_proxy" >> /etc/yum.conf 

Running containers

Eventually, you will need to run Docker containers behind a proxy. Now, it depends on whether your containers are using some external service outside of your network or not. If not, you don’t need to set proxies at all.

Each Docker container will run just one process, in most cases. How to pick up http_proxy and https_proxy variables to that process depends on what process you need to run. In this case test.sh script will start just one Java process. This Java process also connects to Postgres deployed locally for which we need to skip the proxy server. This is just a part of test.sh run script:

if [[ ! -z "$http_proxy" ]] || [[ ! -z "$https_proxy" ]]; then   exportJAVA_OPTS="-Djava.net.useSystemProxies=true $JAVA_OPTS -Dhttp.noProxyHosts=${POSTGRES_IP}" fi 

Then we need to set environment variables with docker run command:

sudodockerrun -e "http_proxy=http://myproxy.example.com:8080" /                 -e "https_proxy=https://myproxy.example.com:8080" /                 -e "POSTGRES_IP=192.168.100.101" /                 -d Cron/ubuntutest.sh 

As noted at the beginning, those are just a few examples and basic settings to get started with Docker and proxies. Questions and comments are always welcome.

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » Running Docker behind a proxy

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址
分享按钮