Base image can not be pulled when building, but can be pulled via docker pull on shell behind proxy

OS: Red Hat Enterprise Linux 8
Docker CE version: 24.0.6
Docker buildx: v0.11.2

I want to build an existing in-house docker image. I am behind a proxy.

I can pull the python base image via sudo docker pull python:3.11-bullseye, no problem.

But if I have a Dockerfile which has only FROM python:3.11-bullseye I get:

[+] Building 0.1s (3/3) FINISHED                                                                                                                                                                    docker:default
 => [internal] load .dockerignore                                                                                                                                                                             0.0s
 => => transferring context: 3.14kB                                                                                                                                                                           0.0s
 => [internal] load build definition from Dockerfile                                                                                                                                                          0.0s
 => => transferring dockerfile: 3.73kB                                                                                                                                                                        0.0s
 => ERROR [internal] load metadata for docker.io/library/python:3.11-bullseye                                                                                                                                 0.0s
------
 > [internal] load metadata for docker.io/library/python:3.11-bullseye:
------
Dockerfile:7
--------------------
   5 |
   6 |     # Pull base image
   7 | >>> FROM python:3.11-bullseye
   8 |
   9 |     # Get arguments from .yml file
--------------------
ERROR: failed to solve: python:3.11-bullseye: failed to authorize: failed to fetch anonymous token: Get "https://auth.docker.io/token?scope=repository%3Alibrary%2Fpython%3Apull&service=registry.docker.io": dial tcp 3.219.239.5:443: connect: connection refused

My proxy settings:

/etc/systemd/system/docker.service.d/http-proxy.conf:

[Service]
Environment="HTTP_PROXY=http://usr:pwd@proxy.org.ch:8080"
Environment="HTTPS_PROXY=http://usr:pwd@proxy.org.ch:8080"
Environment="NO_PROXY=localhost,127.0.0.1"

/etc/docker/daemon.json

{
    "http-proxy": "http://usr:pwd@proxy.org.ch:8080",
    "https-proxy": "http://usr:pwd@proxy.org.ch:8080"
}

What is different between pulling from shell and pulling when building and what is likely causing this?

First of all, is it really Docker Desktop as the category indicates?

No, it is docker running on a RHEL8 server without GUI. But did not find an appropriate category.
EDIT: Changed the category, does this make more sense?

Thank you for changing the category. This is indeed the correct one.

Have you found this documentation?

https://docs.docker.com/network/proxy/#build-with-a-proxy-configuration

It links to this part:

https://docs.docker.com/network/proxy/#configure-the-docker-client

You can add proxy configurations for the Docker client using a JSON configuration file, located in ~/.docker/config.json. Builds and containers use the configuration specified in this file.

{
 "proxies": {
   "default": {
     "httpProxy": "http://proxy.example.com:3128",
     "httpsProxy": "https://proxy.example.com:3129",
     "noProxy": "*.test.example.com,.example.org,127.0.0.0/8"
   }
 }
}

Thanks!

I tried to set config.json already. Does not work :( How can I check if the proxy is actually loaded at build time?

Also, how can I check at which point the request fails?

Since the pull didn’t work, that seems to be evidence of not using the proxy. You could run a proxy locally and check its logs. If you see a request in the local proxy logs, at least you know the config is correct.

Years ago I didn’t like buildkit which is the default builder now. I don’t have problems with buildkit recently, but in case of build errors I still recommend trying to disable buildkit temporarily.

export DOCKER_BUILDKIT=0

docker build ...

The local proxy is one way, but you could try using tcpdump or tshark. I have an article in which I used it but only a little. Still, this is the best I can share as an example from me: https://dev.to/rimelek/docker-network-and-network-namespaces-in-practice-5h9#debugging-the-minotaur

In your case you don’t need to run tshark in a container’s network namespace, but on the host. If you don’t know tshark, it will probably take time to find the right command to debug your issue. It would to me too.

According to tcpdump the build indeed seems to “ignore” my proxy settings…

My “/root/.docker/config.json” is:

{
    "proxies": {
        "default": {
            "httpProxy": "http://proxy.org.com:8080",
            "httpsProxy": "http://proxy.org.com:8080"
        }
    }
}

Did you restart Docker daemon or the system after change?

Yes, I did.

  1. sudo systemctl daemon-reload
  2. sudo systemctl restart docker

And do you run the docker command as root?

Sorry, but it was a long time ago when I used Docker behind proxy and later the environment was completely air-gapped. I don’t use RHEL either, so it is limited what I can answer regarding proxy settings for Docker. Not to mention how Docker changed since then.

I set config.json for root and my user. To be sure that I do not miss a required setting. Also set it individually for root/user. All did not help.
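
A way to compare the three proxy layers quoted in this thread side by side, as an added example that is not code from any poster or from Docker. The file contents are constructed samples modelled on the snippets above, and the function names are hypothetical. It finds the proxy keys at any depth in the JSON and does not check that Docker honours them at that location; it shows what each file says, not which layer a build actually uses.

```python
import json
import re
from urllib.parse import urlsplit

JSON_KEYS = {"http-proxy": "HTTP_PROXY", "httpProxy": "HTTP_PROXY",
             "https-proxy": "HTTPS_PROXY", "httpsProxy": "HTTPS_PROXY"}

def redact(url):
    """Reduce a proxy URL to scheme://host:port so credentials stay out of the report."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}" + (f":{parts.port}" if parts.port else "")

def from_systemd(text):
    """Collect HTTP(S)_PROXY from Environment= lines of a systemd drop-in."""
    pattern = r'^\s*Environment="?(HTTPS?_PROXY)=([^"\s]+)'
    return {m.group(1).upper(): redact(m.group(2)) for m in re.finditer(pattern, text, re.M | re.I)}

def from_json(text):
    """Collect proxy keys at any depth; unparseable input yields an 'error' entry."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return {"error": f"invalid JSON at line {exc.lineno}: {exc.msg}"}
    found, stack = {}, [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            for key, value in node.items():
                if key in JSON_KEYS and isinstance(value, str):
                    found[JSON_KEYS[key]] = redact(value)
                else:
                    stack.append(value)
    return found

def mismatches(layers):
    """Return {variable: {layer: value}} for variables on which the layers disagree."""
    per_var = {var: {name: cfg.get(var) for name, cfg in layers.items()}
               for var in ("HTTP_PROXY", "HTTPS_PROXY")}
    return {var: vals for var, vals in per_var.items() if len(set(vals.values())) > 1}

# Constructed samples modelled on the three files quoted in the thread.
SYSTEMD = '[Service]\nEnvironment="HTTP_PROXY=http://usr:pwd@proxy.org.ch:8080"\nEnvironment="HTTPS_PROXY=http://usr:pwd@proxy.org.ch:8080"\n'
DAEMON = '{"http-proxy": "http://usr:pwd@proxy.org.ch:8080", "https-proxy": "http://usr:pwd@proxy.org.ch:8080"}'
CLIENT = '{"proxies": {"default": {"httpProxy": "http://proxy.org.com:8080", "httpsProxy": "http://proxy.org.com:8080"}}}'
def report():
    return mismatches({"systemd": from_systemd(SYSTEMD), "daemon.json": from_json(DAEMON),
                       "client": from_json(CLIENT)})

if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

To run it against a real host, read the three files into the strings instead of using the samples; a layer whose JSON fails to parse shows up as a disagreement because it contributes no proxy value.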