Docker Community Forums

Installing DTR behind proxy


(Mando04) #1

Hi,

I’m trying to install DTR in my AWS account. I have to go through the proxy to connect to the ELB I set up for UCP and DTR from the EC2 instances. The UCP install goes fine without issues, but when trying to install DTR I get the following error:
FATA[0030] Failed to get UCP CA: Get https://ucp-1867692573.us-west-2.elb.amazonaws.com/ca: dial tcp 54.68.18.195:443: i/o timeout

If I curl the ELB, I get a valid response through the proxy:

[root@ip-10-123-237-198 ~]# curl -k https://$UCP_HOST/ca > ucp-ca.pem
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1842 100 1842 0 0 5204 0 --:--:-- --:--:-- --:--:-- 5218
[root@ip-10-123-237-198 ~]# echo $UCP_HOST
ucp-1867692573.us-west-2.elb.amazonaws.com

Does the DTR install not honor the --https-proxy flag?

Here is the command I am using to install DTR:
[root@ip-10-123-237-198 ~]# docker run -it --rm docker/dtr install --ucp-url https://ucp-1867692573.us-west-2.elb.amazonaws.com --ucp-node 10.123.237.198 --dtr-external-url https://dtr-1219712803.us-west-2.elb.amazonaws.com --ucp-username admin --ucp-password 'admin' --ucp-ca "$(cat ucp-ca.pem)" --https-proxy internal-intuit-pl-ProxyInt-2204WZFO2XJJ-882357253.us-west-2.elb.amazonaws.com:80 --no-proxy=169.254.169.254 --debug


(Patrick Devine) #2

Assuming that you have HTTP_PROXY and HTTPS_PROXY environment variables set on ip-10-123-237-198, could you run the command again but after docker run -it could you add -e HTTP_PROXY -e HTTPS_PROXY and then the rest of the command?

I think what is happening is that the phase1 container isn’t getting the proxy set; however, the rest of the install should set it correctly. By adding the two environment variables to your install, the phase1 container will use that when trying to check the CA cert.
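
The suggestion above as a script (an added example, not part of the original posts and not Docker's own tooling): it forwards HTTP_PROXY and HTTPS_PROXY into the install container and first checks that both are actually exported. The variable names UCP_URL, UCP_NODE, DTR_URL, UCP_PASSWORD, UCP_CA_FILE and RUN_INSTALL are assumptions, as is reusing HTTPS_PROXY as the value of --https-proxy.

```shell
#!/bin/sh
# `docker run -e NAME` (no "=value") copies NAME from the docker client's
# environment. A variable that is set but not exported is skipped without
# any error, so check before starting the install.
require_exported() {
    _missing=0
    for _name in "$@"; do
        # printenv only sees exported variables
        if [ -z "$(printenv "$_name")" ]; then
            echo "error: $_name is empty or not exported" >&2
            _missing=1
        fi
    done
    return "$_missing"
}

# Assumed variable names (not from the thread): UCP_URL, UCP_NODE, DTR_URL,
# UCP_PASSWORD, UCP_CA_FILE. The flags are the ones in the original command;
# passing HTTPS_PROXY to --https-proxy is an assumption.
run_dtr_install() {
    require_exported HTTP_PROXY HTTPS_PROXY || return 1
    [ -r "$UCP_CA_FILE" ] || { echo "error: cannot read $UCP_CA_FILE" >&2; return 1; }
    docker run -it --rm \
        -e HTTP_PROXY -e HTTPS_PROXY \
        docker/dtr install \
        --ucp-url "$UCP_URL" \
        --ucp-node "$UCP_NODE" \
        --dtr-external-url "$DTR_URL" \
        --ucp-username admin \
        --ucp-password "$UCP_PASSWORD" \
        --ucp-ca "$(cat "$UCP_CA_FILE")" \
        --https-proxy "$HTTPS_PROXY" \
        --no-proxy=169.254.169.254 \
        --debug
}

# Only start the install when asked: RUN_INSTALL=1 sh dtr-install.sh
if [ "${RUN_INSTALL:-0}" = 1 ]; then
    run_dtr_install
fi
```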


(Mando04) #3

That seemed to fix the issue with validating the cert, but now we have another issue when it tries to attach to the container on phase2. It tried to connect to the external ELB IP, which is only able to listen on either HTTPS or TCP. Has anyone else found a workaround?


(Patrick Devine) #4

Could you describe the network topology you’re using? DTR is somewhat restrictive in the types of topologies that it will work with. It uses UCP for providing authentication, and it requires you to use the externally addressable URLs for both the --ucp-url and --dtr-external-url settings.