Internet connectivity in containers behind corporate proxy

Situation

Windows machine (provided by employer)
Ubuntu VM (which I actually use for all my work, except outlook etc.)
Docker installed on VM
Cntlm installed on VM

I put all my configuration in Cntlm so all my programs only need the correct http(s)_proxy.

I can find lots of information concerning a docker host in its own VM (like boot2docker), but none like this setup.

Part of cntlm config

NoProxy localhost, 127.0.0., 10., *.intranet, .company.net, /var/run/docker.sock, 172.17.
Gateway yes
Allow 0.0.0.0

ifconfig (VM) extract

docker0   Link encap:Ethernet  HWaddr 02:42:e8:57:da:ea
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
enp0s3    Link encap:Ethernet  HWaddr 08:00:27:ca:9e:6e
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0

Problem 1. Being able to pull private registry images and public images.

Answer, setup the http_proxy for the docker daemon according to https://docs.docker.com/engine/admin/systemd/#http-proxy. Environment="HTTP_PROXY=http://127.0.0.1:3128/" works. So, this problem is now fixed for me, but for completeness.

Problem 2. Allow traffic from container to internet and intranet

Maybe this can be done by using run arguments from https://docs.docker.com/engine/reference/run/#network-settings. However, I want all my containers on my host to go through cntlm. This is especially important when building images (apt-get etc.), since you cannot pass runtime arguments then (and you do not want to persist an ENV). I cannot get this to work.

In the end, images that I build will only go on the intranet. The CI has no external network connection. And all my open source projects contain only links to the web. But I would like to be able to work with both on my corporate network.

  • How do I route the container traffic through cntlm on the VM?
  • For background: do my containers notice any effect from the Environment setting under problem 1?

Thanks for any help / insights.
Quinten


If you want to run containers that don’t know about the proxy, then your best bet will probably be to look into some sort of transparent proxifier solution.

I’ve never used it for docker containers, but it might be possible to make this work: https://github.com/darkk/redsocks

The environment variables you set in systemd are set for the docker daemon only. Part of the isolation that containers get includes not passing through environment variables. You’d have to set the environment during build to be able to build with an http proxy (or set up a transparent solution that happens outside of the container altogether)
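
As an added example (not code from the thread), the script below produces the two separate proxy settings the answer above distinguishes: the systemd drop-in for the daemon on the VM, and the `~/.docker/config.json` "proxies" stanza that the Docker client injects into builds and containers as build args and environment variables. It assumes the cntlm port 3128 and the docker0 address 172.17.0.1 from the question, and checks the common mistake of handing containers a loopback proxy address.

```python
# Added example, not part of the original thread. Assumes cntlm listens on
# port 3128 and that 172.17.0.1 (docker0 in the question's ifconfig extract)
# is the VM address containers can reach. cntlm holds the corporate
# credentials, so keep its Allow list to the bridge subnet rather than
# every address once Gateway is enabled.
import ipaddress
import json
from urllib.parse import urlsplit

CNTLM_PORT = 3128
DOCKER0_ADDR = "172.17.0.1"  # VM side of the docker bridge
NO_PROXY = ["localhost", "127.0.0.1", "*.intranet", ".company.net"]


def proxy_url(host: str, port: int = CNTLM_PORT) -> str:
    return f"http://{host}:{port}/"


def usable_inside_container(url: str) -> bool:
    """A container has its own loopback, so 127.0.0.1:3128 inside it is not
    the VM's cntlm. Only a non-loopback address (e.g. the docker0 IP) works."""
    host = urlsplit(url).hostname or ""
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname rather than an IP literal
        return host != "localhost"


def daemon_dropin(proxy: str, no_proxy=NO_PROXY) -> str:
    """systemd drop-in for dockerd: image pulls and pushes go through cntlm
    on the VM itself, so the loopback address is correct here."""
    return (
        "[Service]\n"
        f'Environment="HTTP_PROXY={proxy}"\n'
        f'Environment="HTTPS_PROXY={proxy}"\n'
        f'Environment="NO_PROXY={",".join(no_proxy)}"\n'
    )


def client_config(proxy: str, no_proxy=NO_PROXY) -> dict:
    """~/.docker/config.json stanza. The client passes it as build args and
    container environment; the daemon's own environment never propagates."""
    if not usable_inside_container(proxy):
        raise ValueError(f"{proxy} would point at the container's own loopback")
    return {"proxies": {"default": {
        "httpProxy": proxy, "httpsProxy": proxy, "noProxy": ",".join(no_proxy)}}}


if __name__ == "__main__":
    print(daemon_dropin(proxy_url("127.0.0.1")))
    print(json.dumps(client_config(proxy_url(DOCKER0_ADDR)), indent=2))
```

Only programs that honour the proxy environment variables are covered by this; anything that ignores them still needs the transparent approach mentioned above.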

Thanks,

It appears strange that my setup is so out of the ordinary. I would expect many people to run into these problems.

Redsocks looks nice. As a solution not as simple as I expect it to be, but it has the advantage of simplifying the proxy setup for all other applications in my VM (especially those that do not respect the proxy environment variables).

Is this something that we could document?

Configure your proxy environment to exempt your docker server from proxy authentication and exempt SSL interception for *.docker.io