Internet connectivity in containers behind corporate proxy

qkrijger · April 18, 2016, 3:51pm

Situation

Windows machine (provided by employer)
Ubuntu VM (which I actually use for all my work, except outlook etc.)
Docker installed on VM
Cntlm installed on VM

I put all my configuration in Cntlm so all my programs only need the correct http(s)_proxy.

I can find lots of information concerning a docker host in its own VM (like boot2docker), but none like this setup.

Part of cntlm config

NoProxy localhost, 127.0.0., 10., *.intranet, .company.net, /var/run/docker.sock, 172.17.
Gateway yes
Allow 0.0.0.0

ifconfig (VM) extract

docker0 Link encap:Ethernet HWaddr 02:42:e8:57:da:ea
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
enp0s3 Link encap:Ethernet HWaddr 08:00:27:ca:9e:6e
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0

Problem 1. Being able to pull private registry images and public images.

Answer, setup the http_proxy for the docker daemon according to Daemon proxy configuration | Docker Docs. Environment=“HTTP_PROXY=http://127.0.0.1:3128/” works. So, this problem is now fixed for me, but for completeness

Problem 2. Allow traffic from container to internet and intranet

Maybe this can be done by using run arguments from Running containers | Docker Docs. However, I want all my containers on my host to go through cntlm. This is especially important when building images (apt-get etc.), since you cannot pass runtime arguments then (and you do not want to persist an ENV). I cannot get this to work.

In the end, images that I build will only go on the intranet. The CI has no external network connection. And all my open source projects contain only links to the web. But I would like to be able to work with both on my corporate network.

How do I route the container traffic through cntlm on the VM?
For background: do my containers notice any effect from the Environment setting under problem 1?

Thanks for any help / insights.
Quinten

programmerq · April 18, 2016, 4:47pm

If you want to run containers that don’t know about the proxy, then your best bet will probably be to look into some sort of transparent proxifier solution.

I’ve never used it for docker containers, but it might be possible to make this work: https://github.com/darkk/redsocks

The environment variables you set in systemd are set for the docker daemon only. Part of the isolation that containers get includes not passing through environment variables. You’d have to set the environment during build to be able to build with an http proxy (or set up a transparent solution that happens outside of the container altogether)

qkrijger · April 19, 2016, 8:38am

Thanks,

It appears strange that my setup is so out of the ordinary. I would expect many people to run into these problems.

Redsocks looks nice. As a solution not as simple as I expect it to be, but it has the advantage of simpliying the proxy setup for all other applications in my VM (especially those that do not respect the proxy environment variables).

Is this something that we could document?

jancoop · November 21, 2016, 8:34am

Configure your proxy environment to excempt your docker server from proxy authentication and excempt SSL interception for *.docker.io

Topic		Replies	Views
Beginner having trouble with docker behind company proxy General	11	97097	January 23, 2017
Proxy network for container inside container General docker , build	1	486	September 23, 2022
Linux container Proxy Problem Docker Desktop docker , windows	2	3222	November 11, 2018
Route entire container traffic through a http proxy General docker	0	560	January 13, 2024
[Help] How to use a proxy running on host in one container? General docker	7	5568	December 20, 2022