In the era of automation, everyone is deploying on Docker (52%) and Kubernetes (30%) globally.
Sounds cool too.
But what about security and proxy setups?
In the Docker container environment too, the proxy is very important. It handles connections originating from the local machine, which might otherwise not pass through the iptables rules that Docker configures for port forwarding, and it is used when Docker has been configured so that it does not manipulate iptables at all.
The Docker and Ubuntu versions used for this article are:
1. Docker client 18.03.1-ce Community edition
2. Docker server 18.03.1-ce Community edition
3. Ubuntu 18.04.1 LTS Bionic release
On host proxy setup
1) Problem: apt-get update and install will not work behind a proxy. When $ sudo apt-get is executed, the error ‘407 Proxy Authentication is required’ is returned.
To solve this, ensure that the proxy has been set up properly. To make apt-get work behind the proxy, follow the two-step process below.
a. Create a /etc/apt/apt.conf file and add the following entries to the file:
$ vi /etc/apt/apt.conf
Acquire::http::Proxy "http://username:password@proxy:port/";
Acquire::https::Proxy "https://username:password@proxy:port/";
b. Create a /etc/apt/apt.conf.d/proxy.conf file and add the following entries in the file:
$ vi /etc/apt/apt.conf.d/proxy.conf
Acquire::http::Proxy "http://username:password@proxy:port/";
Acquire::https::Proxy "https://username:password@proxy:port/";
2) Problem: Sometimes errors persist even after setting the apt configuration as described above. The installation or update fails and might not work again behind the proxy, or the pull operation of a Docker image has issues.
The following step will resolve this issue.
Ensure that the proper DNS is set up by entering the name servers in the file /etc/resolv.conf:
$ vi /etc/resolv.conf
nameserver xx.xx.xx.xx
nameserver xx.xx.xx.xx
nameserver 127.0.0.53
search company.com
Note: This is based on the host IP and gateway used, and will differ based on the configuration.
Pre-configured proxy on container images (migration/normal set-up scenarios)
When a container image is built and carried to a different environment, it should work fine there (DNS, routing, etc.).
1) Problem: In some cases, apt-get or Internet access will not work while container images are being built.
This problem can be solved in the following way. The environment variable should be set up properly by using the following procedure.
a. Verify that the http_proxy, https_proxy, HTTP_PROXY and HTTPS_PROXY variables are set up by using the following echo command:
ubuntu@test-vm1:/etc/apt$ echo $http_proxy
http://username:password@proxy:port/
Ensure that the output is as shown above. If the output is empty, then proceed to set up the environment variable as shown in step b below.
b. Set the environment variables:
export http_proxy=http://username:password@proxy:port
export https_proxy=https://username:password@proxy:port
Then verify again with the echo command to ensure that the environment variable is updated properly.
c. Repeat the above steps for all environment variables like https_proxy, HTTP_PROXY and HTTPS_PROXY.
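The check in steps a to c, as an added example that is not part of the original article: it audits all four variables in one pass and prints them with the password masked, so the credentials do not end up in terminal scrollback or CI logs the way a plain echo leaves them. The function names and the proxy.example sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit the four proxy variables
# without echoing the proxy password to the terminal.

# redact_proxy URL -> URL with the password replaced by ***
redact_proxy() {
    printf '%s\n' "$1" |
        sed -E 's#^([a-zA-Z][a-zA-Z0-9+.-]*://[^:/@]*):.*@#\1:***@#'
}

# check_proxy_value VALUE -> prints unset, whitespace, no-scheme or ok
check_proxy_value() {
    case "$1" in
        '')                 echo unset ;;
        *" "*)              echo whitespace ;;  # e.g. "https:// user:..."
        http://*|https://*) echo ok ;;
        *)                  echo no-scheme ;;
    esac
}

# audit_proxy_env -> one line per variable; returns 1 if any value is not ok
# or if the lower-case and upper-case spellings disagree.
audit_proxy_env() {
    rc=0
    for name in http_proxy https_proxy HTTP_PROXY HTTPS_PROXY; do
        eval "value=\${$name-}"
        status=$(check_proxy_value "$value")
        [ "$status" = ok ] || rc=1
        printf '%-12s %-10s %s\n' "$name" "$status" "$(redact_proxy "$value")"
    done
    [ "${http_proxy-}" = "${HTTP_PROXY-}" ] ||
        { echo "mismatch: http_proxy != HTTP_PROXY"; rc=1; }
    [ "${https_proxy-}" = "${HTTPS_PROXY-}" ] ||
        { echo "mismatch: https_proxy != HTTPS_PROXY"; rc=1; }
    return "$rc"
}

# Constructed sample values (proxy.example and the credentials are made up).
# https_proxy carries a stray space, so the audit reports it and fails.
(
    http_proxy='http://user:s3cret@proxy.example:3128'
    HTTP_PROXY=$http_proxy
    https_proxy='https:// user:s3cret@proxy.example:3128'
    HTTPS_PROXY=$https_proxy
    audit_proxy_env
) || true
```

To audit the live shell instead of the sample, source the file and call audit_proxy_env; its exit status can gate a build script.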
2) Problem: Sometimes the proxy will not persist across environments and configurations.
If the config.json file is updated with the following proxy parameters, this problem will be overcome.
a. Update the ~/.docker/config.json file.
b. Further to the above step, please update the daemon file /etc/default/docker with all environment variables.
c. Now add the reference of the /etc/default/docker file as a variable in the file /lib/systemd/system/docker.
d. Restart the Docker services, as follows:
ubuntu@test-vm1:~$ sudo systemctl daemon-reload
ubuntu@test-vm1:~$ sudo systemctl restart docker
ubuntu@test-vm1:~$ sudo systemctl show --property Environment docker
How to override proxy configuration (during runtime)
This method helps in building Docker container images and also overrides the host proxy, which avoids future problems related to the proxy setup.
The following set of commands and configurations is used to set up this proxy:
$ sudo docker build \
    --build-arg http_proxy="http://username:password@proxy:port/" \
    --build-arg https_proxy="https://username:password@proxy:port/" \
    --network=host .
We can use the --build-arg argument without the values as well. These values can be populated from environment variables like http_proxy, as shown below:
$ export http_proxy=http://proxyaddress:port
$ docker build --build-arg http_proxy .