Configure Docker to use a host proxy inside of a container

In the previous post we configured Docker itself to use a proxy, for example to search and pull images from the Docker Hub.

If we are inside a container and want to install additional packages or software with the provided package manager, for example apt, we run into the next problem: the container cannot reach the internet if a dedicated proxy is required (which is the case when you are behind a firewall).

We will extend our previous proxy configuration so that the container can make use of the existing cntlm proxy on the host.

Used environment:

  • Ubuntu 14.04
  • cntlm
  • Docker

Docker creates a new virtual network interface called docker0 through which the containers communicate. If you run

ifconfig

you will find it in the output. It looks like the following:

docker0 Link encap:Ethernet HWaddr 56:84:7a:fe:97:99
inet addr:172.17.42.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::5484:7aff:fefe:9799/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2469501 errors:0 dropped:0 overruns:0 frame:0
TX packets:2183978 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3411641564 (3.4 GB) TX bytes:421520538 (421.5 MB)

The important entry here is the inet addr, which in this case is 172.17.42.1.

By default the cntlm proxy listens only on localhost:3128.

We need to make it listen on the docker0 interface as well, so the containers can reach it and make use of it. Therefore we extend the cntlm configuration in /etc/cntlm.conf with the following entries:

# Specify the port cntlm will listen on
# You can bind cntlm to specific interface by specifying
# the appropriate IP address also in format <ip>:<port>
# Cntlm listens on 127.0.0.1:3128 by default
#
Listen 3128
Listen 172.17.42.1:3128

Note that the IP of the docker0 interface is used here. With this second Listen line cntlm no longer accepts connections only from localhost, but from every container attached to the docker0 bridge.

After this, restart the cntlm proxy.

sudo service cntlm restart

After this we can configure the proxy inside a container using the address http://172.17.42.1:3128.

For example, inside an Ubuntu container you can add the following line to /etc/apt/apt.conf.d/99proxy:

Acquire::http::proxy "http://172.17.42.1:3128";

After this,

apt-get update

should run inside your container using the cntlm proxy of the host machine.
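A small shell helper, added here as an example and not part of the original post, that extracts the docker0 address the post reads off `ifconfig` and renders the two configuration fragments from it (the cntlm Listen lines and the apt proxy line). The ifconfig text is a constructed sample in the format shown above, and the optional listening check assumes `ss` from iproute2 is installed on the host.

```shell
#!/bin/sh
# Constructed sample of `ifconfig` output (two interfaces, docker0 first).
SAMPLE_IFCONFIG='docker0   Link encap:Ethernet  HWaddr 56:84:7a:fe:97:99
          inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0'

# iface_addr NAME: print the IPv4 "inet addr" of interface NAME from
# ifconfig text read on stdin. Prints nothing if NAME has no IPv4 address.
iface_addr() {
    awk -v ifname="$1" '
        $1 == ifname { found = 1; next }     # header line of the wanted interface
        found && /inet addr:/ {              # first inet line below that header
            sub(/.*inet addr:/, ""); print $1; exit
        }
        /^[^ \t]/ { found = 0 }              # any other header ends the block
    '
}

# cntlm_listen_lines ADDR PORT: the two Listen entries for /etc/cntlm.conf,
# keeping the localhost listener and adding the docker0 one.
cntlm_listen_lines() {
    printf 'Listen %s\nListen %s:%s\n' "$2" "$1" "$2"
}

# apt_proxy_line ADDR PORT: the entry for /etc/apt/apt.conf.d/99proxy
# inside the container.
apt_proxy_line() {
    printf 'Acquire::http::proxy "http://%s:%s";\n' "$1" "$2"
}

# cntlm_is_listening ADDR PORT: after `service cntlm restart`, verify on the
# host that a TCP listener exists on the docker0 address (assumes `ss`).
cntlm_is_listening() {
    ss -ltn 2>/dev/null | grep -q "[[:space:]]$1:$2[[:space:]]"
}

# Stand-alone demo against the constructed sample.
demo() {
    addr=$(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_addr docker0)
    [ -n "$addr" ] || { echo "docker0 has no IPv4 address" >&2; return 1; }
    echo "# /etc/cntlm.conf"; cntlm_listen_lines "$addr" 3128
    echo "# /etc/apt/apt.conf.d/99proxy"; apt_proxy_line "$addr" 3128
}

[ "${0##*/}" = "sh" ] || demo
```

On a real host, replace the sample with `ifconfig | iface_addr docker0` and run `cntlm_is_listening "$addr" 3128` after the restart to confirm the new listener is up.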

Running Docker behind a proxy

Running Docker behind a firewall, which is often the case inside a company, requires some additional configuration. I will show you step by step what is needed.

The following environment / tools are used:

  • Ubuntu 14.04
  • cntlm as local proxy
  • Docker

First we need to install cntlm on the machine. It works as a local proxy which then forwards the local traffic to the upstream proxy you configure.

sudo apt-get install cntlm

After this we need to configure cntlm to use the upstream proxy we want to use. Therefore we edit the file /etc/cntlm.conf and fill in the user details, if the target proxy requires authentication:

Username   =       <YOUR USERNAME>
Domain        =       <YOUR DOMAIN>
#Password  =       password

After this, generate the password hash with the following command:

sudo cntlm -u <YOUR USERNAME>@<YOUR DOMAIN> -H

Copy one of the resulting password hashes into the password section of /etc/cntlm.conf and uncomment the line by removing the # at its beginning.

After this start the cntlm service, or restart it if it is already running.

sudo service cntlm start
sudo service cntlm restart

The cntlm proxy is now running by default on port 3128.

If your proxy or company uses its own certificates, it is necessary to add them to the local certificate store of the machine, otherwise you will later run into errors when accessing the Docker Hub, like wrong certificate…

For this we copy the required certificates to /usr/local/share/ca-certificates and update the store with

sudo update-ca-certificates

Finally we can install docker by following the installation instructions on the official site.

After the installation, Docker needs to be told to use the local cntlm proxy. Therefore we add the following entry to /etc/default/docker:

# If you need Docker to use an HTTP proxy, it can also be specified here.

export http_proxy="http://127.0.0.1:3128/"

Restart the docker service with

sudo service docker restart

Finally you should be able to search for and pull containers from the official Docker Hub!