Using Docker behind a firewall #402

Closed
vikhyat opened this Issue Apr 12, 2013 · 9 comments

Projects

None yet

5 participants

@vikhyat
vikhyat commented Apr 12, 2013

I'm trying to use Docker, but I am behind a restrictive firewall, which results in the following error while trying to use the docker registry:

2013/04/12 16:10:14 Get https://registry.docker.io/v1/library/base: dial tcp 107.22.120.54:443: connection timed out

From the little bit of looking around I did, there are some places that suggest that Go understands the HTTP_PROXY environment variable by default, but that isn't what seems to be happening here. This is the specific place where the request is made using http.NewRequest, and looking at the source code (around line XXX) it does look like the default transport used by Go honors the HTTP_PROXY and NO_PROXY environment variables.

I noticed that registry.go contains a number of lines like this one:

client := &http.Client{}

If I understand correctly, that line should initialize a new client that is equivalent to DefaultClient, which uses DefaultTransport which does fetch the proxy environment variables.

That's what I understand so far. I haven't tried making any changes to the source code yet but I intend to do so soon, but I figured I'd check if anyone has any insights into what exactly the problem might be?

@vikhyat
vikhyat commented Apr 12, 2013

OK, I feel pretty stupid now. It turns out the problem was that I was running

HTTP_PROXY=http://x.x.x.x:x/ sudo ./docker run -i -t base /bin/bash

instead of

sudo HTTP_PROXY=http://x.x.x.x:x/ ./docker run -i -t base /bin/bash

However that hasn't completely fixed the problem, now I get this error message:

2013/04/12 16:46:11 use of closed network connection:

I'm not sure if this is related to the fact that I'm using an HTTP proxy, does anyone have an idea what's going on?

@creack
Contributor
creack commented Apr 12, 2013

This message occurs when the server close the socket, so it might be the proxy that does not support some of the http requests performed by docker in order to import the base image.
See #364, try not to use the stand alone mode.
You could try to start docker in server mode with sudo HTTP_PROXY=http://xx:x/ ./docker -d &
then you can simple run ./docker run -i -t base /bin/bash without sudo nor proxy.

If it still doesn't work, you can try to strart docker server with -d and -D in order to enable the debug mode and see what's going on.

@vikhyat
vikhyat commented Apr 12, 2013

The problem persisted even after using docker in server mode, but then I tried compiling from source (so that I could add additional debug statements to figure out what the problem was) and it worked without any issues.

So it was either an intermittent issue with the proxy server, or maybe the binary was out of date. Either way, thanks for the help!

@vikhyat vikhyat closed this Apr 12, 2013
@vikhyat
vikhyat commented Apr 12, 2013

I just tried pulling another image with the binary running as the server, and it failed again. Pulling the same image with the compiled version running as the server succeeded, so we can rule out it being an intermittent proxy issue.

I'm guessing this probably means the binary is out of date?

@creack
Contributor
creack commented Apr 12, 2013

the binaries are updated often, but not all the time. The current binaries are maybe 36h old, which makes it way outdated ;) Docker grows fast :)

@benkirkley

I am also behind a firewall and I've been trying to get Docker 0.4.0 to work using a proxy. I've followed the commands listed above and I get a certificate error. Here is what I see on the command line:

# sudo HTTP_PROXY=http://172.18.56.12:3128/ ./docker -d &
2013/06/04 14:53:00 WARNING: Your kernel does not support cgroup swap limit.
2013/06/04 14:53:00 Listening for HTTP on 127.0.0.1:4243

Then I ran:

# docker pull base
2013/06/04 14:57:01 POST /v1.1/images/create?tag=&registry=&fromImage=base
Pulling repository base from https://index.docker.io/v1
2013/06/04 14:57:01 Get https://index.docker.io/v1/repositories/base/images: certificate is valid for *.docker.io, docker.io, not 172.18.56.12
@kencochrane
Member

@creack @samalba @vieux any update on this?

@vieux
Member
vieux commented Jun 20, 2013

It was fixed by #810 , @benkirkley can you confirm ?

@benkirkley

@vieux Confirmed that this is working on my end now. I can use the HTTP_PROXY to reach the repositories.

Many thanks!

@bhack bhack referenced this issue in BVLC/caffe Jul 24, 2014
Closed

CMake - rebase + travis-ci integration #768

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment