please add support for socks5 proxy

[yunfan]

hi, i live behind the GFW, and unfortunately the cdn-registry-1 has been block at my location.

i hope you could add support for socks5 proxy , i knew you have HTTP_PROXY support,

but i think socks5 proxy are more popular and convenient, cause everyone could simply use ssh user@host -D 9999 to launch a simple proxy server at once

[absolute8511]

+1， We need this too

[shuaiming]

+10086 , i got this fucking gfw problems too...

[gaolei-gl]

+1
That would be very useful.

[thaJeztah]

Just linking in case it's useful; another issue related to GFW; #11093 (possibly useful tip as well here: #11093 (comment))

[GeorgeZhai]

+1
Thanks

[94Bo]

+12306

[utyagi24]

+1 #$%$!

[win-t]

+1,
I need this,

Thanks

[RomainSF]

+6

[VPaulV]

+1
Thank you.

[ghost]

+1
I have a Systemd unit file in place for permanent SSH tunnel that I would like to be used by Docker.

[thaJeztah]

@usertaken perhaps you are interested in creating a PR to describe this? Thinking of an extra section in https://github.com/docker/docker/blob/master/docs/articles/systemd.md (similar to the proxy example/section)?

[smiller171]

👍

[GordonTheTurtle]

USER POLL

The best way to get notified when there are changes in this discussion is by clicking the Subscribe button in the top right.

The people listed below have appreciated your meaningfull discussion with a random +1:

@uzxmx
@pstinghua
@intothephone
@h12w

[raintean]

+1

[edx903]

+1
desire for freedom

[gitchs]

+1

[curtiszimmerman]

+1 this machine could kill fascists.

[shinigami1992]

+1

[bluesalt]

+1

[gaocegege]

It's useful!

[nathanleclaire]

Submitted a PR to support this: #18373

Try it out!

[smiller171]

thanks @nathanleclaire !

[KellerFuchs]

@nathanleclaire Awesome.
I will give it a spin and check for on-network leakage (I plan to use it over Tor); does it avoid doing DNS queries?

[nathanleclaire]

@KellerFuchs I'm not 100% sure. My PR routes the requests from the Docker client to the Docker API through the SOCKS proxy by controlling the low-level net.Dial, so I would expect that if there were a DNS lookup as part of that (e.g. if you request API at host.mydomain.com:2376) it should go through the proxy as well. However, I'm not an expert on networking and any analysis of leakage is encouraged.

[nathanleclaire]

@KellerFuchs I think actually it will not route DNS requests, because the Golang Dialer does not support socks5h so far, just socks5. I've filed an issue here: golang/go#13454

[KellerFuchs]

Awesome, thanks.

[cpuguy83]

Closed by #20366

[samos123]

@cpuguy83 could you tell how we enable socks5 proxies? I saw that you closed the ticket but didn't find any reference to docs or configurations on how to enable here nor in #20366 . Thanks!

[nathanleclaire]

@samos123 Use http_proxy / https_proxy environment variable, along the lines of:

$ HTTP_PROXY=socks5://localhost:5000 docker info

[xbaran]

+1

[cpuguy83]

@xbaran +1 for what? This is already added.

[thaJeztah]

@xbaran adding "+1" doesn't help, this is already implemented for 1.11; see #20366

edit: oops, see @cpuguy83 just commented the same

[tom-bowles]

Setting the environment variable for the execution of the docker command line utility, as described by @nathanleclaire, doesn't appear to work. I had to add it to the docker daemon.

[nathanleclaire]

HTTP_PROXY and ALL_PROXY, if set where the docker client executable is invoked will dictate how the client attempts to contact the server (docker daemon). As you noted, if you need a proxy for image pulls, etc., you have to configure the daemon's environment to support this.

[windowsair]

How to use it in image？ For example use it in "docker run centos: latest"@nathanleclaire

[nathanleclaire]

@windowsair You can't configure it in an image level setting, it's something that gets set to dictate the behavior of the docker CLI client.

[smiller171]

@nathanleclaire couldn't you do $ HTTP_PROXY=socks5://localhost:5000 docker run centos:latest to get it to pull that one image from the right host? You could then utilize aliases if you need to do that frequently I think

[nathanleclaire]

@smiller171 If you mean will HTTP_PROXY=<authority> docker pull pull the image through that proxy, then no, it won't. (Unless the code is doing something excessively clever since last time I was there)

The Docker daemon pulls the images. The Docker client (the binary you are invoking when you type docker run, docker pull, etc.) will send requests to the Docker daemon to indicate what actions should be taken. Those API (HTTP-ish) requests will be routed / proxied according to the environment variables set where it is invoked but the Docker daemon has its own settings. See https://docs.docker.com/engine/admin/systemd/ for info how to configure.

[windowsair]

@nathanleclaire
Thanks a lot! But I feel the existing document is very confusing. I still do not know how to configure the socks proxy for the running container.

[smiller171]

@windowsair You're asking about the traffic from the container going over the proxy? AFAIK this would need to be configured either in the container, or configuring a Docker network that forces all traffic over the proxy.

These settings are for configuring how the client talks to the daemon, or how the daemon talks to the registry.