Docker VM Incorrect use of Proxy URL #1511

Closed
pbrooko opened this issue Apr 5, 2017 · 12 comments

@pbrooko

pbrooko commented Apr 5, 2017

Expected behavior

On a corporate/university network with an NTLM-based authenticating proxy, a user should be able to download images from the Docker hub, given the correct proxy details.

Actual behavior

Attempting to pull an image fails with the following error using the system proxy settings:

Error response from daemon: Get https://registry-1.docker.io/v2/: http: error connecting to proxy http://localhost:3128: dial tcp [::1]:3128: getsockopt: connection refused

Note: This appears very similar to the issue raised in #1238, except the problem has nothing to do with SOCKS5 as discussed there, and instead appears to be utilizing the incorrect IP / host string for the proxy server.

Background

Many *nix applications have trouble correctly dealing with NTLM authenticating proxies, and so often the CNTLM project is used to allow programs to instead connect to a simple http proxy running on localhost, which transparently handles communicating/authenticating with the upstream NTLM proxy.

Steps to reproduce the behavior

  1. Run an http proxy on the Mac localhost (such as CNTLM)
  2. Set the Mac system proxy to point at the local proxy, eg: http://localhost:3128
  3. Configure Docker for Mac to use the system proxy settings
  4. Attempt to pull an image from Docker Hub

Workaround

I have managed to work around the issue by manually setting the Docker For Mac proxy to point to the Mac's host IP within the Docker for Mac VM network (in my case http://192.168.65.1:3128). This fixes the issue, and allows the VM to connect to the actual proxy and download images.

It appears that the proxy settings are simply copied verbatim into the Docker VM, and as a result if the proxy points to localhost, the Docker daemon tries to connect to a proxy running within the Docker VM, and not on the host Mac. This is confusing to the user as Docker for Mac tries to abstract away the VM running the Docker daemon, and expects the error to have come from their Mac and not from within the VM.

Proposed steps to fix the behavior

Instead of simply copying the proxy string into the VM, it should first be checked for strings pointing at the Mac host such as:

  • localhost
  • 127.0.0.1
  • ::1

and be automatically substituted with the IP of the host Mac on the Docker VM <--> Mac network (in my case 192.168.65.1). This will allow the user to keep the illusion of Docker actually running on their Mac without digging to find the internal VM IPs.

@jeanlaurent
Member

Thanks @pbrooko for the very detailed report.

We completely agree with your proposed solution, and we have an already ongoing ticket open in the development team to implement it.

We're going to let you know about the progress in there.

@mi-hol

mi-hol commented Apr 6, 2017

@jeanlaurent re 'we have an already ongoing ticket open in the development team to implement it. We're going to let you know about the progress in there.' Would you mind referencing the bug ID here? This would allow for tracking progress easily :)

@jeanlaurent
Member

@mi-hol it's already the case, I wish you could see it, but actually this is a closed source repo, so you won't see it.

@djs55
Contributor

djs55 commented May 12, 2017

@pbrooko thanks for your suggestion -- I have implemented this policy in the master branch of Docker for Mac. I tested it by running a squid proxy on 127.0.0.1:3128 on my Mac, setting the system http proxy setting to http://localhost:3128 and then observing both Safari and an alpine container use the proxy (the latter via 192.168.65.1). I'll let you know when there's a build you can try.

@djs55
Contributor

djs55 commented May 12, 2017

We now have a special channel of Docker for Mac which contains builds from the master branch which have passed the test suite. It's only intended for testing and not for production. The latest build can be installed from here: https://download-stage.docker.com/mac/master/Docker.dmg

I installed this version:

Version 17.05.0-ce-mac9 (17691)
Channel: master
672b42570d

and then ran a local proxy with docker run --name squid --restart always -d -p 127.0.0.1:3128:3128 sameersbn/squid:3.3.8-23. I then set System Preferences -> Network -> Advanced -> Proxies -> Web Proxy (HTTP) to localhost port 3128 and hit apply -- this caused Docker for Mac to restart.

Now I see this environment variable in containers:

$ docker run -it alpine sh -c 'echo $http_proxy'
http://docker.for.mac.localhost:3128

where docker.for.mac.localhost resolves to 192.168.65.1. I can browse the web on the host via the proxy, and my alpine container apk update also uses the proxy.
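
The substitution proposed in the report and described as implemented in the comments above, written out as an added example (this is not Docker's code; Docker for Mac is closed source). It rewrites a proxy URL only when its host is loopback, and keeps the scheme, port and credentials. The function names are hypothetical, the default alias is the hostname quoted in the thread, and the sample URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Hostname quoted in the thread; assumed to resolve to the host side of the VM network.
HOST_ALIAS = "docker.for.mac.localhost"


def is_loopback(host: str) -> bool:
    """True for 'localhost' and for any loopback IP (127.0.0.0/8, ::1)."""
    host = host.rstrip(".").lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Any other DNS name, e.g. localhost.example.com, is left alone.
        return False


def rewrite_proxy(proxy_url: str, host_alias: str = HOST_ALIAS) -> str:
    """Return proxy_url with a loopback host replaced by host_alias."""
    parts = urlsplit(proxy_url)
    if parts.hostname is None or not is_loopback(parts.hostname):
        return proxy_url  # not a host-local proxy: pass through verbatim
    # A bare IPv6 literal used as the replacement needs brackets in a URL.
    netloc = f"[{host_alias}]" if ":" in host_alias else host_alias
    if parts.port is not None:
        netloc += f":{parts.port}"
    # Keep any user:password prefix byte-for-byte (it may be percent-encoded).
    userinfo, sep, _ = parts.netloc.rpartition("@")
    if sep:
        netloc = f"{userinfo}@{netloc}"
    return urlunsplit(parts._replace(netloc=netloc))


if __name__ == "__main__":
    # Constructed sample settings, not taken from a real system.
    for url in ("http://localhost:3128",
                "http://[::1]:3128",
                "http://user:p%40ss@127.0.0.1:3128/",
                "http://localhost.example.com:3128",
                "http://proxy.corp.example:8080"):
        print(f"{url} -> {rewrite_proxy(url)}")
```

Matching on the parsed hostname rather than on a substring is what keeps names such as localhost.example.com from being rewritten.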

@pbrooko
Author

pbrooko commented May 15, 2017

Awesome, thank you @djs55! I've just installed the Edge version, and can also confirm that everything is working as expected now. Images pull down correctly, and containers are able to grab packages without any hackery 👍

@mmucklo

mmucklo commented Jun 29, 2017

@djs55 Is there an equivalent "docker.for.mac.localhost" for linux / windows based installations?

@djs55
Contributor

djs55 commented Jun 29, 2017

@mmucklo unfortunately there's no docker.for.x.localhost anywhere else at the moment -- it's currently only available in Docker for Mac and Docker for Windows. If you have a Linux/Windows machine with an existing stable IP or DNS name you could use that as a workaround.

@mmucklo

mmucklo commented Jun 30, 2017

@djs55 Okay, thanks for the reply -

The docker.for.mac.localhost is great, btw. - I think what I'm looking for now is some hostname that would be common across all platforms (to refer back to the hosted OS), that way I could have a common configuration for all installations of docker...

@0x11-dev

0x11-dev commented Jan 7, 2018

When will this be released? Docker ce mac version 17.09.1-ce-mac42 (21090) is still unfixed.

Version 
Channel: stable
3176a6af01


@docker docker locked and limited conversation to collaborators Jun 23, 2020