Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Using Docker behind a firewall #402

Closed
vikhyat opened this issue Apr 12, 2013 · 9 comments

Comments

Projects
None yet
5 participants
@vikhyat
Copy link

commented Apr 12, 2013

I'm trying to use Docker, but I am behind a restrictive firewall, which results in the following error while trying to use the docker registry:

2013/04/12 16:10:14 Get https://registry.docker.io/v1/library/base: dial tcp 107.22.120.54:443: connection timed out

From the little bit of looking around I did, there are some places that suggest that Go understands the HTTP_PROXY environment variable by default, but that isn't what seems to be happening here. This is the specific place where the request is made using http.NewRequest, and looking at the source code (around line XXX) it does look like the default transport used by Go honors the HTTP_PROXY and NO_PROXY environment variables.

I noticed that registry.go contains a number of lines like this one:

client := &http.Client{}

If I understand correctly, that line should initialize a new client that is equivalent to DefaultClient, which uses DefaultTransport which does fetch the proxy environment variables.

That's what I understand so far. I haven't tried making any changes to the source code yet but I intend to do so soon, but I figured I'd check if anyone has any insights into what exactly the problem might be?

@vikhyat

This comment has been minimized.

Copy link
Author

commented Apr 12, 2013

OK, I feel pretty stupid now. It turns out the problem was that I was running

HTTP_PROXY=http://x.x.x.x:x/ sudo ./docker run -i -t base /bin/bash

instead of

sudo HTTP_PROXY=http://x.x.x.x:x/ ./docker run -i -t base /bin/bash

However that hasn't completely fixed the problem, now I get this error message:

2013/04/12 16:46:11 use of closed network connection:

I'm not sure if this is related to the fact that I'm using an HTTP proxy, does anyone have an idea what's going on?

@creack

This comment has been minimized.

Copy link
Contributor

commented Apr 12, 2013

This message occurs when the server close the socket, so it might be the proxy that does not support some of the http requests performed by docker in order to import the base image.
See #364, try not to use the stand alone mode.
You could try to start docker in server mode with sudo HTTP_PROXY=http://xx:x/ ./docker -d &
then you can simple run ./docker run -i -t base /bin/bash without sudo nor proxy.

If it still doesn't work, you can try to strart docker server with -d and -D in order to enable the debug mode and see what's going on.

@vikhyat

This comment has been minimized.

Copy link
Author

commented Apr 12, 2013

The problem persisted even after using docker in server mode, but then I tried compiling from source (so that I could add additional debug statements to figure out what the problem was) and it worked without any issues.

So it was either an intermittent issue with the proxy server, or maybe the binary was out of date. Either way, thanks for the help!

@vikhyat vikhyat closed this Apr 12, 2013

@vikhyat

This comment has been minimized.

Copy link
Author

commented Apr 12, 2013

I just tried pulling another image with the binary running as the server, and it failed again. Pulling the same image with the compiled version running as the server succeeded, so we can rule out it being an intermittent proxy issue.

I'm guessing this probably means the binary is out of date?

@creack

This comment has been minimized.

Copy link
Contributor

commented Apr 12, 2013

the binaries are updated often, but not all the time. The current binaries are maybe 36h old, which makes it way outdated ;) Docker grows fast :)

@benkirkley

This comment has been minimized.

Copy link

commented Jun 4, 2013

I am also behind a firewall and I've been trying to get Docker 0.4.0 to work using a proxy. I've followed the commands listed above and I get a certificate error. Here is what I see on the command line:

# sudo HTTP_PROXY=http://172.18.56.12:3128/ ./docker -d &
2013/06/04 14:53:00 WARNING: Your kernel does not support cgroup swap limit.
2013/06/04 14:53:00 Listening for HTTP on 127.0.0.1:4243

Then I ran:

# docker pull base
2013/06/04 14:57:01 POST /v1.1/images/create?tag=&registry=&fromImage=base
Pulling repository base from https://index.docker.io/v1
2013/06/04 14:57:01 Get https://index.docker.io/v1/repositories/base/images: certificate is valid for *.docker.io, docker.io, not 172.18.56.12
@kencochrane

This comment has been minimized.

Copy link
Contributor

commented Jun 19, 2013

@creack @samalba @vieux any update on this?

@vieux

This comment has been minimized.

Copy link
Collaborator

commented Jun 20, 2013

It was fixed by #810 , @benkirkley can you confirm ?

@benkirkley

This comment has been minimized.

Copy link

commented Jun 21, 2013

@vieux Confirmed that this is working on my end now. I can use the HTTP_PROXY to reach the repositories.

Many thanks!

mavenugo pushed a commit to mavenugo/docker that referenced this issue Jun 14, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.