https://get.docker.io/ubuntu breaks apt-cacher #9592

Closed
mgcrea opened this Issue Dec 10, 2014 · 22 comments

Comments

Projects
None yet

mgcrea commented Dec 10, 2014

Following #7422

Since the recent switch from http to https, it broke any setup relying on apt-cacher-ng.

Your get HTTP code 403 from proxy after CONNECT when performing an apt update.

In my case, with ansible, it breaks any further apt commands.

Removing the apt-cacher is not an option (orchestrating hundreds of machines).

Contributor

mbentley commented Dec 16, 2014

I have also had the same issue. For anyone not aware, if you are using Acquire::http::Proxy to set your apt-cacher-ng proxy, you can bypass the apt proxy setting by adding a line in /etc/apt/apt.conf or /etc/apt/apt.conf.d/<your-config-file> (whichever you prefer) on a per-machine basis:

Acquire::HTTP::Proxy::get.docker.com "DIRECT";
or if you use get.docker.io:
Acquire::HTTP::Proxy::get.docker.io "DIRECT";

I've attempted to configure a direct proxy connection from the apt-cacher-ng configuration on my caching server so that it does not have to be defined per server but I haven't been successful yet/haven't spent much time trying.

Collaborator

tiborvass commented Dec 16, 2014

@mgcrea @mbentley I'm curious to know: do you have the same problem with get.docker.com ?

Contributor

mbentley commented Dec 16, 2014

Contents of my /etc/apt/sources.list.d/docker.list:
deb https://get.docker.com/ubuntu docker main

The same error occurs whether I am using get.docker.com or get.docker.io.

Here is my full apt-get update output on my Debian Jessie box (this exact error occurs on Ubuntu 14.04):

> apt-get update
Ign https://get.docker.com docker InRelease
Ign https://get.docker.com docker Release.gpg
Ign https://get.docker.com docker Release
Ign https://get.docker.com docker/main amd64 Packages/DiffIndex
Hit http://ftp.us.debian.org jessie InRelease
Hit http://security.debian.org jessie/updates InRelease
Hit http://ftp.us.debian.org jessie-updates InRelease
Hit http://security.debian.org jessie/updates/main Sources
Hit http://ftp.us.debian.org jessie-backports InRelease
Get:1 http://ftp.us.debian.org jessie/main Sources/DiffIndex [7,876 B]
Get:2 http://ftp.us.debian.org jessie/main amd64 Packages/DiffIndex [7,876 B]
Get:3 http://ftp.us.debian.org jessie/main Translation-en/DiffIndex [7,876 B]
Hit http://security.debian.org jessie/updates/main amd64 Packages
Hit http://security.debian.org jessie/updates/main Translation-en
Hit http://ftp.us.debian.org jessie-updates/main Sources
Hit http://ftp.us.debian.org jessie-updates/main amd64 Packages
Ign https://get.docker.com docker/main Translation-en_US
Ign https://get.docker.com docker/main Translation-en
Hit http://ftp.us.debian.org jessie-updates/main Translation-en
Err https://get.docker.com docker/main amd64 Packages
  Proxy CONNECT aborted
Hit http://ftp.us.debian.org jessie-backports/main Sources
Hit http://ftp.us.debian.org jessie-backports/main amd64 Packages
Hit http://ftp.us.debian.org jessie-backports/main Translation-en
Fetched 23.6 kB in 3s (7,026 B/s)
W: Failed to fetch https://get.docker.com/ubuntu/dists/docker/main/binary-amd64/Packages  Proxy CONNECT aborted

E: Some index files failed to download. They have been ignored, or old ones used instead.

coulix commented Jan 1, 2015

Same issue on Trusty following with a simple curl -sSL https://get.docker.com/ubuntu/ | sudo sh.

Contributor

jessfraz commented Feb 26, 2015

I think this has been resolved right?

Contributor

jessfraz commented Feb 26, 2015

or is it an actual problem with the install script

Contributor

mbentley commented Feb 26, 2015

This is still a problem. It is something with how the apt repo is configured. It isn't a problem with the curl install script, just when you're pulling through an apt proxy like apt-cacher-ng.

Contributor

jessfraz commented Feb 26, 2015

gotcha thanks for explaining

@jessfraz jessfraz added the bug label Feb 26, 2015

Contributor

mbentley commented Feb 27, 2015

Just as a quick example of this working in action if anyone wants to look for any sort of testing:

  1. Start apt-cacher-ng:
    • docker run -d --name acng tianon/apt-cacher-ng
  2. Start a docker container and add the docker repo and perform an apt-get update while using the proxy:
    • docker run -it --link acng:acng debian:jessie /bin/bash
  3. Run the following commands in your debian container:
    • apt-get update && apt-get install -y apt-transport-https
    • echo 'deb https://get.docker.com/ubuntu docker main' > /etc/apt/sources.list.d/docker.list
    • echo 'Acquire::http::Proxy "http://acng:80";' > /etc/apt/apt.conf
    • apt-get update
  4. Enjoy your 403 errors

I don't believe apt-cache-ng supports ssl.

I cheated and switched deb https://get.docker.com/ubuntu docker main to deb http://get.docker.com.s3-website-us-west-1.amazonaws.com/ubuntu docker main

Contributor

mbentley commented Mar 3, 2015

@lancehudson - Ah yes, you're correct. I am not sure why I didn't even think about that.

So there are four possibly solutions. These must be done per server as there isn't anything that can be done to fix it Docker side as there isn't anything wrong:

  1. Add a PassThroughPattern to your acng.conf (thanks @mandoonandy):

    PassThroughPattern: get\.docker\.com
    
  2. Disable your apt proxy for HTTPS:

    Acquire::http::Proxy "http://<url-to-apt-cacher-ng>:3142";
    Acquire::https::Proxy "false";
    
  3. Configure apt to bypass the proxy just for get.docker.com (works for get.docker.io too but it is probably a good idea to update to .com anyway...):

    Acquire::http::Proxy "http://<url-to-apt-cacher-ng>:3142";
    Acquire::HTTP::Proxy::get.docker.com "DIRECT";
    
  4. Change your /etc/apt/sources.list.d/docker.list to use http instead of https:

    deb http://get.docker.com/ubuntu docker main
    

Or even better. Follow the notes in the apt-cacher-ng config file that show how SSL can be passed through.

In your apt-cacher-ng config file (acng.conf) add the following line:

PassThroughPattern: get\.docker\.com

Contributor

mbentley commented Mar 5, 2015

Well huh... I could have sworn that I had tried that previously without any luck but here I am with that working perfectly. I think I attempted to use the patterns I found here unsuccessfully: saltstack-formulas/docker-formula#6 but for whatever reason didn't just try get\.docker\.com apparently. No matter, thanks much for what I would call a real solution @mandoonandy 👍

Contributor

mbentley commented Mar 30, 2015

I would think this issue can be closed as it is a misconfiguration of apt-cacher-ng essentially and nothing that can be fixed by docker.

Collaborator

tiborvass commented Mar 30, 2015

@mbentley thanks!

I'm closing this now. @mgcrea if you disagree and still see this issue, feel free to comment and we'll reopen.

@tiborvass tiborvass closed this Mar 30, 2015

I'm getting this error while running the wget -qO- https://get.docker.com/ | sh provided in the docs on Ubuntu 12.4.

I don't think this is the appropriate place to report the issue since i'm not using apt-cacher.

Should I open up a new one?

root@vagrant:/home/vagrant# wget -qO- https://get.docker.com/ | sh

Hit http://apt.newrelic.com newrelic Release.gpg
Ign https://get.docker.com docker Release.gpg
Ign https://get.docker.com docker Release
Hit http://security.ubuntu.com precise-security Release.gpg
Hit http://apt.datadoghq.com stable Release.gpg
Hit http://us.archive.ubuntu.com precise Release.gpg
Hit http://us.archive.ubuntu.com precise-updates Release.gpg
Hit http://us.archive.ubuntu.com precise-backports Release.gpg
Hit http://apt.postgresql.org precise-pgdg Release.gpg
Hit http://apt.newrelic.com newrelic Release
Ign https://get.docker.com docker/main TranslationIndex
Hit http://ppa.launchpad.net precise Release.gpg
Hit http://security.ubuntu.com precise-security Release
Hit http://us.archive.ubuntu.com precise Release
Hit http://us.archive.ubuntu.com precise-updates Release
Hit http://apt.datadoghq.com stable Release
Hit http://apt.newrelic.com newrelic/non-free amd64 Packages
Hit http://us.archive.ubuntu.com precise-backports Release
Hit http://us.archive.ubuntu.com precise/main Sources
Hit http://apt.newrelic.com newrelic/non-free i386 Packages
Hit http://us.archive.ubuntu.com precise/restricted Sources
Hit http://us.archive.ubuntu.com precise/universe Sources
Ign http://apt.newrelic.com newrelic/non-free TranslationIndex
Hit http://us.archive.ubuntu.com precise/multiverse Sources
Hit http://us.archive.ubuntu.com precise/main amd64 Packages
Hit http://us.archive.ubuntu.com precise/restricted amd64 Packages
Hit http://us.archive.ubuntu.com precise/universe amd64 Packages
Hit http://ppa.launchpad.net precise Release
Hit http://security.ubuntu.com precise-security/main Sources
Hit http://us.archive.ubuntu.com precise/multiverse amd64 Packages
Hit http://apt.postgresql.org precise-pgdg Release
Hit http://us.archive.ubuntu.com precise/main i386 Packages
Hit http://apt.datadoghq.com stable/main amd64 Packages
Hit http://us.archive.ubuntu.com precise/restricted i386 Packages
Err https://get.docker.com docker/main amd64 Packages
  Proxy CONNECT aborted
Hit http://us.archive.ubuntu.com precise/universe i386 Packages
Err https://get.docker.com docker/main i386 Packages
  Proxy CONNECT aborted
Hit http://us.archive.ubuntu.com precise/multiverse i386 Packages
Hit http://us.archive.ubuntu.com precise/main TranslationIndex
Hit http://us.archive.ubuntu.com precise/multiverse TranslationIndex
Hit http://us.archive.ubuntu.com precise/restricted TranslationIndex
Hit http://us.archive.ubuntu.com precise/universe TranslationIndex
Hit http://us.archive.ubuntu.com precise-updates/main Sources
Hit http://us.archive.ubuntu.com precise-updates/restricted Sources
Ign https://get.docker.com docker/main Translation-en_US
Hit http://us.archive.ubuntu.com precise-updates/universe Sources
Ign https://get.docker.com docker/main Translation-en
Hit http://us.archive.ubuntu.com precise-updates/multiverse Sources
Hit http://apt.datadoghq.com stable/main i386 Packages
Hit http://us.archive.ubuntu.com precise-updates/main amd64 Packages
Ign http://apt.datadoghq.com stable/main TranslationIndex
Hit http://us.archive.ubuntu.com precise-updates/restricted amd64 Packages
Hit http://us.archive.ubuntu.com precise-updates/universe amd64 Packages
Hit http://ppa.launchpad.net precise/main Sources
Hit http://us.archive.ubuntu.com precise-updates/multiverse amd64 Packages
Get:1 http://security.ubuntu.com precise-security/restricted Sources [3,759 B]
Hit http://us.archive.ubuntu.com precise-updates/main i386 Packages
Get:2 http://security.ubuntu.com precise-security/universe Sources [42.1 kB]
Hit http://us.archive.ubuntu.com precise-updates/restricted i386 Packages
Hit http://apt.postgresql.org precise-pgdg/main amd64 Packages
Hit http://us.archive.ubuntu.com precise-updates/universe i386 Packages
Hit http://us.archive.ubuntu.com precise-updates/multiverse i386 Packages
Hit http://us.archive.ubuntu.com precise-updates/main TranslationIndex
Hit http://us.archive.ubuntu.com precise-updates/multiverse TranslationIndex
Hit http://us.archive.ubuntu.com precise-updates/restricted TranslationIndex
Hit http://us.archive.ubuntu.com precise-updates/universe TranslationIndex
Hit http://us.archive.ubuntu.com precise-backports/main Sources
Hit http://us.archive.ubuntu.com precise-backports/restricted Sources
Hit http://us.archive.ubuntu.com precise-backports/universe Sources
Hit http://us.archive.ubuntu.com precise-backports/multiverse Sources
Hit http://us.archive.ubuntu.com precise-backports/main amd64 Packages
Hit http://security.ubuntu.com precise-security/multiverse Sources
Hit http://security.ubuntu.com precise-security/main amd64 Packages
Hit http://security.ubuntu.com precise-security/restricted amd64 Packages
Hit http://security.ubuntu.com precise-security/universe amd64 Packages
Hit http://security.ubuntu.com precise-security/multiverse amd64 Packages
Hit http://security.ubuntu.com precise-security/main i386 Packages
Hit http://security.ubuntu.com precise-security/restricted i386 Packages
Hit http://security.ubuntu.com precise-security/universe i386 Packages
Hit http://security.ubuntu.com precise-security/multiverse i386 Packages
Hit http://us.archive.ubuntu.com precise-backports/restricted amd64 Packages
Hit http://us.archive.ubuntu.com precise-backports/universe amd64 Packages
Hit http://us.archive.ubuntu.com precise-backports/multiverse amd64 Packages
Hit http://ppa.launchpad.net precise/main amd64 Packages
Hit http://ppa.launchpad.net precise/main i386 Packages
Hit http://ppa.launchpad.net precise/main TranslationIndex
Hit http://us.archive.ubuntu.com precise-backports/main i386 Packages
Hit http://us.archive.ubuntu.com precise-backports/restricted i386 Packages
Hit http://us.archive.ubuntu.com precise-backports/universe i386 Packages
Hit http://us.archive.ubuntu.com precise-backports/multiverse i386 Packages
Hit http://us.archive.ubuntu.com precise-backports/main TranslationIndex
Hit http://security.ubuntu.com precise-security/main TranslationIndex
Hit http://us.archive.ubuntu.com precise-backports/multiverse TranslationIndex
Hit http://security.ubuntu.com precise-security/multiverse TranslationIndex
Hit http://security.ubuntu.com precise-security/restricted TranslationIndex
Hit http://apt.postgresql.org precise-pgdg/main i386 Packages
Hit http://us.archive.ubuntu.com precise-backports/restricted TranslationIndex
Hit http://security.ubuntu.com precise-security/universe TranslationIndex
Hit http://us.archive.ubuntu.com precise-backports/universe TranslationIndex
Hit http://us.archive.ubuntu.com precise/main Translation-en
Hit http://us.archive.ubuntu.com precise/multiverse Translation-en
Hit http://us.archive.ubuntu.com precise/restricted Translation-en
Hit http://us.archive.ubuntu.com precise/universe Translation-en
Hit http://us.archive.ubuntu.com precise-updates/main Translation-en
Hit http://us.archive.ubuntu.com precise-updates/multiverse Translation-en
Hit http://us.archive.ubuntu.com precise-updates/restricted Translation-en
Hit http://security.ubuntu.com precise-security/main Translation-en
Hit http://us.archive.ubuntu.com precise-updates/universe Translation-en
Hit http://us.archive.ubuntu.com precise-backports/main Translation-en
Hit http://us.archive.ubuntu.com precise-backports/multiverse Translation-en
Hit http://us.archive.ubuntu.com precise-backports/restricted Translation-en
Hit http://us.archive.ubuntu.com precise-backports/universe Translation-en
Hit http://security.ubuntu.com precise-security/multiverse Translation-en
Hit http://security.ubuntu.com precise-security/restricted Translation-en
Ign http://apt.newrelic.com newrelic/non-free Translation-en_US
Hit http://ppa.launchpad.net precise/main Translation-en
Ign http://apt.postgresql.org precise-pgdg/main TranslationIndex
Hit http://security.ubuntu.com precise-security/universe Translation-en
Ign http://apt.newrelic.com newrelic/non-free Translation-en
Ign http://apt.datadoghq.com stable/main Translation-en_US
Ign http://apt.datadoghq.com stable/main Translation-en
Ign http://apt.postgresql.org precise-pgdg/main Translation-en_US
Ign http://apt.postgresql.org precise-pgdg/main Translation-en
Fetched 45.9 kB in 4s (11.3 kB/s)
W: Failed to fetch https://get.docker.com/ubuntu/dists/docker/main/binary-amd64/Packages  Proxy CONNECT aborted

W: Failed to fetch https://get.docker.com/ubuntu/dists/docker/main/binary-i386/Packages  Proxy CONNECT aborted

E: Some index files failed to download. They have been ignored, or old ones used instead.
Contributor

mbentley commented Jun 3, 2015

Hmm, it is acting like it is hitting a proxy. For kicks, could you try to add Acquire::HTTP::Proxy::get.docker.com "DIRECT"; to your /etc/apt/apt.conf file and then doing an apt-get update to see if it still happens?

@mbentley You're a gentleman and a scholar. This was in a vagrant box that had some wonky proxy config set up. Thanks for your insight. For anybody who stumbles upon this problem be sure to check your /etc/apt/apt.conf :)

In case this helps anyone, here is a workaround to configure apt-cacher-ng to work with SSL:
http://blog.packagecloud.io/eng/2015/05/05/using-apt-cacher-ng-with-ssl-tls/

kversl commented Oct 30, 2015

possibly the quickest solution is to add a line into your

           /etc/apt-cacher-ng/acng.conf   

PassThroughPattern: .*

            Allow data pass-through mode for certain hosts when requested by the client
            using a CONNECT request. This is particularly useful to allow access to SSL
            sites (https proxying).

(this hint is also noted in goodwillcoding's reference)

Frug commented Feb 26, 2016

In my situation, with the latest install instructions, adding Acquire::HTTP::Proxy::apt.dockerproject.org "DIRECT"; to my apt.conf.d/proxy01 solved the problem.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment