pac4cli cannot be used for building docker images

[badp]

AFAICT docker containers exist on the other end of a docker tunnel called "docker0"; on my laptop, I've got the laptop itself on 172.17.0.1 and the "machine" (?) running the container on 172.17.0.2.

Those machines are typically configured to use Google DNS, so attempting to use a domain name as HTTP_PROXY only works if their DNS name is known to Google.

~> ip address show dev docker0
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:ef:ab:8d:54 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:efff:feab:8d54/64 scope link 
       valid_lft forever preferred_lft forever
~> docker run -it alpine ip address show dev eth0
99: eth0@if100: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
~> docker run -it alpine cat /etc/resolv.conf | tail -n2
nameserver 8.8.8.8
nameserver 8.8.4.4

As a result:

• Attempting to set HTTP_PROXY to 127.0.0.1 doesn't work, since 127.0.0.1 doesn't point to your machine, but to the container itself.
• Setting HTTP_PROXY to 172.17.0.1 doesn't work since pac4cli binds to the laptop's 127.0.0.1; when confronted with a request from 172.17.0.2, it'll refuse the connection.
• Setting HTTP_PROXY to the name of the internal corporate proxy I have to use doesn't work, which mean I need to hardcode IP addresses in ~/.docker/config.json, making pac4cli even more desirable to use than it normally is.

I don't know if you have a happy middle ground between just binding to localhost and binding to literally anything and hoping the firewall does the right thing, but I wanted at least to document my struggles for the benefit of the next unfortunate soul.

[tkluck]

Thanks for the detailed report @badp !

I don't know if you have a happy middle ground between just binding to localhost and binding to literally anything

One potential (stopgap) solution is to add a list of IP addresses to listen on to the configuration file. That would help provided that your host's ip address on docker0 is stable.

Slightly more advanced would be to query docker for its network configuration, and listen on the appropriate interface.

Even more advanced would be if docker were to support some sort of "sidecar" concept, where it starts a process (pac4cli -p 172.17.0.1:3128) whenever any container is running.

What do you think?

[tkluck]

@badp could you test whether #34 (add-interface-option) works for you? Instructions:

git clone https://github.com/tkluck/pac4cli
cd pac4cli
git checkout add-interface-option
make env
env/bin/python main.py -s 172.17.0.1 -p 3128 &

and then see if your docker container can use it.

[tkluck]

Hey @badp , just out of interest: did you also look into the --network host option to docker run? I just checked that that also allows the container to connect to the pac4cli instance on the host.