Develop Reference

Set proxy on docker

Im using centos 7.7 and docker 19.03.
I cannot pull images and getting :
Error response from daemon: Get https://registry-1.docker.io.v2./: dial tcp lookup : server misbehaving
I did what all guides on google suggested:
cat /etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
Enviroment="HTTP_PROXY=http://myproxy"
systemctl deamon reload
systemctl restart docker
and nothing happends.
if i do echo $http_proxy i see my settings.
more settings:
/etc/enviroment
http_proxy=http://myproxy
https_proxy=https://myproxy
The proxy setting used to work and is working on another server.
On this server i had deleted docker old versions :
docker-1.13.1
docker-common-1.13.1
docker-client-1.13.1
With the older docker it seems to work but with docker-ce it doesnt.
I even rebooted and reinstalled again.

Solved it!
I guess because i am using Centos then doing
systemctl restart docker didnt really work.
Created the directory :
mkdir -p /etc/systemd/system/docker.service.d
Create the file :
nano /etc/systemd/system/docker.service.d/http-proxy.conf
Add the following line:
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:80/"
Restart daemon:
systemctl daemon-reload
And this restart method worked:
service docker restart
and then it accepted all the env vars

Set both variables, and they can both be set to your http server. The variable is for the type of traffic being proxied, not the protocol to the proxy server:
[Service]
Enviroment="HTTP_PROXY=http://myproxy"
Enviroment="HTTPS_PROXY=http://myproxy"

The latest documentation detailing the configuration of Docker to use Proxy server worked for me to build my latest docker image.
For latest docker clients (>= v17.07) create or edit the file ~/.docker/config.json
For older docker clients (<= v17.06) use the --env flag to set the proxy accordingly

Docker daemon (not containers) can't read environment variables

Trying to configure a container running outside of GCP to log to Google Cloud Platform (StackDriver). One requirement is that the Docker daemon is able to locate the environment variable GOOGLE_APPLICATION_CREDENTIALS so it can authenticate. One would assume that the following would work, but it doesn't:
GOOGLE_APPLICATION_CREDENTIALS=/usr/local/keys/project-1.json docker run --log-driver=gcplogs ...
That outputs:
ERROR: for api Cannot start service api:
failed to initialize logging driver: google: could not find default credentials.
See https://developers.google.com/accounts/docs/application-default-credentials
for more information.
Haven't found any documentation on how to set that directly on daemon.json, but I don't want that either because I might have different containers logging to different GCP projects.
I've tried this on Mac (docker desktop) and Debian.

This is question that keeps coming back. What is happening here is that environment variable GOOGLE_APPLICATION_CREDENTIALS is loaded by the system docker daemon. System daemons don't see the environment variables set in the user login. What you need to do is set the GOOGLE_APPLICATION_CREDENTIALS at the system level.
Here is how to do that in Ubuntu(Systemd):
$ sudo mkdir -p /etc/systemd/system/docker.service.d
Create /etc/systemd/system/docker.service.d/env.conf with the following content:
[Service]
Environment="GOOGLE_APPLICATION_CREDENTIALS=/path/to/file.json"
Apply the changes.
$ sudo systemctl daemon-reload
Once done restart docker/containerd daemons
$ sudo systemctl restart containerd
$ sudo systemctl restart docker
Test the gcplogs driver
docker run --log-driver=gcplogs --log-opt gcp-project="my-project" hello-world

Docker behing transparent proxy and intermediate cert

OS: Centos 7.6.1810
Docker Version: Server Version: 18.09.5
Issue:
My company uses a transparent proxy with an intermediate cert to navigate. I was able to install the cert following doc: https://docs.docker.com/ee/dtr/user/access-dtr/ and these steps:
# Download the DTR CA certificate
sudo curl -k https://<dtr-domain-name>/ca -o /etc/pki/ca-trust/source/anchors/<dtr-domain-name>.crt
# Refresh the list of certificates to trust
sudo update-ca-trust
# Restart the Docker daemon
sudo /bin/systemctl restart docker.service
Curl and Wget are working well, but docker run is not:
bash $ docker run -it cheers
Unable to find image 'cheers:latest' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: remote error: tls: handshake failure.
See 'docker run --help'.
I've tried adding the registry as insecure in daemon.json but it was unsuccessfully.
Has anyone run into the same problem?

I think i figured out what’s going on:
Docker client offers only TLS_ECDHE_* ciphers but .docker.io (behind my corporate proxy) offers only TLS_RSA ciphers.
Without proxy, docker.io offers both types of ciphers.
Now, next challenge: make docker offer TLS_RSA or make my proxy support TLS_ECDHE.
I have no idea how to do either :frowning:

How to set TLS Certificates for a machine in docker-machine

What I want to do:
I have dockerd running on one machine with TLS verify set to true. I would like to add this host as a machine in docker-machine
What I have done:
I used the following command to start dockerd:
$ sudo dockerd -D --tls=true --tlscert=cert.pem --tlskey=key.pem -H tcp://172.19.48.247:2376
On a second machine I sourced the following variables:
export DOCKER_HOST=tcp://172.19.48.247:2376
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=/path/to/ssl
and ran docker command succesfully:
$ docker run busybox echo hello
hello
Then I added this host docker-machine:
docker-machine create --driver none --url=tcp://172.19.48.247:2376 dockerhost
Where I am going wrong:
I am getting a x509: certificate signed by unknown authority error now.
$ docker-machine ls
NAME ACTIVE DRIVER STATE URL SWARM DOCKER ERRORS Unknown
dockerhost - none Running tcp://172.19.48.247:2376 Unknown Unable to query docker version: Get https://172.19.48.247:2376/v1.15/version: x509: certificate signed by unknown authority
I tried using the docker-machine config but that doesnt work:
$ docker-machine config dockerhost --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://172.19.48.247:2376
Incorrect Usage.
Usage: docker-machine config [OPTIONS] [arg...]
Print the connection config for machine
Description:
Argument is a machine name.
Options:
--swarm Display the Swarm config instead of the Docker daemon
flag provided but not defined: -tlsverify

By default, the none driver will be configured to use the TLS certs found at ~/.docker/machine. This isn't necessarily what is needed, because you'll run into the error you've run into if your remote Docker host has a certificate signed by something other than the ca.pem that you've got at that location.
I've found a reference to a workaround here that I tested and it definitely seems to work. Here are the steps I followed:
docker-machine create -d none --url tcp://remotedocker.example.com:2376 remotedocker
This creates the following directory:
~/.docker/machine/machines/remotedocker
Inside that directory is a file called config.json. Edit that file, and change every instance of ".docker/machine/certs" to ".docker/machine/machines/remotedocker"
Normally, when you access Docker remotely, it only needs to have access to the ca.pem, cert.pem and key.pem files. As far as I can tell, the other files referenced in config.json will likely not get used by the none driver because regenerate-certs is not implemented by none.
You will need to copy in the ca.pem and key.pem files
At this point, you should be able to run docker-machine config remotedocker, or eval "$(docker-machine env remotedocker)" and use your remote daemon successfully.

How to download a image from default docker registry?

I'm trying to download a container image from default registry with the command:
docker run -d --name=nginx -p 80:80 nginx:alpine
The output is:
Unable to find image 'nginx:alpine' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority.
See 'docker run --help'.
I already configured the proxy with cntlm. I'm behind a corporate firewall with Deep Inspection Package (DIP, man in the middle)
Could I define the default registry (https://registry-1.docker.io/v2/) like a insecure registry? How? There are another solution?
I already try the options:
--insecure-registry=registry-1.docker.io:5000
--insecure-registry=registry-1.docker.io
--insecure-registry='*'
--insecure-registry=https://registry-1.docker.io/v2/

Problem resolved.
My SO is mint (based in ubuntu xenial) and docker version 17.06.0-ce
To resolve I needed do put the root certificate from my company's firewall to my linux ca-certificates (reference 1 - https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate). Obs.: Proxy already configured using cntlm (reference 2 - http://cntlm.sourceforge.net/) (reference 3 - https://docs.docker.com/engine/admin/systemd/)
First I exported the certicate installed in my browser, google chrome. From chrome a choose configuration->advanced->privacy and security->manage certificates->trusted root certificate authorities, so I selected the authority, in my case something like mycompany.com. After, I choose export->advance, select X.509 base64 format (*.cer). The correct format is very important. I saved the file ~/certificate.crt.
Create a extra directory:
sudo mkdir /usr/share/ca-certificates/extra
copy the certificate to extra dir:
sudo cp ~/certificate.crt /usr/share/ca-certificates/extra
update ca-certificates config:
sudo dpkg-reconfigure ca-certificates
restart docker:
sudo systemctl daemon-reload
sudo systemctl restart docker
Now docker can download images from default registry.