Running Docker behind proxy - docker

I have installed Docker on a Windows 7 machine. If I connect to the Internet outside my company network everything works fine, but when I connect to the Internet from my company network and try to pull an image from Docker Hub, I just get: "docker: Network timed out while trying to connect to .... You may want to check your internet connection or if you are behind a proxy..".
I have edited the /var/lib/boot2docker/profile file by adding the following two lines:
export "HTTP_PROXY=http://me:mypassword@proxyhost:proxyport"
export "HTTPS_PROXY=http://me:mypassword@proxyhost:proxyport"
I rebooted the Docker machine, tried to pull an image and got the following error:
Error while pulling image: Get https://index.docker.io/v1/repositories/library/ubuntu/images: x509: certificate signed by unknown authority
edit: CA certification details

The problem is your corporate proxy is using its own SSL certificate, which Docker doesn't trust. What you're going to have to do is download a copy of the CA certificate and trust it on any machines you want to use behind the firewall. Check this answer for how to trust a certificate:
Docker behind proxy that changes ssl certificate

Related

Docker remote access

I followed the Docker documentation in order to access a remote Docker daemon (installed on server B) from server A.
So, all certificates were generated on server B and copied to the Docker client machine, server A.
I had already tested the remote access by running the following command :
docker --tlsverify -H=$MY_HOST:$MY_PORT \
  --tlscacert=$MY_PATH/ca.pem \
  --tlscert=$MY_PATH/client-cert.pem \
  --tlskey=$MY_PATH/client-key.pem
Everything was looking good so far, and I had successfully accessed the remote Docker daemon.
However, when I tried to access it by exporting Docker environment variables:
export DOCKER_HOST=tcp://MY_HOST:$MY_PORT DOCKER_TLS_VERIFY=1 DOCKER_CERT_PATH=~/certs
things don't turn out as expected (tls: bad certificate) :
The server probably has client authentication (--tlsverify) enabled. Please check your TLS client certification settings: Get https://MY_HOST:MY_PORT/v1.40/containers/json?all=1: remote error: tls: bad certificate
Does anyone know how to fix this?
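
An added check, not part of the original post: when the TLS material comes from DOCKER_CERT_PATH instead of the --tlscacert/--tlscert/--tlskey flags, the docker client looks for the fixed file names ca.pem, cert.pem and key.pem, so files named client-cert.pem and client-key.pem are not picked up. The Go program below (CheckCertDir is a name chosen for this example) reports which expected files are missing and whether key.pem is readable by group or others.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// File names the docker CLI reads from DOCKER_CERT_PATH (default: ~/.docker).
var expected = []string{"ca.pem", "cert.pem", "key.pem"}

// CheckCertDir returns the expected files that are missing from dir and
// whether key.pem grants any permission to group or others.
func CheckCertDir(dir string) (missing []string, keyTooOpen bool) {
	for _, name := range expected {
		info, err := os.Stat(filepath.Join(dir, name))
		if err != nil {
			missing = append(missing, name)
			continue
		}
		if name == "key.pem" && info.Mode().Perm()&0o077 != 0 {
			keyTooOpen = true
		}
	}
	return missing, keyTooOpen
}

func main() {
	dir := os.Getenv("DOCKER_CERT_PATH")
	if dir == "" {
		home, _ := os.UserHomeDir()
		dir = filepath.Join(home, ".docker")
	}
	missing, open := CheckCertDir(dir)
	for _, m := range missing {
		fmt.Printf("%s: %s not found, so the client cannot use it\n", dir, m)
	}
	if open {
		fmt.Printf("%s: key.pem is readable by group/others; use mode 0600\n", dir)
	}
	if len(missing) == 0 && !open {
		fmt.Println("certificate directory layout OK")
	}
}
```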

ubuntu: docker run hello-world returns an error "x509: certificate signed by unknown authority"

After following the installation instructions to install docker provided in the official page I ran into the following error when I tried to run
docker: error pulling image configuration: Get https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/fc/fce289e99eb9bca977dae136fbe2a82b6b7d4c372474c9235adc1741675f587e/data?verify=1549989486-DEdrDDaoZskZzHXF84y4VY%2FxRpw%3D: x509: certificate signed by unknown authority
I am not finding information about solving this issue. Please note I am behind corporate proxy.
I have set the proxy in the file
/etc/systemd/system/docker.service.d/http-proxy.conf
with the following content
[Service]
Environment="HTTP_PROXY=http://proxyurl:8080/" "HTTPS_PROXY=http://proxyurl:8080/"
First, are you sure your HTTPS_PROXY=http://proxyurl:8080/ is right? Check that the port is configured properly; it is more likely to be 443.
Second, your proxy can work in man-in-the-middle mode, which means it establishes two separate connections, one with you and one with the targeted server, deciphering and enciphering all traffic. In this case it signs the data it sends to you with its own SSL certificate, and you have to obtain this one and add it to your trusted ones in the system.
It seems that the image you are trying to pull is stored within a private registry. Have you logged in to that registry?
Meanwhile, try to pull a hello-world image to check that proxy is not blocking outgoing connections from your Docker host.

Docker for Windows not using client certificates

I'm having an issue with connecting to a private Docker registry.
Setup:
Windows10 (using HyperV)
Docker for Windows version: 18.03.0-ce
Steps I did:
Placed client certificates in C:/ProgramData/Docker/certs.d/<private_registry_url>/
Placed client certificates in C:/Users//.docker/certs.d/<private_registry_url>/
Root certificate imported in Windows "Trusted Root Certification Authorities" (otherwise I'm getting "X509: certificate signed by unknown authority")
Result: Executing docker login <private_registry_url> and inserting correct credentials gives me:
Error response from daemon: Get https://<private_registry_url>/v2/: remote error: tls: bad certificate
which means that Docker is not sending correct client certificates. (When I execute curl --cert <file.cert> --key <file.key> https://<private_registry_url>/v2/ with client certificates, I'm able to connect.)
When I connect to the running HyperV machine, the /etc/docker/certs.d/ folder is missing. If I manually create /etc/docker/certs.d/<private_registry_url> and put my client certificates inside, everything starts to work! But after restarting Docker for Windows, the certs.d folder in the HyperV machine is missing again and I'm not able to connect to the private registry.
Any ideas what I am doing wrong?

Configure docker repo with https without domain name

I have a website that I'm running on a DigitalOcean droplet, which I want to continuously deploy via Docker and a TeamCity build server which I have running on my home server. I want to enable https on my docker repo, with a self-signed certificate, and without a domain name.
Let's say my home's ip address is 10.10.10.10 and the docker repo is running on port 5000.
I followed the steps here, however docker on my website complained that it cannot connect to the docker repo on my homeserver because it doesn't specify an IP in the SAN extension.
Okay. So I created a new certificate without the CN field and only an IP in the SAN, and now my cert config on my website looks like...
/etc/docker/certs.d/10.10.10.10:5000/ca.crt
I also added the cert to my general certs (Ubuntu 16.04 btw)
Then I try to pull the image from my home server to my website...
docker pull 10.10.10.10:5000/personal_site:latest
However, I'm getting this error.
Error response from daemon: Get https://10.10.10.10:5000/v1/_ping: x509:
certificate signed by unknown authority (possibly because of "x509:
invalid signature: parent certificate cannot sign this kind of
certificate" while trying to verify candidate authority certificate "serial:xxx")
I thought by adding my cert to the /etc/docker/... it would accept a self-signed cert. Anyone have any advice here?
You can't use a self-signed certificate for this, it needs to be a CA certificate. Follow the same steps required to create a certificate for a docker host and store your CA in /etc/docker/certs.d/.... Or you can also define 10.10.10.10 as an insecure registry as part of the docker daemon startup (dockerd --insecure-registry 10.10.10.10:5000 ...) and docker should ignore any certificate issues.
I just did the same thing with these instructions: create private repo with password without domain and ssl. That will require you to add the certificate on the client and the domain in the hosts file (if you would like to have a domain yourself without registering a new domain).
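
Docker is written in Go, and both error strings quoted in these threads ("certificate signed by unknown authority" and "parent certificate cannot sign this kind of certificate") come from Go's crypto/x509 verifier. The following added example, which is not code from any of the posts, reproduces them offline with certificates constructed at run time: a leaf carrying the IP SAN 10.10.10.10 is verified with nothing trusted, with its issuing CA trusted, and with an issuer that lacks CA:TRUE trusted. The names issue and verify are chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue builds a constructed test certificate; self-signed when parent is nil.
func issue(cn string, isCA bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored for brevity
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, // CA:TRUE or CA:FALSE
		IPAddresses: []net.IP{net.ParseIP("10.10.10.10")}, // IP in the SAN
	}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify validates leaf for 10.10.10.10, trusting only the given roots.
func verify(leaf *x509.Certificate, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "10.10.10.10"})
	return err
}

func main() {
	ca, caKey := issue("constructed CA", true, nil, nil)
	leaf, _ := issue("registry", false, ca, caKey)
	plain, plainKey := issue("constructed non-CA", false, nil, nil)
	leaf2, _ := issue("registry", false, plain, plainKey)
	fmt.Printf("nothing trusted: %v\nCA trusted: %v\nnon-CA trusted: %v\n",
		verify(leaf), verify(leaf, ca), verify(leaf2, plain))
}
```

Only the second case verifies; trusting the issuing CA, whether it belongs to a registry or to an intercepting proxy, is what clears the error, and the trusted certificate must itself be marked as a CA.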

Uploading and storing Docker certificates for connecting to remote Docker machines

From reading the Docker Remote API documentation:
Docker Daemon over SSL
Ruby Docker-API
It appears that the correct way to connect to remote Docker machines is by letting the application know the location of the certificates to connect to a machine and connect using SSL/TLS with the certificates.
Is there a way to not have a user hand over the certificate, key, and CA? This would give whoever has those certificates root access to a docker machine.
