silarsis / docker-proxy Goto Github PK

i installed this on my work machine when i was tinkering with docker dns stuff, but now it binds to all the ports i need when i start docker and and i'm not sure how to get rid of it.

an attempt to find the executable using ll /proc/$(ps aux | grep docker-proxy | head -n 1 | cut -d ' ' -f 7)/exe just shows the docker executable

this is killing me, any ideas?

I understand that this project does not primarily targets docker deployments that are behind boo2docker. However, it would be incredibly useful if it could :-)

I tried to run it, but I have an issue with iptables:

root@boot2docker:/mnt/sda1/var/lib/boot2docker/docker-proxy# ./run.sh 
Uploading context 504.3 kB
Uploading context 
Step 0 : FROM silarsis/base
 ---> d78443c9993f
Step 1 : MAINTAINER Kevin Littlejohn <[email protected]>
 ---> Using cache
 ---> b2313d309b50
Step 2 : RUN apt-get -yq update
 ---> Running in 3b6f2a71bf69
 ---> c8e44f2f6744
Removing intermediate container 3b6f2a71bf69
Step 3 : RUN apt-get -yq install squid iptables
 ---> Running in e21f974d3c0b
 ---> dc3f0c8b2812
Removing intermediate container e21f974d3c0b
Step 4 : ADD squid.conf /etc/squid3/squid.conf
 ---> e16b84e92822
Removing intermediate container e65d993e3c64
Step 5 : ADD start_squid.sh /usr/local/bin/start_squid.sh
 ---> d89b7455ff31
Removing intermediate container 1f67371c6516
Step 6 : EXPOSE 3128
 ---> Running in d07a4bb1d1fe
 ---> c4f54c81632d
Removing intermediate container d07a4bb1d1fe
Step 7 : CMD ["/usr/local/bin/start_squid.sh"]
 ---> Running in 0895e1196938
 ---> e8aef7262148
Removing intermediate container 0895e1196938
Successfully built e8aef7262148
Error: argument "TRANSPROXY" is wrong: invalid table ID

The problem is with the following command:

sudo ip route add default via ${IPADDR} dev docker0 table TRANSPROXY

I updated the path for the rt_tables to point to /usr/local/etc/rt_tables which seems to be the default one on the tiny core linux.

Any suggestions?

trap not execute on debian with /bin/sh link to /bin/dash

workarround create link /bin/sh to /bin/bash

Greetings

When I run the command 'sudo docker build -t docker-proxy .' , it fails because it cant reach index.docker.io through our corporate proxy.

This is the problem I am trying to solve using docker-proxy! (Accessing internet using docker containers.).

I may be missing something simple.
How do I get past this?

Thanks
pj

Would you mind adding the link to docker hub on this project description? It would make it easier for us to go back and forth between github and hub.

and kudos for making this docker image public 👍

To be more concise I would use IMAGE_NAME in stead of CONTAINER_NAME in the beginning of this script.

Hi there,

I'm trying to test your module in a Ubuntu 16.04 virtual machine.
When I run "sudo docker build -t docker-proxy, it hangs for a while and then I get this :

Err http://archive.ubuntu.com trusty InRelease  
Err http://archive.ubuntu.com trusty-updates InRelease  
Err http://archive.ubuntu.com trusty-security InRelease  
Err http://archive.ubuntu.com trusty Release.gpg
  Could not resolve 'archive.ubuntu.com'
Err http://archive.ubuntu.com trusty-updates Release.gpg
  Could not resolve 'archive.ubuntu.com'
Err http://archive.ubuntu.com trusty-security Release.gpg
  Could not resolve 'archive.ubuntu.com'
Reading package lists...

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty/InRelease  
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-updates/InRelease  
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-security/InRelease  
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty/Release.gpg  Could not resolve 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-updates/Release.gpg  Could not resolve 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-security/Release.gpg  Could not resolve 'archive.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists...
Building dependency tree...
Reading state information...
Package dpkg-dev is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Unable to locate package build-essential
E: Unable to locate package curl
E: Package 'dpkg-dev' has no installation candidate
E: Unable to locate package iptables
E: Unable to locate package libssl-dev
E: Unable to locate package patch
E: Unable to locate package squid-langpack
E: Unable to locate package ssl-cert
The command '/bin/sh -c export DEBIAN_FRONTEND=noninteractive TERM=linux     && apt-get update     && apt-get install -y --no-install-recommends         build-essential         curl         dpkg-dev         iptables         libssl-dev         patch         squid-langpack         ssl-cert     && apt-get source -y squid3 squid-langpack     && apt-get build-dep -y squid3 squid-langpack' returned a non-zero code: 100

I have configured proper proxy settings in /etc/systemd/system/docker.service.d and I am able to download other images, as well as access the web from my VM. Do you thing this could be a connection issue on my VM or something else is wrong ?

https://docs.docker.com/docker-for-mac/

Will support be added?

Thanks!

The title of this issue might be a bit misleading, but I don't know exactly where the problem is. It has been working well before, but today I accidentally upgraded docker to 1.0 and run into the following issues (I guess it is not because of docker 1.0 but because I had to upgrade also the boot2docker and your proxy image):

1. ifconfig not found - apparently the image does not contain ifconfig any more. In order to grab the IPADDR in start_squid.sh I used following:

   IPADDR=$(/sbin/ip -o -f inet addr show eth0 | awk '{ sub(/\/.+/,"",$4); print $4 }')
   

2. When I run it, all starts up fine, but then no HTTP communication on port 80 works and in the squid long I get

1402420835.817  31168 172.17.0.21 TCP_MISS_ABORTED/000 0 GET http://mirrorlist.centos.org/? - HIER_DIRECT/204.15.73.243 -
1402421193.719  31152 172.17.0.21 TCP_MISS_ABORTED/000 0 GET http://mirrorlist.centos.org/? - HIER_DIRECT/72.232.223.58 -

All request are timed-out.

As a reference to others (and possibly myself), i explain how it worked for me.

i run this docker (docker-proxy) like this:

sudo docker build -t docker-proxy .
./run.sh ssl

Then i copy test/detect-proxy.sh to the root directory of my own docker containers sources.

My own docker containers Dockerfile looks like this:

# Base image
FROM python:2-slim

MAINTAINER me <[email protected]>

WORKDIR /src

# We need info about available system packages
RUN apt-get update

# These are required by detect-proxy.sh
RUN apt-get install -y --no-install-recommends ca-certificates net-tools netcat

ADD ./detect-proxy.sh /src/detect-proxy.sh
RUN /src/detect-proxy.sh

# These are required by one of our python dependencies
RUN apt-get install -y gcc libreadline-dev

# Install python requirements
# ... option 1 (final solution):
ADD ./requirements.txt /src/requirements.txt
RUN pip --cert /etc/ssl/certs/ca-certificates.crt install -r requirements.txt
# option 2 (may make sense during development):
RUN pip --cert /etc/ssl/certs/ca-certificates.crt install numpy
RUN pip --cert /etc/ssl/certs/ca-certificates.crt install enum34

# Execute the python script
CMD ["python", "/src/my_script.py"]

This way, all downloads (at least by apt-get and pip) done while building and running the docker,
go through the proxy.
One thing that might be clear anyway, but worth to note: The proxy cache is lost whenever we shut the docker-proxy container down (with Ctrl+C).

Is there a way to prevent that? In other words, can we keep/carry over proxy cache between different runs of ./run.sh?

I would like to use docker behind a corporate, authenticating firewall.

It is not clear to me how to achieve that.
I've tried to use cache_peer proxy.acme.corp parent 8080 0 no-query default login=user:pass, but that fails with temporary disabling (Bad Gateway) digest from proxy.acme.corp.

Also, it logs ERROR: No forward-proxy ports configured.

Hi,
I'm getting this error when attempting to start the docker-proxy (on a work network behind a proxy). Any ideas?

[...]/docker-proxy (master)$ sudo ./run.sh 

Sending build context to Docker daemon 429.1 kB
Step 0 : FROM silarsis/base
 ---> b1e0761ebf68
Step 1 : MAINTAINER Kevin Littlejohn <[email protected]>
 ---> Using cache
 ---> bd1c2e9d8109
Step 2 : RUN apt-get -yq update
 ---> Using cache
 ---> f893ebae8e59
Step 3 : RUN apt-get -yq install squid iptables
 ---> Running in 9f6dc112263e
The command '/bin/sh -c apt-get -yq install squid iptables' returned a non-zero code: 100

The docker build step currently fails with an error:

E: Unable to find a source package for squid3

This is apparently because the Docker image for Ubuntu 14.04 was at some point changed to comment out the deb-src lines in sources.list, as most Dockerfiles did not need source packages and it was slowing down apt-get update.

The problem can be fixed by adding this line before the apt-get one:

RUN sed -i 's/^# deb-src/deb-src/' /etc/apt/sources.list

This uncomments the deb-src lines and allows the squid3 source package to be located.

Provide an example of how to use docker-proxy

There is still some clean up missing I guess:

1. start the run.sh - everything works fine
2. hit ctrl-c - still everything works fine
3. start the run.sh again - the proxy stops working and there is no HTTP trafic possible - getting TCP_MISS_ABORTED in the squid.conf log file (similarly to the #3)
   4 hit ctrl-c - everything is back to normal

I can repeat steps 3 and 4 and it is still the same. If I restart boot2docker everything works fine again.

Thanks!

I know you said it needs to run in the foreground, but here's an idea I wondered if you could implement:

Require the container to run in host mode so that the container can edit the host's iptables. Then to allow for "on-off" proxying, create a simple apache web server in the container with a simple on-off switch. When set to off, it removes the iptable rules. When set to on, it adds the rules. This would allow us to just run the container and leave it permanently for our projects.

Hi,

I'm relatively new to Squid. I was hoping for some expansion on the HTTPS instructions relating to NPM. I am looking to intercept/cache ONLY npm SSL connections.

I modified squid.conf, rebuilt, and started my squid server with run.sh ssl.
My other docker images run detect_proxy.sh and npm config set cafile /usr/local/share/ca-certificates/docker-proxy.crt

I've tried a number of variations for my acl:

#acl npmjs url_regex npmjs
#acl npmjs dstdomain .npmjs.org
acl npmjs dst 151.101.56.162 # ip displayed when pinging registry.npmjs.org
...
ssl_bump server-first npmjs
ssl_bump none all
...

Any ideas on where I am going wrong?

Thanks,
~ Jesse

Ubuntu /bin/sh links to dash which doesn't support the pseudo-signal ERR,

 trap: SIGINT: bad trap

You could use #!/bin/bash instead.