Using Docker Behind a Proxy

With a default installation, Docker assumes the host it is running on has general access to the internet. This, however, might not be the case in large corporate environments, where most internet traffic is routed through a proxy.

Consequently, if you are using Docker in your office, you might not be able to pull images from the Docker image registry or install/update packages on your running containers.

To deal with the proxy configuration, you need to change the settings related to:

  • The Docker daemon, to be able to pull images from Docker public registries (Docker Store or Docker Hub).
  • The Docker containers, to be able to install or update packages within these containers while they are running.

This post shows you how to configure your Docker host to perform common Docker operations, even if you’re behind a corporate proxy.

The steps below were performed on a CentOS 7 system, but the same should apply irrespective of which distribution you are using.

Configuring Proxy for Docker Daemon


Create a systemd drop-in directory for the docker service.

$ sudo mkdir -p /etc/systemd/system/docker.service.d

Inside this folder, create a file called http-proxy.conf that adds the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables.

$ sudo vi /etc/systemd/system/docker.service.d/http-proxy.conf

Add the following lines:

[Service]
Environment="HTTP_PROXY=http://user:password@proxy.domain.com:8080/"
Environment="HTTPS_PROXY=https://user:password@proxy.domain.com:8080/"
Environment="NO_PROXY=hostname.domain.com,172.10.10.10"

Where:

  • user is the user used to run Docker commands.
  • password is the Docker user's password.
  • proxy.domain.com is the proxy’s IP address or FQDN.
  • 8080 is your proxy’s port number. Change it to reflect your environment.

After this is done, reload the systemd configuration and restart the Docker service.

$ sudo systemctl daemon-reload && \
sudo systemctl restart docker.service

Verify that the configuration has been loaded.

$ systemctl show --property=Environment docker
Environment=HTTP_PROXY=http://proxy.domain.com:8080/
Environment=HTTPS_PROXY=https://proxy.domain.com:8080/
Environment=NO_PROXY= hostname.domain.com,172.10.10.10/

You should now be able to pull images from Docker public registries without any issue.

If, after making these changes, you are still unable to pull images and encounter a proxyconnect error like the one below:
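
The drop-in above keeps the proxy password in clear text, so it is worth checking who can read the file once the proxy works. The following script is an added example, not part of the original post: it flags inline credentials, reports whether group or other can access the file, and masks passwords in what it prints; the function names and the sample file are assumptions constructed for illustration.

```shell
# Hypothetical helper names; not part of Docker or systemd.

# Mask the password of any scheme://user:password@host URL read from stdin.
redact_proxy_creds() {
    sed -E 's#(://[^:/@" ]+):[^@/" ]+@#\1:***@#g'
}

# Succeed if HTTP_PROXY or HTTPS_PROXY in the file carries inline credentials.
has_inline_creds() {
    grep -Eq 'Environment="?HTTPS?_PROXY=[a-z]+://[^:/@" ]+:[^@/" ]+@' "$1"
}

# Succeed if group or other hold any permission bit on the file.
is_group_or_world_accessible() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# Exit status: 0 = no inline credentials, 1 = credentials in a file that
# group/other can access, 2 = credentials in an owner-only file.
# Prints the proxy lines with passwords masked so they are safe to log.
audit_dropin() {
    has_inline_creds "$1" || return 0
    redact_proxy_creds < "$1" | grep '_PROXY='
    if is_group_or_world_accessible "$1"; then return 1; fi
    return 2
}

# Constructed sample that mirrors the drop-in from this post.
demo_dir=$(mktemp -d)
sample="$demo_dir/http-proxy.conf"
cat > "$sample" <<'EOF'
[Service]
Environment="HTTP_PROXY=http://user:password@proxy.domain.com:8080/"
Environment="HTTPS_PROXY=https://user:password@proxy.domain.com:8080/"
Environment="NO_PROXY=hostname.domain.com,172.10.10.10"
EOF

for mode in 644 600; do
    chmod "$mode" "$sample"
    rc=0
    audit_dropin "$sample" || rc=$?
    echo "mode $mode -> audit status $rc"
done
rm -rf "$demo_dir"
```

On the host, run audit_dropin against /etc/systemd/system/docker.service.d/http-proxy.conf. systemd also exposes a unit's Environment= values to unprivileged local clients, so systemctl show prints them regardless of the file mode.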

$ docker pull alpine
Using default tag: latest
Error response from daemon: Get https://registry-1.docker.io/v2/: proxyconnect tcp: dial tcp: lookup https on X.X.X.X:53: no such host

Try temporarily adding Google's DNS server to your resolver file, and you should be good to go:

$ cat /etc/resolv.conf
# Generated by NetworkManager
search contoso.com contoso.local
nameserver 8.8.8.8
...

Configuring Proxy for Docker Containers


Having a configured proxy for the Docker daemon does not necessarily mean that your containers will be able to download packages from the Internet. You still have to configure them to pass through the proxy.

Edit the file ~/.docker/config.json in the home directory of the user who starts containers. If this file does not exist, create it.

$ vi ~/.docker/config.json

Add the following settings and change them to reflect your environment.

{
  "proxies": {
    "default": {
      "httpProxy": "http://proxy.domain.com:8080",
      "httpsProxy": "https://proxy.domain.com:8080",
      "noProxy": "*.test.domain.com,.example2.com"
    }
  }
}

You can optionally:

  • Add httpsProxy or ftpProxy as necessary if you are using an HTTPS or FTP proxy server.
  • Exclude hosts or ranges from going through the proxy server by setting a noProxy key to one or more comma-separated IP addresses or hosts. Note that the wildcard character is also supported, as shown in the example.
