Friday, 9 June 2017

Pull Docker images from behind a corporate proxy - TLS Trust

IMPORTANT NOTE: This applies to an old version of Docker (1.7) used on RHEL 6.6 and therefore may not be relevant to newer versions.

If you need to pull images from Docker Hub from behind a corporate proxy you will need to address two issues:
  1. You will need to configure Docker to use (and potentially authenticate with) your corporate HTTP proxy
  2. If you're receiving a message along the lines of "X509 certificate signed by an unrecognised CA" you will need to configure Docker to trust the corporate proxy's TLS certificate.
The first issue is addressed as follows:

  • Open the file /etc/sysconfig/docker and add the following two lines
export HTTP_PROXY=http://username:password@proxy-hostname:proxy-port
export HTTPS_PROXY=http://username:password@proxy-hostname:proxy-port

The second issue is addressed as follows: 
(NOTE: in my experience, using the --insecure-registry option does not work. This is contrary to the documentation and contrary to the advice given in the logs.)

  • Create a directory named /etc/docker/certs.d (I believe /etc/docker is the default and is configurable via the DOCKER_CERTS property, which can be set in /etc/sysconfig/docker. However, I haven't tested this.)
  • Under /etc/docker/certs.d, create a directory for each domain of the Docker registry you need to trust. For example, if you're attempting to pull from index.docker.io, you should create a directory named index.docker.io. To be clear, the resulting path will be /etc/docker/certs.d/index.docker.io. (NOTE: It's likely that multiple domains will need to be added. To determine which, see the section titled Debugging below.)
  • Copy a PEM formatted copy of your corporate proxy's certificate (or its CA signer) into the directories you created in the previous step. The filename used should be ca.crt
  • Restart docker engine.
  • Now re-attempt your docker pull and all should be well. If not, set your log level to debug as specified below and tail the logs to determine which directories need to be created (the logs are verbose enough in debug mode to point you in the right direction).
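The certs.d steps above, scripted as an added example (this is not code from the original post, and it is not part of Docker). The root directory is a parameter so the script can be exercised in a scratch directory; on the RHEL host it would be /etc/docker. The host names passed in are the one from the post (index.docker.io) plus a placeholder, and the certificate written by the demo is a constructed placeholder, not a real CA.

```shell
#!/bin/sh
# Added example, not from the original post. Automates the
# /etc/docker/certs.d/<registry-host>/ca.crt layout described above.
# ROOT is a parameter (e.g. /etc/docker on the real host, a temp dir here).

# Sanity check that a file is a PEM certificate before it is trusted:
# Docker expects ca.crt in PEM form, so a DER export would not be picked up.
is_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q '^-----END CERTIFICATE-----' "$1"
}

# install_registry_ca ROOT CAFILE HOST [HOST...]
# Creates ROOT/certs.d/HOST/ca.crt for every registry host named.
# Returns 1 without creating anything if CAFILE is not PEM.
install_registry_ca() {
    root=$1; cafile=$2; shift 2
    is_pem_cert "$cafile" || { echo "not a PEM certificate: $cafile" >&2; return 1; }
    for host in "$@"; do
        dir="$root/certs.d/$host"
        mkdir -p "$dir" || return 1
        # 0644: readable by the daemon, not writable by anyone but root
        install -m 0644 "$cafile" "$dir/ca.crt" || return 1
    done
    return 0
}

# verify_registry_ca ROOT HOST
# Succeeds only if the trust file for HOST is in place and is PEM.
verify_registry_ca() {
    f="$1/certs.d/$2/ca.crt"
    [ -f "$f" ] && is_pem_cert "$f"
}

# Dry run in a scratch directory. The certificate body is a constructed
# placeholder; on a real host you would use the PEM exported from the proxy.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
                  'PLACEHOLDERBASE64BODY==' \
                  '-----END CERTIFICATE-----' > "$tmp/proxy-ca.pem"
    # registry.example.internal is a placeholder for any further
    # registry host the debug logs turn out to require.
    install_registry_ca "$tmp" "$tmp/proxy-ca.pem" \
        index.docker.io registry.example.internal
    verify_registry_ca "$tmp" index.docker.io &&
        echo "trust file installed under $tmp/certs.d/index.docker.io"
    rm -rf "$tmp"
}

demo
```

Run it as root against the real path by calling install_registry_ca /etc/docker /path/to/proxy-ca.pem index.docker.io ... and then restart the engine as in the steps above. One caveat on the first issue: the proxy lines in /etc/sysconfig/docker carry the proxy password in clear text, so that file should be readable by root only.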

Debugging
To determine which domains are acting as Docker registries and subsequently which directories need to be created under /etc/docker/certs.d, set the log level for docker engine to debug as follows:
  • Open /etc/sysconfig/docker for editing
  • Add --log-level=debug to other_args
  • Restart docker engine
