Using Docker behind a proxy


Docker is currently drawing a lot of attention to the (quite old) Linux container concept.
Docker is a lightweight solution for system-level virtualisation which makes the deployment of operating systems and applications more portable (e.g. to different cloud platforms).

One use case is running Docker behind an enterprise proxy system. Sometimes these proxy systems do SSL/TLS inspection, which means that they replace SSL/TLS certificates.
Docker can be configured to use these proxy systems.

Configuration

To configure Docker to work with an HTTP(S) proxy, edit the Docker system configuration file.

vi /etc/sysconfig/docker

Add the HTTP_PROXY / HTTPS_PROXY environment variables. Authentication is also supported but optional.


If your proxy system uses NTLM / NTLMv2 authentication, you have to use an intermediate proxy like cntlm that handles the actual NTLM authentication. After setting up cntlm, simply add the cntlm proxy address to the Docker system configuration file.

export HTTP_PROXY="http://localhost:3128"
export HTTPS_PROXY="http://localhost:3128"
HTTP_PROXY="http://localhost:3128"
HTTPS_PROXY="http://localhost:3128"

Currently it is best to add both variants: once with "export" and once without it.
The "export" is needed when starting docker with the service utility (service docker start). When starting docker with the old init.d scripts (/etc/rc.d/init.d/docker start), export is not needed.
When the proxy settings are ignored, docker prints out:
dial tcp 162.242.195.84:443: connection timed out

If the proxy system does SSL/TLS inspection, the proxy usually signs the particular server certificate with its own proxy root certificates.
This leads to the following docker exception when you try to pull images from the public docker repository:

x509: certificate signed by unknown authority

To solve this, add the proxy root certificate to the trusted certificates of your Docker host (the underlying Linux system that hosts the Docker binaries). However, the setup depends on your Linux distribution.
I will explain it based on CentOS Linux (and Red Hat Enterprise Linux).
First, copy the proxy root certificate to the ca-trust area.

cp /tmp/<proxy-root-certificate>.crt /etc/pki/ca-trust/source/anchors/
 
Then update the trusted certificates.

update-ca-trust extract
  
After that docker needs to be restarted.

service docker restart
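
The proxy root certificate becomes a system-wide trust anchor on the Docker host, so it is worth checking before it is copied into the ca-trust area. The following added example (not part of the original post) wraps the steps above in a check against a SHA-256 fingerprint obtained out of band from the proxy administrators; the function names and the source of the fingerprint are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# The expected fingerprint must come from the proxy administrators out of band.

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Return 0 only if the file is an unexpired certificate with the expected
# fingerprint. 1 = mismatch, 2 = unreadable, 3 = expired.
verify_proxy_ca() {
    cert=$1
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    actual=$(cert_fingerprint "$cert")
    if [ -z "$actual" ]; then
        echo "not a readable PEM certificate: $cert" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch, refusing to trust: $actual" >&2
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate has expired: $cert" >&2
        return 3
    fi
    # Show what is about to become a trust anchor for the whole host.
    openssl x509 -in "$cert" -noout -subject -enddate
}

# Verify first, then run the steps from the post (CentOS / RHEL, as root).
install_proxy_ca() {
    verify_proxy_ca "$1" "$2" || return
    cp "$1" /etc/pki/ca-trust/source/anchors/ &&
        update-ca-trust extract &&
        service docker restart
}

# Usage: install_proxy_ca /tmp/<proxy-root-certificate>.crt <sha256-fingerprint>
```

The fingerprint may be given with or without colons and in either case; a mismatch stops the script before anything is written to the trust store.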


Further reading:

http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767441