Using Chef Kitchen / Docker Build Behind a Corporate Proxy or Firewall


What to configure if Docker build or the Kitchen-Docker driver is behind a Corporate Proxy.

While working with Docker builds, and more specifically Kitchen (using the Docker driver, not the default Vagrant), behind a corporate proxy, I wasn't able to complete a successful Docker/Kitchen image build.

The problem was clearly related to the Docker (or Kitchen) build process not being able to reach the outside world, i.e. the network repositories for Ubuntu, Docker, etc.

The article below addresses the options that worked for me: how to configure your proxy/firewall settings so that you can build your own images using Docker with a Dockerfile, or Chef's Kitchen Docker driver with a kitchen.yml configuration file.

Note: All the configurations below were tested using the latest Ubuntu 17.04 and Docker version 17.03.1-ce.

Ubuntu 17.04 Firewall, Iptables, ufw

Before we start with any Docker (or Kitchen) configuration, let's adjust or disable the Ubuntu firewall.

First, let's verify the currently active firewall; this can be done by running the below.

If using ufw, you might want to disable it by running the below.

And if using iptables, run the below.

Setting the basic http proxy

First, let's set the simplest proxy settings (used in many instances): the shell environment variables http_proxy, https_proxy and no_proxy.
Note: Make sure to set no_proxy as well, as leaving it unset can cause issues in some instances.

Note: A good option might be to add the above in a place where it gets sourced when you log in, like your .profile, .bashrc or even /etc/profile.

Another place to set your proxy, and good practice, is /etc/apt/apt.conf, which is mainly used by apt, like the below.

Working with the Docker Daemon

Now that we have enabled the system-related outgoing/incoming proxy configuration, let's move on and configure the Docker daemon.

Check and make sure the DOCKER_OPTS are set properly

First, let's set the Docker dns and ip-masq options; you can use something like the below (which uses the Google DNS servers).
Modify the settings in the /etc/default/docker configuration file.

While there, make sure to also configure your http and https proxy, like the below.

Note: This is one of the places where you can set the proxy used by Docker.
You will also need to reload and restart the docker service, by doing this.

Add your proxy to the Docker service

Adding your proxy to the systemd Docker service startup is a good idea. This might not work/help in some instances (I believe there are a number of bugs related to this), but it is worth doing in any case.

Adding the below to /etc/systemd/system/docker.service.d/http-proxy.conf will add this to the systemd configuration files.
Note: Since some programs use HTTP_PROXY in all caps, you might want to add that too.

You might also need to reload and restart for this to take effect.
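As an added example (not from the original article), the shell function below writes the drop-in described above with both upper- and lower-case variable names. The proxy host and port are constructed placeholders; any local user can read the values back with `systemctl show --property=Environment docker`, so a proxy URL with embedded credentials does not belong in this file.

```shell
#!/bin/sh
# Added example: render the systemd drop-in that hands the proxy to dockerd.
# proxy.example.com:3128 is a constructed placeholder, not a value from the article.

# write_docker_proxy_dropin DIR PROXY_URL NO_PROXY_LIST
# Writes DIR/http-proxy.conf. Returns 1 on an empty value or one containing a
# space or double quote, which would break the Environment= lines.
write_docker_proxy_dropin() {
    dir=$1; proxy=$2; noproxy=$3
    for v in "$proxy" "$noproxy"; do
        case $v in
            ''|*" "*|*\"*) echo "invalid value: '$v'" >&2; return 1 ;;
        esac
    done
    mkdir -p "$dir" || return 1
    cat > "$dir/http-proxy.conf" <<EOF
[Service]
Environment="HTTP_PROXY=$proxy" "HTTPS_PROXY=$proxy"
Environment="http_proxy=$proxy" "https_proxy=$proxy"
Environment="NO_PROXY=$noproxy" "no_proxy=$noproxy"
EOF
}

# Real use (as root), followed by the reload and restart the article mentions:
#   write_docker_proxy_dropin /etc/systemd/system/docker.service.d \
#       http://proxy.example.com:3128 localhost,127.0.0.1
#   systemctl daemon-reload && systemctl restart docker

# Demonstration into a scratch directory so nothing on the host is changed.
demo_dir=$(mktemp -d)
write_docker_proxy_dropin "$demo_dir" "http://proxy.example.com:3128" "localhost,127.0.0.1" \
    && cat "$demo_dir/http-proxy.conf"
```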

Docker build Proxy configuration

Next, let's move to the Docker build process, which requires external access, especially when used with apt install curl, etc.
Note: The below only addresses the Docker build process in relation to the proxy options; I will have a separate article on all the other Docker build related options.

First, let's pull a Docker SSH image; this will be used in most of the testing.

Now, let's discuss the Docker proxy configuration options.
Option 1:
Make sure to set a variable, something like the below; it is good practice to have that anyway.

Create a Dockerfile, like the one below.

Then let's create a new alias called docker_build, like the one below.

Finally, let's use that for the docker build process, like the one below.

Option 2:
Very similar to option 1, but instead we will modify the Dockerfile to set a proxy; we will also use the actual docker command instead of the docker_build alias we created above.

Modify your Dockerfile to look like the one below.

You should see something like the below; apt install should complete correctly without any issues.

Now, to use the image, just run something like the below.

Now that Docker is out of the way, let's begin working on the Kitchen docker-driver.
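An added example covering Options 1 and 2 above, not the article's own alias or Dockerfile: a `docker_build` wrapper that forwards the shell's proxy variables as build arguments, plus a check that tells the two options apart afterwards. A proxy set with `ENV` in the Dockerfile is stored in the image configuration and travels with the image, while a `--build-arg` value is not; `DOCKER`, the image tag and the proxy address are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the article's own alias or Dockerfile.
# DOCKER is a hypothetical override so the wrapper can be dry-run (DOCKER=echo).

# docker_build: like `docker build`, plus one --build-arg per proxy variable
# that is set in the calling shell. http_proxy, https_proxy and no_proxy are
# predefined build args, so the Dockerfile needs no ARG line for them.
docker_build() {
    for name in http_proxy https_proxy no_proxy; do
        eval "value=\${$name:-}"
        [ -n "$value" ] && set -- --build-arg "$name=$value" "$@"
    done
    ${DOCKER:-docker} build "$@"
}

# persists_proxy: reads the output of
#   docker inspect --format '{{json .Config.Env}}' IMAGE
# on stdin and succeeds if a proxy variable is stored in the image config.
# An ENV http_proxy=... line in the Dockerfile causes this; --build-arg does not.
persists_proxy() {
    grep -Eiq '"(https?|no)_proxy='
}

# Dry run with constructed values: print the command instead of running it.
http_proxy=http://proxy.example.com:3128
https_proxy=$http_proxy
no_proxy=localhost,127.0.0.1
DOCKER=echo docker_build -t my-ssh-image .
```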

Chef Kitchen / Kitchen-test Docker driver Proxy Configuration Options

Let's create our first Kitchen configuration directory.

Now, let's initialize Docker by using Kitchen.
Note: Make sure to specify the Kitchen driver name as docker, because the default Kitchen driver will configure/use Vagrant with VirtualBox, which is a full VM.

Note: There are many Kitchen drivers you can use, like AWS/EC2, GCP, etc. To get a full list of drivers, just run kitchen driver discover.

Next, let's run bundle install; you should see something like the below.
Note: This will also generate an initial .kitchen.yml

Kitchen Configuration options

Now comes the fun part.
Below is the .kitchen.yml with the proxy configuration already set, make sure to modify yours the same way.
Note: This only addresses the Kitchen/Docker build process in relation to the proxy options; I will have a separate article on all the other Kitchen automation related options.

If you look closely at the configuration above, you can see the section driver_config:.
To set your proxy, all you need to do is add the driver_config: section with http_proxy and https_proxy set.

Note: A quick note on Kitchen documentation. I had challenges getting the examples in the Chef kitchen yml documentation to work, but had a much better experience getting it to work with this documentation.
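An added example of the driver_config: section described above, not the article's own .kitchen.yml. Test Kitchen renders the file through ERB, so the proxy can be read from the environment at run time instead of being committed with the cookbook; the platform, suite and cookbook names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the article's .kitchen.yml. Platform, suite and cookbook
# names are constructed placeholders.

# write_kitchen_yml DIR: write DIR/.kitchen.yml for the docker driver with the
# proxy taken from the environment through ERB lookups.
write_kitchen_yml() {
    cat > "$1/.kitchen.yml" <<'EOF'
---
driver:
  name: docker

driver_config:
  http_proxy: <%= ENV['http_proxy'] %>
  https_proxy: <%= ENV['https_proxy'] %>

provisioner:
  name: chef_zero

platforms:
  - name: ubuntu-16.04

suites:
  - name: default
    run_list:
      - recipe[my_cookbook::default]
EOF
}

# has_literal_proxy FILE: succeed if a proxy key carries a literal URL
# (possibly with credentials) rather than an ERB lookup.
has_literal_proxy() {
    grep -Eq '^[[:space:]]*https?_proxy:.*://' "$1"
}

# Demonstration into a scratch directory.
demo_dir=$(mktemp -d)
write_kitchen_yml "$demo_dir" && cat "$demo_dir/.kitchen.yml"
has_literal_proxy "$demo_dir/.kitchen.yml" || echo "no literal proxy URL in .kitchen.yml"
```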

For Solaris specific notes check this out – Solaris chef kitchen docker quick notes


What were your experiences and challenges with Kitchen and Docker behind a corporate proxy or firewall? Please let me know in the comments below.
