Open bastiaanb opened 7 years ago
Blocked by what appears to be this issue.
The segfault has already been fixed, presumably in https://github.com/docker/cli/commit/45b0e7cf1a2278ab22d388f1cbc724160101cb8a#diff-8868a5325011d98de3834041d1d2a913
Apparently the Docker CLI does not use a HTTPS proxy but a socks5 proxy for docker attach. It expects it to be configured in env var ALL_PROXY. E.g.
export ALL_PROXY=socks5://proxy-server:1080
This needs to be properly documented. Also I would expect Docker to use the HTTP(S) proxy if configured, as often a socks proxy is not available.
@dnephin: I would expect that since the Docker engine exposes an HTTP API, I would only need a HTTP(S) proxy, not a socks proxy. You have relabeled this as a documentation issue rather than a bug. Do you mean that to have 'docker attach' working through an HTTP(S) proxy, would be a new feature request?
The Docker API is actually not entirely HTTP. There are a few places where it uses https://golang.org/pkg/net/http/#Hijacker and then starts communicating with some other protocol, which makes me think this is not a bug. I'm not exactly sure where that is implemented.
I think @nathanleclaire did some things for the socks5 proxy stuff; perhaps he's around to help out 😅
What's the specific issue? It's that the DNS lookup does not go through the HTTP proxy? Or that attach is not working through an HTTP proxy?
If it's the former, that does strike me as a bug on Docker CLI's side if it doesn't because https://serverfault.com/questions/169816/how-dns-lookups-work-when-using-an-http-proxy-or-not-in-ie suggests that a browser configured to use a HTTP proxy will do the lookup using the proxy when possible. The Docker client should do the same.
If it's the latter, it's likely to stay WONTFIX because even though an attach request starts life as an HTTP request, as Dan noted Docker rapidly hijacks the connection to do the bidirectional communication required for a pseudo-terminal attach. HTTP/1.1 doesn't really work bidirectionally out of the box (see Comet for a variety of ways folks have worked on hacking around this in the browser) so it's very likely that whatever HTTP proxy you're attempting to go through simply doesn't support this. If it did I'd be impressed though.
Is this weird behavior on Docker's end? Sure, but you can't really have your cake and eat it too. HTTP/1.1 is originally designed as a request => response model without supporting bidirectional communication. Docker could try and move to something like HTTP2, whether via gRPC or otherwise, to fix this, but there's no guarantee your proxy will support that either (however, it's likely a better bet than bespoke protocol over HTTP/1.1). Or, Docker could consider changing the API to support separate methods to create a terminal session and read/write to it vs. one big attach (this would make run -it laggier though). However these are both big engineering efforts.
Workaround: Consider avoiding attach when running through a proxy if possible, e.g., by using docker run -d to run containers in the background.
BTW, HTTP_PROXY and ALL_PROXY are separate things. One deals with HTTP, and the other deals with SOCKS traffic, which can support raw TCP as well as (I think) UDP. That's why attach can work over a SOCKS proxy (IIRC - you can verify this by whipping a quick one up with ssh if desired), it's just relaying the raw TCP packets.
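The hijack pattern discussed in the comments above, as an added Go example that is not part of the original thread and is not Docker's code: one HTTP request is answered, then the same TCP connection carries several unframed round trips. The handler name, the `/attach` path, the echo protocol and the loopback test server are assumptions made for the illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// attachHandler (hypothetical name) hijacks the connection and echoes raw lines.
func attachHandler(w http.ResponseWriter, r *http.Request) {
	conn, rw, err := w.(http.Hijacker).Hijack()
	if err != nil {
		return
	}
	defer conn.Close()
	fmt.Fprint(conn, "HTTP/1.1 101 Switching Protocols\r\nConnection: Upgrade\r\nUpgrade: tcp\r\n\r\n")
	for sc := bufio.NewScanner(rw); sc.Scan(); { // from here on: raw stream, not HTTP
		fmt.Fprintf(conn, "echo: %s\n", sc.Text())
	}
}

// attachSession makes one HTTP request, then does raw round trips on the same socket.
func attachSession(inputs []string) (out []string, err error) {
	srv := httptest.NewServer(http.HandlerFunc(attachHandler)) // loopback, constructed
	defer srv.Close()
	conn, err := net.Dial("tcp", srv.Listener.Addr().String())
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	fmt.Fprint(conn, "POST /attach HTTP/1.1\r\nHost: demo\r\nConnection: Upgrade\r\nUpgrade: tcp\r\n\r\n")
	br := bufio.NewReader(conn)
	resp, err := http.ReadResponse(br, nil)
	if err != nil || resp.StatusCode != http.StatusSwitchingProtocols {
		return nil, fmt.Errorf("no protocol switch (err=%v)", err)
	}
	for _, in := range inputs {
		fmt.Fprintln(conn, in) // raw bytes, no HTTP framing
		line, err := br.ReadString('\n')
		if err != nil {
			return out, err // a relay that closed after one response ends up here
		}
		out = append(out, line[:len(line)-1])
	}
	return out, nil
}
func main() { fmt.Println(attachSession([]string{"ls", "whoami"})) }
```

An intermediary that forwards one request and one response per exchange has nothing to forward for the second and later writes, which is the failure mode described for attach through an HTTP proxy; a relay that copies TCP bytes in both directions passes them unchanged.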
Thanks Nathan!
Description
The Docker CLI partially honors, partially ignores HTTP_PROXY settings. This results in the following
Steps to reproduce the issue:
Describe the results you received:
The CLI segfaults:
Furthermore, a Wireshark capture shows that it will connect to the proxy server, but then also tries to DNS lookup docker-server.public.inter.net. A run with connectivity to both internet and the proxy server does succeed, with the CLI directly accessing the Docker Engine endpoint (as well as using the proxy)
Describe the results you expected:
expected output:
Additional information you deem important (e.g. issue happens only occasionally):
Performed the same test with a freshly built docker cli https://github.com/docker/cli.git @ d861a1c3ddd794cd64d6c2efb722d7d33391ead7 . This version appears to completely ignore proxy settings.
Output of docker version:
Output of docker info:
Additional environment details (AWS, VirtualBox, physical, etc.): The used Docker Engine is Docker for AWS 17.06.0 CE
NB. First (wrongly) submitted in moby https://github.com/moby/moby/issues/34718