Open Falco20019 opened 5 years ago
A colleague tested it with 2.0.0.3 (31259) and it's also not working on his machine. He is in the same company network.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale
comment.
Stale issues will be closed after an additional 30d of inactivity.
Prevent issues from auto-closing with an /lifecycle frozen
comment.
If this issue is safe to close now please do so.
Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows. /lifecycle stale
Still a big problem that there is no infrastructure to solve this issue.
/remove-lifecycle stale
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale
comment.
Stale issues will be closed after an additional 30d of inactivity.
Prevent issues from auto-closing with an /lifecycle frozen
comment.
If this issue is safe to close now please do so.
Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows. /lifecycle stale
Still a big problem that there is no infrastructure to solve this issue.
/remove-lifecycle stale
Issues go stale after 90 days of inactivity.
Mark the issue as fresh with /remove-lifecycle stale
comment.
Stale issues will be closed after an additional 30 days of inactivity.
Prevent issues from auto-closing with an /lifecycle frozen
comment.
If this issue is safe to close now please do so.
Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows. /lifecycle stale
Still problematic
/remove-lifecycle stale
Issues go stale after 90 days of inactivity.
Mark the issue as fresh with /remove-lifecycle stale
comment.
Stale issues will be closed after an additional 30 days of inactivity.
Prevent issues from auto-closing with an /lifecycle frozen
comment.
If this issue is safe to close now please do so.
Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows. /lifecycle stale
/remove-lifecycle stale /lifecycle frozen
Hitting the same issue.
Any workarounds/plans to fix?
Sadly no workaround I know of. Might be fixable by using a proxy between the docker VM and the windows host which trusts the certificates. But we are still adding the root CA to the containers/images since that’s the only reliable way to do it on multiple machines without having a special setup necessary.
Hi
is there any resolution to the same? We are hitting the same problem.
Nope, sadly not and no reactions at all for 1.5 yrs :( It would be great if network could be proxied through the host optionally. This would resolve the issue.
Big issues here for same issue
Sadly no reaction from the team, even though it's over 2 years now. Maybe it will get some more love once more people are forced into Docker Pro+ through the change of the licensing.
Can confirm this is still an issue with Windows 10 Enterprise 20H2 (19042.1466) and Docker Desktop 4.2.0, using Zscaler 3.6.0.26.
Same with Docker Desktop 4.4.4 (73704) as well. (same machine, updated Docker Desktop)
I'd love to see an official response from the team. I can see how this would be "as designed", since a developer may want to isolate a container's context from the host system; like networking, implementations could decide what should and should not be included (e.g. certificates).
However, the OP correctly points out that the documentation suggests that this should "just work" and it does not.
Windows trusted root CAs should be trusted in Moby VM according to https://docs.docker.com/desktop/faqs/#how-do-i-add-custom-ca-certificates
That section describes that CAs as configured on the host machine (macOS / Windows) will be configured the same within the VM in which the Docker Engine Daemon runs.
Docker Desktop attempts to make running containers (and the Docker Engine) function "as if" the Docker Engine is running locally on your macOS or Windows machine; for Linux containers, which require a Linux kernel, it must run in a VM, so to make it function as "close as possible" to running on your host machine, it configures the VM to use the same CAs as on the host (in addition to providing other things, such as file-sharing between the host and the VM, mapping networking ports to localhost etc.).
I can see how this would be "as designed", since a developer may want to isolate a container's context from the host system; like networking, implementations could decide what should and should not be included (e.g. certificates).
This is indeed by design; containers by default should run isolated, and not have access to resources on the host (or the VM in which it's running). This is both for security (you don't want a container you started from a "random" image to be able to access resources on your host), but also to provide a more reproducible environment ("it worked on my machine").
So giving the container access to custom CA's must be an explicit configuration of the container (which could be to bind-mount the files needed, or (depending on your use-case) adding the files to the image you use to start the container).
@thaJeztah If it s by design that this does not work on Windows then why does it work on Mac?
My coworkers on Mac have no issues with certificates. Everything is seamless without having to load client certs into the containers. On Windows this is not the case.
The docs as the original reporter said, suggest that this should work. It seems like there is something wrong here that needs to be fixed.
I started having this issue out of the blue, and realized that I had a proxy (Fiddler Classic) running locally. Hope this helps someone else.
Expected behavior
Windows trusted root CAs should be trusted in Moby VM according to https://docs.docker.com/docker-for-windows/faqs/#how-do-i-add-custom-ca-certificates
Actual behavior
The certificates are not added to the MobyVM or are not trusted. This is due to the companies ZScaler root CA acting as man-in-the-middle. It worked some time ago (I asume until 2.1.0.2 or 2.1.0.0) but doesn't work with the latest (2.1.0.3) version anymore.
Information
Steps to reproduce the behavior
I used the following Dockerfile. It will fail on the
dotnet restore
line when trying to get a connection toapi.nuget.org
since the connection will be signed by ZScaler root certificate, which the machine is falsely not trusting.