moby / moby

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems
https://mobyproject.org/
Apache License 2.0

Using docker build in rootless mode #43639

Open ktdharan opened 2 years ago

ktdharan commented 2 years ago

Description

We are trying to build docker images in rootless mode, and one of the requirements would be to download the dependencies from the Internet and build our docker images.

Additional details:

1. We have set the proxy details to use in the following location

/local/home/<user>/.config/systemd/user/docker.service.d

2. The following are the contents of the http-proxy.conf

[Service]
Environment="HTTP_PROXY=http://10.0.2.2:3128"
Environment="HTTPS_PROXY=http://10.0.2.2:3128"
Environment="NO_PROXY=localhost, 127.0.0.*,*."

3. The output of the docker service running in rootless mode

docker.service - Docker Application Container Engine (Rootless)
     Loaded: loaded (/local/home/<user>/.config/systemd/user/docker.service; enabled; vendor preset: enabled)
    Drop-In: /local/home/<user>/.config/systemd/user/docker.service.d
             └─http-proxy.conf, override.conf
       Docs: https://docs.docker.com/go/rootless/
   Main PID: 1735274 (rootlesskit)
     CGroup: /user.slice/user-100.slice/user@100.service/docker.service
             ├─1735274 rootlesskit --net=slirp4netns --mtu=65521 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=slirp4netns --copy-up=/etc --copy->
             ├─1735287 /proc/self/exe --net=slirp4netns --mtu=65521 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=slirp4netns --copy-up=/etc --co>
             ├─1735301 slirp4netns --mtu 65521 -r 3 --disable-host-loopback --api-socket /tmp/rootlesskit247432169/.s4nn.sock --enable-sandbox --enable-seccomp 1735287 tap0
             ├─1735308 dockerd --iptables=false
             └─1735325 containerd --config /run/user/100/docker/containerd/containerd.toml --log-level info

Output of docker version:

Client: Docker Engine - Community
 Version:           20.10.15
 API version:       1.41
 Go version:        go1.17.9
 Git commit:        fd82621
 Built:             Thu May  5 13:15:49 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.15
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.17.9
  Git commit:       4433bf6
  Built:            Thu May  5 13:14:10 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.4
  GitCommit:        212e8b6fa2f44b9c21b2798135fc6fb7c53efc16
 runc:
  Version:          1.1.1
  GitCommit:        v1.1.1-0-g52de29d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Output of docker info:

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Docker Buildx (Docker Inc., v0.8.2-docker)
  scan: Docker Scan (Docker Inc., v0.17.0)

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 2
 Server Version: 20.10.15
 Storage Driver: fuse-overlayfs
 Logging Driver: json-file
 Cgroup Driver: none
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 212e8b6fa2f44b9c21b2798135fc6fb7c53efc16
 runc version: v1.1.1-0-g52de29d
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  rootless
 Kernel Version: 4.18.0-348.20.1.el8_5.x86_64
 Operating System: Red Hat Enterprise Linux 8.5 (Ootpa)
 OSType: linux
 Architecture: x86_64
 CPUs: 
 Total Memory: 
 Name: <hostname>
 Docker Root Dir: /local/home/<user>/.local/share/docker
 Debug Mode: false
 HTTP Proxy: http://10.0.2.2:3128
 HTTPS Proxy: http://10.0.2.2:3128
 No Proxy: localhost, 127.0.0.*,
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:

 Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.): We use cntlm as our proxy

ktdharan commented 2 years ago

@AkihiroSuda -> Is there anything that we should additionally consider?

ktdharan commented 2 years ago

Checking to see if anyone can help with this info @AkihiroSuda

thaJeztah commented 2 years ago

The proxies configured in your systemd unit will be used by the daemon itself (so, for example, for docker pull and docker push), but are not inherited by containers (including containers used during build).

If you need your (build) containers to also use a proxy, you can configure the CLI to set these automatically: https://docs.docker.com/network/proxy/#configure-the-docker-client

Setting that configuration will make the CLI automatically set the corresponding --env HTTP_PROXY=... when running a container, and --build-arg HTTP_PROXY=... when building images.

Does that help with your issue?

ktdharan commented 2 years ago

@thaJeztah -> The understanding is that docker in rootless mode will have its own networking space. Since we use cntlm as our proxy (which is essentially http://localhost:3128) and with the understanding that rootless docker does not support localhost, I was checking to see how this can be achieved.

olljanat commented 2 years ago

> Since we use cntlm as our proxy (which is essentially http://localhost:3128) and with the understanding that rootless docker does not support localhost, I was checking to see how this can be achieved.

Haven't checked, but I would assume that localhost on the host machine and inside of rootless networks are two different things. If using a proxy is mandatory then you need either an external proxy server or to point to cntlm with the host machine's external IP instead of localhost (and you need to make sure that process is listening on it).
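The two points raised in the thread, that the daemon-level proxy in the systemd drop-in is separate from the CLI-level proxy that gets injected into build containers, and that a proxy on the host's localhost is not the same localhost inside the rootless network namespace, can be turned into a small configuration check. The following is an added example written for this page, not code from the Moby project or from anyone in the thread. It generates both the systemd drop-in and the ~/.docker/config.json "proxies" section (the "proxies.default.httpProxy/httpsProxy/noProxy" keys are the documented Docker CLI keys) and flags any proxy URL that points at loopback when rootless mode is in use. The sample proxy addresses and the decision to treat 10.0.2.2 as reachable are constructed for the example; whether the slirp4netns gateway actually forwards to a host-side listener depends on the rootlesskit flags in use (the status output above shows --disable-host-loopback), so the warning is advisory.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Hostnames that always mean "this machine's loopback", regardless of DNS.
LOOPBACK_NAMES = {"localhost"}


def proxy_points_at_loopback(url: str) -> bool:
    """True if the proxy URL targets loopback (localhost, 127.x.x.x or ::1).

    Inside a rootless Docker network namespace (rootlesskit + slirp4netns)
    loopback is the namespace's own loopback, not the host's, so such a
    proxy is unreachable from build containers.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host.lower() in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # A non-loopback hostname; we do not resolve it here.
        return False


def normalize_no_proxy(no_proxy: str) -> str:
    """Strip whitespace around comma-separated NO_PROXY entries and drop empties.

    The thread's value 'localhost, 127.0.0.*,*.' carries a space after the
    comma; Docker's noProxy is comma-separated without spaces.
    """
    return ",".join(part.strip() for part in no_proxy.split(",") if part.strip())


def render_systemd_dropin(http_proxy: str, https_proxy: str, no_proxy: str) -> str:
    """Daemon-level proxy: used by dockerd for pull/push, not inherited by containers."""
    lines = [
        "[Service]",
        f'Environment="HTTP_PROXY={http_proxy}"',
        f'Environment="HTTPS_PROXY={https_proxy}"',
        f'Environment="NO_PROXY={normalize_no_proxy(no_proxy)}"',
    ]
    return "\n".join(lines) + "\n"


def build_cli_proxy_config(http_proxy: str, https_proxy: str, no_proxy: str,
                           rootless: bool = False):
    """Return (config_dict, warnings) for the ~/.docker/config.json 'proxies' section.

    The CLI turns these into --env HTTP_PROXY=... on `docker run` and
    --build-arg HTTP_PROXY=... on `docker build`.
    """
    cfg = {
        "proxies": {
            "default": {
                "httpProxy": http_proxy,
                "httpsProxy": https_proxy,
                "noProxy": normalize_no_proxy(no_proxy),
            }
        }
    }
    warnings = []
    if rootless:
        for key, url in (("httpProxy", http_proxy), ("httpsProxy", https_proxy)):
            if proxy_points_at_loopback(url):
                warnings.append(
                    f"{key}={url}: loopback inside the rootless network namespace is not "
                    "the host's loopback; use an address the build container can reach "
                    "(e.g. the host's external IP, with the proxy listening on it)"
                )
    return cfg, warnings


def render_config_json(cfg: dict) -> str:
    return json.dumps(cfg, indent=2) + "\n"


if __name__ == "__main__":
    # Constructed sample: a cntlm-style proxy bound to localhost, as in the thread.
    cfg, warns = build_cli_proxy_config(
        "http://localhost:3128", "http://localhost:3128",
        "localhost, 127.0.0.*", rootless=True)
    print(render_systemd_dropin("http://10.0.2.2:3128", "http://10.0.2.2:3128",
                                "localhost, 127.0.0.*"))
    print(render_config_json(cfg))
    for w in warns:
        print("WARNING:", w)
```

Running the script prints the daemon drop-in, the CLI config and one warning per loopback proxy URL; to fix the warning, rebind cntlm to an interface the rootless namespace can reach and put that address in both places.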