Docker 1.5 : http_proxy used by client result in error with unix socket connexion

[dduportal]

OK, quick issue, due to the recent Docker 1.5.

It added that https://github.com/docker/docker/pull/9951 (cf. changelog : https://github.com/docker/docker/blob/master/CHANGELOG.md#150-2015-02-10, last item of 1.5.0). The documentation is here : https://github.com/docker/docker/pull/10192

So in my case :

docker@boot2docker:~$ docker -H tcp://localhost:2375 ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
docker@boot2docker:~$ docker -H unix:///var/run/docker.sock ps
FATA[0000] Error response from daemon: 404 page not found
docker@boot2docker:~$ unset HTTP_PROXY
docker@boot2docker:~$ unset HTTPS_PROXY
docker@boot2docker:~$ unset NO_PROXY
docker@boot2docker:~$ env | grep proxy
no_proxy=localhost,127.0.0.1,.my-domain.com
https_proxy=http://my-proxy:3128
http_proxy=http://my-proxy:3128
docker@boot2docker:~$ export no_proxy=$no_proxy,/var/run/docker.sock
docker@boot2docker:~$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
docker@boot2docker:~$ export no_proxy=localhost,127.0.0.1,.my-domain.com,.sock
docker@boot2docker:~$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

It's not related to the vagrant-proxyconf directly, but we can enhance user experience by adding a pattern like ,.sockor /var/run/docker.sock in no_proxy vars for the Docker part ?

[otahi]

Thank you for your information! That change seems excellent!

Anyway, do you mean add ,.sock or /var/run/docker.sock to vagrant-proxyconf default no_proxy? If so, I think adding documentation is better way. Because vagrant-proxyconf no_proxy affect not only Docker but also all applications. And Docker supports sock with no_proxy by its documentation https://github.com/docker/docker/pull/10133 not default value adding.

[dduportal]

I'm not sure on which route to use but here's my thoughts :

• The condition for adding this custom case should be "docker is present on the remote VM" if the configuration change won't be on the docker daemon side of the plugin. (If the VM just have the cli and want to talk to another remote, no unix socket would be usee)
• If we have to make the change at plugin runtime, in which location should we do that ? I see the profile for both interactive/non-inter sessions (shell and ssh). It does not seems to be needed in docker daemon part.
• Adding the pattern ".sock" to the conf seems a bit dangerous : how to determine if we are talking to a domain thru tcp or a file thru unix socket. As domains accept custom extension nowadays, my proposition is bad all things considered.
• Adding litteraly "/var/run/docker.sock" is maybe too restrictive : what if you're using another location ? Maybe reading the doc and adding your custom path to the vagrant' host conf. But it loose the effortless config this plugin use to brought i think.
• configuring on the profile can be an impact as you stated, to other applications and commands

The things i want to test before pull-requesting a first solution :

• can we add unix:// protocol as pattern in no_proxy ? Or finding a solution to deal with unix socket and no_proxy ?
• can we push a custom solution at docker client execution (maybe ~/.docker ) ?

[otahi]

Thank you for your thoughts.

I think I understand what you stated. We have some choices. Now, I think we are nice if we add avoidance to transfer via proxies for unix domain sockets. If you can test something, please share your results.

I think we can narrow the influence of adding the avoidance only for docker if we change action/configure_docker_proxy.rb.

If we can use unix://, it is better than .sock. Because now, there is no .sock gtld, but it might be added...

Now, my idea for this feature,

• Add avoidance only to docker proxy configuration for unix domain socket as default
  • how to avoid is not fixed.
• Add a flag to disable the avoidance like config.proxy.docker_sock_noproxy_disabled
  • too long name..
• Add README

Thank you,

[dduportal]

@otahi : in fact it seems that is Docker codebase's related. They have implemented and merged in master a patch that will change the behavior :

• https://github.com/docker/docker/pull/10739
• The related doc update : https://github.com/docker/docker/pull/10748

TL;DR : The docker CLI won't use NO_PROXY variables when using a Unix socket

This is perfect and it will handle what i was thinking, so i'm going to close the Issue.

Thank you !

[otahi]

@dduportal , Thank you for your giving good news. This seems completely OK :100:

[jeffbean]

I am still confused on how this all works together. After reading all the comments and posts about this I have the following scenario:

I need a proxy set in my environment at all times I also nee the docker daemon to use these proxy variables

I tried what is documented here: https://github.com/docker/docker/pull/10192/files

This sill fails and seems not to work as intended.

Here is what I found: Docker version 1.5.0, build a8a31ef Linux jbean 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

[jbean@jbean ~] $ docker ps FATA[0000] Error response from daemon: 404 page not found [jbean@jbean ~] $ ps -ef | grep docker root 4455 1 0 10:18 ? 00:00:00 /usr/bin/docker -d --dns 10.21.223.53 --insecure-registry docker.example.com:5000 -H tcp://127.0.0.1:2375 -H unix:///var/run/docker.sock jbean 5036 4971 0 10:26 pts/22 00:00:00 grep --colour=auto docker [jbean@jbean ~] $ env | grep proxy http_proxy=http://proxy.example.com:3128/ ftp_proxy=http://proxy.example.com:3128/ https_proxy=http://proxy.example.com:3128/ no_proxy=localhost,127.0.0.0/8,::1,/var/run/docker.sock [jbean@jbean ~] $ docker ps FATA[0000] Error response from daemon: 404 page not found [jbean@jbean ~] $ unset https_proxy [jbean@jbean ~] $ docker ps FATA[0000] Error response from daemon: 404 page not found [jbean@jbean ~] $ unset http_proxy [jbean@jbean ~] $ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES [jbean@jbean ~] $

In this case I have to unset my http_proxy to talk with the daemon. This worked just fine for everything before Docker 1.5.

[dduportal]

@jeffbean : Could you provide me the output of env | grep -i proxy please ?

The -i of grep is important, because it'll check for the upper cases version, as i remember that the plugin set the two cases.

If i'm right, you should see a NO_PROXY var also.

[jeffbean]

oh man, so i am assuming I need to set the NO_PROXY as it takes president. [jbean@jbean ~] $ env | grep -i proxy NO_PROXY=localhost,127.0.0.0/8,::1 http_proxy=http://proxy.example.com:3128/ ftp_proxy=http://proxy.example.com:3128/ https_proxy=http://proxy.example.com:3128/ no_proxy=localhost,127.0.0.0/8,::1,/var/run/docker.sock

After setting the variable it works. [jbean@jbean ~] $ env | grep -i proxy NO_PROXY=localhost,127.0.0.0/8,::1,/var/run/docker.sock http_proxy=http://proxy.example.com:3128/ ftp_proxy=http://proxy.example.com:3128/ https_proxy=http://proxy.example.com:3128/ no_proxy=localhost,127.0.0.0/8,::1,/var/run/docker.sock [jbean@jbean ~] $ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

As a side note /etc/environment does not work in Mint, I HAVE to do it through my .bash_profile. I saw some answers pointing to gconf and /etc/environment.

Thanks!

[ahb-sjsu]

It doesn't work for me:

[root@lab-c1 ~]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.2 (Maipo) [root@lab-c1 ~]# docker -v Docker version 1.12.1-cs1, build e7f4338 [root@lab-c1 ~]# env | grep -i proxy NO_PROXY=localhost,127.0.0.0/8,::1,/var/run/docker.sock http_proxy=http://proxy.esl.cisco.com:80/ ftp_proxy=http://proxy.esl.cisco.com:80/ https_proxy=http://proxy.esl.cisco.com:80/ no_proxy=localhost,127.0.0.0/8,::1,/var/run/docker.sock [root@lab-c1 ~]# firewall-cmd --list-ports 12385/tcp 2376/tcp 12384/tcp 12381/tcp 443/tcp 12380/tcp 12386/tcp 12383/tcp 12379/tcp 12382/tcp 12376/tcp

Yet I still get FATAL error with

docker run --rm -it --name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp install

... INFO[0000] Checking that required ports are available and accessible FATA[0034] The following required ports are blocked on your host: 443, 12386, 12376, 12379, 12385, 12381, 12380, 2376, 12383, 12384, 12382. Check your firewall settings.