{"id":330,"date":"2016-08-30T17:32:09","date_gmt":"2016-08-30T15:32:09","guid":{"rendered":"http:\/\/le-moulin-de-verre.com\/fieldnotes\/?p=330"},"modified":"2016-08-30T17:32:09","modified_gmt":"2016-08-30T15:32:09","slug":"making-docker-work-behind-ntlm-proxy","status":"publish","type":"post","link":"https:\/\/le-moulin-de-verre.com\/fieldnotes\/?p=330","title":{"rendered":"Making Docker work behind NTLM proxy"},"content":{"rendered":"

Working in a corporate environment, it may come that web access is filtered through a proxy… and even an NTLM one which requiere MS-style authentication.<\/p>\n

If you also are lucky enough to run Docker inside a Linux Virtual machine (not natively on Windows), your docker builds or package update operations may fail at first.<\/p>\n

You may ease the building and running of docker containers by using an intermediate proxy (cntlm) that will authenticate your and forward your requests against the coprorate proxy, while acting as simpler (unanthenticated) proxy for your doacker daemon or containers.<\/p>\n

Build images behind a proxy<\/h2>\n

My environment:<\/p>\n

- Coporate NTLM proxy\n- Windows 7 (running cntlm proxy properly configured, listenning to 127.0.0.1:9128, and NOT in gateway mode)\n- Virtual Box \n- Centos 7 \n- Docker \n<\/code><\/pre>\n
Make docker daemon use the proxy of the Windows host<\/h3>\n
Not hard but a bit complex:<\/h4>\n
The first thing to take care of with all these virtualization layers is that 127.0.0.1 means something different for each layer !<\/p>\n
The tricky part is to understand that Virtual box creates a specific NIC inside CentOS (address is 10.0.2.x with a default gateway of 10.0.2.2). The 10.0.2.2 IP address is redirected by Virtual Box to the 127.0.0.1 of Windows, on which cntlm proxy is listenning.<\/p>\n
Last thing, the daemon needs to be aware of proxy at build time (download an image from web), while apt-get or yum may need to be aware of proxy at build time but also possibly at runtime.<\/p>\n
In short, from docker daemon perspective, the proxy is 10.0.2.2:9128<\/p>\n
Docker daemon setup<\/h4>\n
Create<\/p>\n
\/etc\/systemd\/system\/docker.service.d\/docker_http_proxy.conf\n<\/code><\/pre>\n
With content:<\/p>\n
[Service]\nEnvironment=\"HTTP_PROXY=http:\/\/10.0.2.2:9128\/\"\nEnvironment=\"HTTPS_PROXY=https:\/\/10.0.2.2:9128\/\"\n<\/code><\/pre>\n
Then reload configuration and restart daemon<\/p>\n
sudo systemctl daemon-reload\nsudo systemctl restart docker\n<\/code><\/pre>\n
Build the image<\/h4>\n
Then you should run the build using buildtime-only proxy configuration:<\/p>\n
docker build --build-arg http_proxy=http:\/\/10.0.2.2:9128 --build-arg https_proxy=https:\/\/10.0.2.2:9128 -t my_app .\n<\/code><\/pre>\n
TBC: is --build-args<\/code> needed for yum update only ?<\/p>\n
Run containers behind a proxy<\/h2>\n
Here the context is a bit different: we want a running container to access the web. Generraly speaking, it may not be the best idea in production environments, but it may still greatly help you to test or develop inside container.<\/p>\n
Quick and dirty: rely on another container to provide the proxy<\/h3>\n
The simplest way is to use an already existing container, made specifically to provide transparent cntlm proxy service to others through Docker -link capability. It allows your application to address the proxy by name.<\/p>\n
You should rather build this container from source (rather than blindly downloading it) as you will entrust it sufficiently with your logins and passwords.<\/p>\n
Several cntml proxies are available, I choose to use jaschac\/cntlm.<\/p>\n
Download \/ build image with:<\/p>\n
docker pull jaschac\/cntlm\n<\/code><\/pre>\n
Start jashac\/cntlm container:<\/p>\n
docker run --name cntlm -e CNTLM_USERNAME=your_username -e CNTLM_DOMAIN=your_domain -e CNTLM_PROXY_URL=your_parent_ proxy -e CNTLM_PROXY_PORT=your_parent_proxy_port -e CNTLM_PASSNTLMv2=yourhash -d jaschac\/cntlm\n<\/code><\/pre>\n
Then start your applciation container with:<\/p>\n
docker run --link cntlm:cntlm -it my_app \/bin\/bash\n<\/code><\/pre>\n
Note the –link option that allow your application to resolve the cntlm host destite in another container.<\/p>\n
Optional: set the proxy env in the dockerfile:<\/p>\n
ENV http_proxy http:\/\/cntlm:3128\nENV https_proxy https:\/\/cntlm:3128\n<\/code><\/pre>\n
Make your container aware of the external proxy<\/h3>\n
Use the same address (corresponding to Windows 127.0.0.1 through Virtual box) to let your container access the Windows cntlm proxy at runtime.<\/p>\n
TBD: remains to be tested<\/p>\n
ENV http_proxy http:\/\/10.0.2.2:9128\nENV https_proxy https:\/\/10.0.2.2:9128\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
Working in a corporate environment, it may come that web access is filtered through a proxy… and even an NTLM one which requiere MS-style authentication. If you also are lucky enough to run Docker inside a Linux Virtual machine (not natively on Windows), your docker builds or package update operations may fail at first. You … Continue reading “Making Docker work behind NTLM proxy”<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0,"jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[1],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p5WcEf-5k","_links":{"self":[{"href":"https:\/\/le-moulin-de-verre.com\/fieldnotes\/index.php?rest_route=\/wp\/v2\/posts\/330"}],"collection":[{"href":"https:\/\/le-moulin-de-verre.com\/fieldnotes\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/le-moulin-de-verre.com\/fieldnotes\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/le-moulin-de-verre.com\/fieldnotes\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/le-moulin-de-verre.com\/fieldnotes\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=330"}],"version-history":[{"count":1,"href":"https:\/\/le-moulin-de-verre.com\/fieldnotes\/index.php?rest_route=\/wp\/v2\/posts\/330\/revisions"}],"predecessor-version":[{"id":331,"href":"https:\/\/le-moulin-de-verre.com\/fieldnotes\/index.php?rest_route=\/wp\/v2\/posts\/330\/revisions\/331"}],"wp:attachment":[{"href":"https:\/\/le-moulin-de-verre.com\/fieldnotes\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/le-moulin-de-verre.com\/fieldnotes\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=330"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/le-moulin-de-verre.com\/fieldnotes\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}