Setting a proxy for all Docker containers
Casual notes from 三线
TODO
https://docs.docker.com/network/proxy/
Method 1: use the config.json file to set the proxy for all containers
Add a proxies section to ~/.docker/config.json
Official documentation tip: When you create or start new containers, the environment variables are set automatically within the container.
"proxies": {
  "default": {
    "httpProxy": "http://127.0.0.1:3001",
    "httpsProxy": "http://127.0.0.1:3001",
    "noProxy": "*.test.example.com,.example2.com"
  }
}
Actual test
It appears this can only be set under the user's home directory; putting it in /etc/docker/config.json has no effect at all.
[root@192-168-104-11 .docker]# cat /root/.docker/config.json
{
  "auths": {
    "192.168.104.9": {
      "auth": "YWRtaW46Y2hhbmdlbWU="
    }
  },
  "HttpHeaders": {
    "User-Agent": "Docker-Client/19.03.8 (linux)"
  },
  "proxies": {
    "default": {
      "httpProxy": "http://127.0.0.1:3001",
      "httpsProxy": "http://127.0.0.1:3001",
      "noProxy": "*.test.example.com,.example2.com"
    }
  }
}
[root@192-168-104-11 .docker]# docker run --entrypoint sh --rm --name test-env -it ubuntu:16.04
# env | sort
HOME=/root
HOSTNAME=6e50e82441df
HTTPS_PROXY=http://127.0.0.1:3001
HTTP_PROXY=http://127.0.0.1:3001
NO_PROXY=*.test.example.com,.example2.com
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
TERM=xterm
http_proxy=http://127.0.0.1:3001
https_proxy=http://127.0.0.1:3001
no_proxy=*.test.example.com,.example2.com
With this configuration in place, start a pod through k8s and have it scheduled onto this node:
⚠️ In testing, the proxy environment variables are not injected into the container.
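An added example (not from the original notes or from Docker): a Python check that reads a config.json shaped like the one above, lists the variables the docker CLI would inject into new containers, and flags values that expose secrets or point at loopback. The function names, the sample registry and the sample credentials are constructed for illustration; the key-to-variable mapping follows the `env | sort` output shown above.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed sample shaped like the ~/.docker/config.json on this page;
# the registry address, credentials and proxy password are made up.
SAMPLE = json.dumps({
    "auths": {"registry.example.internal": {
        "auth": base64.b64encode(b"demo-user:demo-pass").decode()}},
    "proxies": {"default": {
        "httpProxy": "http://127.0.0.1:3001",
        "httpsProxy": "http://svc:s3cret@proxy.example.com:3128",
        "noProxy": "*.test.example.com,.example2.com"}},
})

# Config key -> variable name; both upper- and lower-case forms are set,
# as the `env | sort` output above shows.
KEYS = {"httpProxy": "HTTP_PROXY", "httpsProxy": "HTTPS_PROXY", "noProxy": "NO_PROXY"}


def injected_env(config, daemon="default"):
    """Environment variables the docker CLI would add to new containers."""
    section = config.get("proxies", {}).get(daemon, {})
    env = {}
    for key, name in KEYS.items():
        if section.get(key):
            env[name] = env[name.lower()] = section[key]
    return env


def audit(config):
    """Return findings about exposed secrets and proxies on loopback."""
    findings = []
    for name, value in sorted(injected_env(config).items()):
        if not name.isupper() or name == "NO_PROXY":
            continue  # report each proxy URL once, skip the host list
        url = urlsplit(value)
        if url.username or url.password:
            findings.append(f"{name}: credentials for {url.hostname} visible in every container's env")
        if url.hostname in ("127.0.0.1", "localhost", "::1"):
            # Without host networking, loopback is the container's own namespace.
            findings.append(f"{name}: {url.hostname} is the container's own loopback, not the host")
    for registry, entry in config.get("auths", {}).items():
        if "auth" in entry:  # base64("user:password") is encoding, not encryption
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
            findings.append(f"auths[{registry}]: password for '{user}' stored base64-encoded")
    return findings


if __name__ == "__main__":
    cfg = json.loads(SAMPLE)
    print(injected_env(cfg))
    print("\n".join(audit(cfg)))
```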
Additional related test - configuring a proxy for dockerd through the service unit file
Configuring a proxy for dockerd through the service unit file
Official documentation tips:
The Docker daemon uses the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environmental variables in its start-up environment to configure HTTP or HTTPS proxy behavior.
You cannot configure these environment variables using the daemon.json file.
[root@dce-192-168-104-11 .docker]# cat /usr/lib/systemd/system/docker.service;
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket

[Service]
Type=notify
Environment="HTTP_PROXY=http://proxy.example.com:80"
Environment="HTTPS_PROXY=https://proxy.example.com:443"
Environment="NO_PROXY=localhost,127.0.0.1,docker-registry.example.com,.corp"
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3

# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity

# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity

# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes

# kill only the docker process, not all processes in the cgroup
KillMode=process

[Install]
WantedBy=multi-user.target

[root@192-168-104-11 .docker]# systemctl show --property=Environment docker
Environment=HTTP_PROXY=http://proxy.example.com:80 HTTPS_PROXY=https://proxy.example.com:443 NO_PROXY=localhost,127.0.0.1,docker-registry.example.com,.corp
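A proxy set for the docker daemon in the usual way does not affect the proxy settings of containers.
It only affects the daemon's own network traffic, such as pulling / pushing images.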