Setting a proxy for all Docker containers

Random notes from 三线

TODO


https://docs.docker.com/network/proxy/

Method 1: use the config.json file to set the proxy for all containers

Add a `proxies` section to ~/.docker/config.json.

Official documentation note: When you create or start new containers, the environment variables are set automatically within the container.

"proxies": {
    "default": {
      "httpProxy": "http://127.0.0.1:3001",
      "httpsProxy": "http://127.0.0.1:3001",
      "noProxy": "*.test.example.com,.example2.com"
    }
}

Actual test

It appears this only works when set in the user's own config file; putting it in /etc/docker/config.json has no effect at all.

[root@192-168-104-11 .docker]# cat /root/.docker/config.json
{
	"auths": {
		"192.168.104.9": {
			"auth": "YWRtaW46Y2hhbmdlbWU="
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.8 (linux)"
	},
	"proxies": {
		"default": {
			"httpProxy": "http://127.0.0.1:3001",
			"httpsProxy": "http://127.0.0.1:3001",
			"noProxy": "*.test.example.com,.example2.com"
		}
	}
}

[root@192-168-104-11 .docker]# docker run --entrypoint sh --rm --name test-env -it ubuntu:16.04
# env | sort
HOME=/root
HOSTNAME=6e50e82441df
HTTPS_PROXY=http://127.0.0.1:3001
HTTP_PROXY=http://127.0.0.1:3001
NO_PROXY=*.test.example.com,.example2.com
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
TERM=xterm
http_proxy=http://127.0.0.1:3001
https_proxy=http://127.0.0.1:3001
no_proxy=*.test.example.com,.example2.com

With this configuration in place, start a pod via k8s and have it scheduled onto this node.

⚠️ In practice, the proxy environment variables are NOT injected into the container.
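As an added example (not from the original note or the Docker project), a small Python check that derives the proxy environment the docker CLI would inject from a client config.json and compares it with an `env` dump taken inside a running container, so a container launched through a path that bypasses the CLI (the k8s pod case above) shows up as missing variables. The config and env dumps below are constructed to mirror the test above; the per-daemon-host key lookup and the ftpProxy key follow the Docker docs, and the helper names are my own.

```python
import json

# The docker CLI turns each key of the selected "proxies" entry into an
# upper- and a lower-case environment variable inside new containers.
PROXY_KEYS = {
    "httpProxy": "HTTP_PROXY",
    "httpsProxy": "HTTPS_PROXY",
    "noProxy": "NO_PROXY",
    "ftpProxy": "FTP_PROXY",
}

def expected_proxy_env(config_text, daemon_host="default"):
    """Proxy env the CLI would inject, taken from config.json text.
    A per-daemon-host entry wins over "default" when present."""
    proxies = json.loads(config_text).get("proxies", {})
    entry = proxies.get(daemon_host) or proxies.get("default", {})
    env = {}
    for key, upper in PROXY_KEYS.items():
        value = entry.get(key)
        if value:
            env[upper] = value
            env[upper.lower()] = value
    return env

def parse_env_dump(text):
    """Parse the output of `env` run inside a container into a dict."""
    env = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            env[key] = value
    return env

def missing_proxy_vars(config_text, env_dump, daemon_host="default"):
    """Names of proxy variables the CLI would have set but the container
    lacks or has with another value. Non-empty means the container was not
    created by the docker CLI (e.g. started by the kubelet)."""
    expected = expected_proxy_env(config_text, daemon_host)
    actual = parse_env_dump(env_dump)
    return sorted(k for k, v in expected.items() if actual.get(k) != v)

# Constructed sample config: the same proxies block as in the note above.
SAMPLE_CONFIG = '{"proxies": {"default": {"httpProxy": "http://127.0.0.1:3001", "httpsProxy": "http://127.0.0.1:3001", "noProxy": "*.test.example.com,.example2.com"}}}'
# Constructed env dumps: one from `docker run`, one from a k8s-launched pod.
CLI_ENV = "HOME=/root\nHTTPS_PROXY=http://127.0.0.1:3001\nHTTP_PROXY=http://127.0.0.1:3001\nNO_PROXY=*.test.example.com,.example2.com\nhttp_proxy=http://127.0.0.1:3001\nhttps_proxy=http://127.0.0.1:3001\nno_proxy=*.test.example.com,.example2.com\n"
POD_ENV = "HOME=/root\nPATH=/usr/bin:/bin\n"

if __name__ == "__main__":
    print("docker run container, missing:", missing_proxy_vars(SAMPLE_CONFIG, CLI_ENV))
    print("k8s pod, missing:", missing_proxy_vars(SAMPLE_CONFIG, POD_ENV))
```

To check a live container, feed `docker exec <id> env` output as the env dump.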


Additional related test: configuring a proxy for dockerd via the systemd service file


Official documentation notes:

The Docker daemon uses the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables in its start-up environment to configure HTTP or HTTPS proxy behavior.

You cannot configure these environment variables using the daemon.json file.


[root@dce-192-168-104-11 .docker]# cat /usr/lib/systemd/system/docker.service;
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket

[Service]
Type=notify
Environment="HTTP_PROXY=http://proxy.example.com:80"
Environment="HTTPS_PROXY=https://proxy.example.com:443"
Environment="NO_PROXY=localhost,127.0.0.1,docker-registry.example.com,.corp"
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3

# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity

# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity

# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes

# kill only the docker process, not all processes in the cgroup
KillMode=process

[Install]
WantedBy=multi-user.target


[root@192-168-104-11 .docker]# systemctl show --property=Environment docker
Environment=HTTP_PROXY=http://proxy.example.com:80 HTTPS_PROXY=https://proxy.example.com:443 NO_PROXY=localhost,127.0.0.1,docker-registry.example.com,.corp

A proxy configured for the Docker daemon in this usual way does not affect the proxy settings of containers.

It only affects the daemon's own network traffic, such as pulling and pushing images.