Setting a proxy for all Docker containers: difference between revisions
From 三线的随记
Revision as of 14:37, 27 October 2020 (Tue)
TODO
https://docs.docker.com/network/proxy/
Method 1: use the config.json file to set the proxy for all containers
Add a proxies section to ~/.docker/config.json.
Official documentation tips: When you create or start new containers, the environment variables are set automatically within the container.

    "proxies": {
        "default": {
            "httpProxy": "http://127.0.0.1:3001",
            "httpsProxy": "http://127.0.0.1:3001",
            "noProxy": "*.test.example.com,.example2.com"
        }
    }
Actual test
It appears that this can only be set in the user's own config.json; setting it in /etc/docker/config.json has no effect.

    [root@192-168-104-11 .docker]# cat /root/.docker/config.json
    {
        "auths": {
            "192.168.104.9": {
                "auth": "YWRtaW46Y2hhbmdlbWU="
            }
        },
        "HttpHeaders": {
            "User-Agent": "Docker-Client/19.03.8 (linux)"
        },
        "proxies": {
            "default": {
                "httpProxy": "http://127.0.0.1:3001",
                "httpsProxy": "http://127.0.0.1:3001",
                "noProxy": "*.test.example.com,.example2.com"
            }
        }
    }
    [root@192-168-104-11 .docker]# docker run --entrypoint sh --rm --name test-env -it ubuntu:16.04
    # env | sort
    HOME=/root
    HOSTNAME=6e50e82441df
    HTTPS_PROXY=http://127.0.0.1:3001
    HTTP_PROXY=http://127.0.0.1:3001
    NO_PROXY=*.test.example.com,.example2.com
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    PWD=/
    TERM=xterm
    http_proxy=http://127.0.0.1:3001
    https_proxy=http://127.0.0.1:3001
    no_proxy=*.test.example.com,.example2.com

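With this configuration in place, a pod was started through k8s and scheduled onto this node.
⚠️ In testing, the proxy environment variables were not injected into the container.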
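
The check behind both observations above, as an added example that is not part of the original note: it derives the variables the proxies block should produce and reports which ones a container's env output lacks. The proxies block is read by the docker CLI, which fits the pod result, since a pod is not created through that CLI; the function names and sample env texts are constructed for illustration, and only the three keys used on this page are mapped.

```python
import json

# config.json "proxies" keys -> variable names seen in the `env | sort` output above
KEY_TO_ENV = {"httpProxy": "HTTP_PROXY", "httpsProxy": "HTTPS_PROXY", "noProxy": "NO_PROXY"}


def expected_proxy_env(config_text, profile="default"):
    """Variables a container should receive (upper- and lower-case names)."""
    proxies = json.loads(config_text).get("proxies", {}).get(profile, {})
    expected = {}
    for key, name in KEY_TO_ENV.items():
        if proxies.get(key):
            expected[name] = expected[name.lower()] = proxies[key]
    return expected


def parse_env(env_text):
    """Parse `env` output (NAME=value per line); values may contain '='."""
    env = {}
    for line in env_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name:
            env[name] = value
    return env


def audit_container_env(config_text, env_text):
    """Return {name: (expected, actual)} for each missing or differing variable."""
    actual = parse_env(env_text)
    return {name: (want, actual.get(name))
            for name, want in expected_proxy_env(config_text).items()
            if actual.get(name) != want}


# Constructed sample inputs modelled on the session above.
SAMPLE_CONFIG = """{"proxies": {"default": {
  "httpProxy": "http://127.0.0.1:3001", "httpsProxy": "http://127.0.0.1:3001",
  "noProxy": "*.test.example.com,.example2.com"}}}"""
DOCKER_RUN_ENV = """HOME=/root
HTTPS_PROXY=http://127.0.0.1:3001
HTTP_PROXY=http://127.0.0.1:3001
NO_PROXY=*.test.example.com,.example2.com
http_proxy=http://127.0.0.1:3001
https_proxy=http://127.0.0.1:3001
no_proxy=*.test.example.com,.example2.com"""
POD_ENV = "HOME=/root\nHOSTNAME=constructed-pod\nPATH=/usr/bin:/bin"

if __name__ == "__main__":
    print("docker run:", audit_container_env(SAMPLE_CONFIG, DOCKER_RUN_ENV))
    print("k8s pod   :", sorted(audit_container_env(SAMPLE_CONFIG, POD_ENV)))
```

An empty result means every expected variable is present with the configured value; for the pod sample all six names are reported as missing.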
Additional related test: configuring a proxy for dockerd through the service unit file
Configure a proxy for dockerd through the service unit file.
Official documentation tips:
The Docker daemon uses the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environmental variables in its start-up environment to configure HTTP or HTTPS proxy behavior.
You cannot configure these environment variables using the daemon.json file.

    [root@dce-192-168-104-11 .docker]# cat /usr/lib/systemd/system/docker.service;
    [Unit]
    Description=Docker Application Container Engine
    Documentation=https://docs.docker.com
    BindsTo=containerd.service
    After=network-online.target firewalld.service containerd.service
    Wants=network-online.target
    Requires=docker.socket

    [Service]
    Type=notify
    Environment="HTTP_PROXY=http://proxy.example.com:80"
    Environment="HTTPS_PROXY=https://proxy.example.com:443"
    Environment="NO_PROXY=localhost,127.0.0.1,docker-registry.example.com,.corp"
    # the default is not to use systemd for cgroups because the delegate issues still
    # exists and systemd currently does not support the cgroup feature set required
    # for containers run by docker
    ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
    ExecReload=/bin/kill -s HUP $MAINPID
    TimeoutSec=0
    RestartSec=2
    Restart=always
    # Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
    # Both the old, and new location are accepted by systemd 229 and up, so using the old location
    # to make them work for either version of systemd.
    StartLimitBurst=3
    # Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
    # Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
    # this option work for either version of systemd.
    StartLimitInterval=60s
    # Having non-zero Limit*s causes performance problems due to accounting overhead
    # in the kernel. We recommend using cgroups to do container-local accounting.
    LimitNOFILE=infinity
    LimitNPROC=infinity
    LimitCORE=infinity
    # Comment TasksMax if your systemd version does not support it.
    # Only systemd 226 and above support this option.
    TasksMax=infinity
    # set delegate yes so that systemd does not reset the cgroups of docker containers
    Delegate=yes
    # kill only the docker process, not all processes in the cgroup
    KillMode=process

    [Install]
    WantedBy=multi-user.target

    [root@192-168-104-11 .docker]# systemctl show --property=Environment docker
    Environment=HTTP_PROXY=http://proxy.example.com:80 HTTPS_PROXY=https://proxy.example.com:443 NO_PROXY=localhost,127.0.0.1,docker-registry.example.com,.corp

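A proxy configured for the Docker daemon in the usual way does not affect the proxy settings of containers.
It only affects the daemon's own regular network traffic, such as pulling and pushing images.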