Univention Bugzilla – Bug 51033
Docker does not consider proxy settings until manual intervention
Last modified: 2022-07-28 09:11:29 CEST
ucr set proxy/https="http://foo.bar:3128"

UCR writes the proxy settings to etc/systemd/system/docker.service.d/http-proxy.conf but they're not being considered until:

systemctl daemon-reload
systemctl restart docker

This lets installation of apps fail, if the app center's Docker repository is not reachable without a proxy from the UCS system.
mhm, can we merge this with Bug #51031 ? In the end both need to be fixed to have proper proxy configuration in docker apps, right?
(In reply to Ingo Steuwer from comment #1)
> mhm, can we merge this with Bug #51031 ? In the end both need to be fixed to
> have proper proxy configuration in docker apps, right?

Maybe but technically they are different problems. This one concerns the docker daemon itself, bug #51031 is about the settings inside the containers.
A Ticket-Number is required to qualify a Bug as "School Customer Affected". I've pushed this Bug into the appcenter Taiga Backlog.
We have the policy that services are not restarted automatically per default. This would be the wrong expectation for the Docker service, as well. Restarting the Docker service would affect running Docker containers and therefore apps. We'd rather think of a way to notify the administrator to restart the Docker service on their own after they changed the respective UCR variables. See bug #51125.
> Restarting the Docker service would affect running Docker containers and therefore apps.

I don't see how it would. Even if you stop the docker process the running containers remain functional, only the docker-cli cannot talk to the daemon while it's not there. So from my POV I'd say that we should restart that service.
Docker daemon will be restarted on proxy changes.

univention-docker.yaml
325342571b38 | Bug #51033: update advisory
661cdfccc93d | Bug #51033: added docker daemon restart module on proxy changes

univention-docker (5.0.2-2)
661cdfccc93d | Bug #51033: added docker daemon restart module on proxy changes

Package: univention-docker
Version: 5.0.2-2A~5.0.0.202207071107
Branch: ucs_5.0-0
Scope: errata5.0-2
OK: 661cdfccc93d
OK: 325342571b38
OK: errata-announce -V --only univention-docker.yaml
OK: univention-docker.yaml
OK: apt -t apt install univention-docker # 5.0.2-2A~5.0.0.202207071107
OK: ucr set proxy/http{,s}=http://10.200.17.34:3128
OK: xargs -0n1 -a /proc/$(pidof dockerd)/environ echo
OK: iptables -A OUTPUT -d 10.200.0.0/16 -j ACCEPT
 iptables -A OUTPUT -d 10.205.0.0/16 -j ACCEPT
 iptables -A OUTPUT -d 192.168.0.0/8 -j ACCEPT
 iptables -A OUTPUT -j REJECT
 docker pull busybox
OK: docker run -d --name sleeper busybox sleep 1h
 ucr set proxy/http{,s}=http://10.200.17.34:3128
 docker ps # still running
OK: dpkg -L univention-docker | grep restart
 /etc/univention/templates/modules/docker-daemon-restart.py
OK: grep -nH restart /etc/univention/templates/info/univention-docker.info
 /etc/univention/templates/info/univention-docker.info:22:Postinst: docker-daemon-restart.py

FYI: This fixes only the case for `dockerd`, e.g. downloading images from a registry via a proxy. It does NOT fix the use of the proxy from within a container, which requires https://docs.docker.com/network/proxy/

IGN: docker run --rm busybox:latest env | grep -i proxy
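Added example, not part of the bug report or of univention-docker: a check for the state this bug describes, where the drop-in already carries the proxy settings but the running dockerd was started without them. It compares the drop-in against an environ file such as the /proc/$(pidof dockerd)/environ used in the verification above. The function names, the sample files and the Environment="NAME=value" drop-in layout (taken from Docker's systemd proxy documentation) are assumptions.

```shell
#!/bin/sh
# Added example: report proxy variables that a systemd drop-in defines but the
# running dockerd does not have in its environment (daemon not yet restarted).
# Assumption: the drop-in uses Environment="NAME=value" entries without spaces
# inside values, as in Docker's systemd proxy documentation.

# Proxy assignments from the drop-in's Environment= lines, one per line.
dropin_proxy_env() {
    sed -n 's/^[[:space:]]*Environment=//p' "$1" |
        tr -d '"' | tr ' ' '\n' |
        awk 'tolower($0) ~ /^(https?|no)_proxy=/' | sort -u
}

# Proxy assignments from a NUL-separated environ file (/proc/PID/environ).
process_proxy_env() {
    tr '\0' '\n' < "$1" | awk 'tolower($0) ~ /^(https?|no)_proxy=/' | sort -u
}

# Print every drop-in assignment the process lacks; no output means in sync.
missing_proxy_env() {
    have=$(process_proxy_env "$2")
    dropin_proxy_env "$1" | while IFS= read -r kv; do
        printf '%s\n' "$have" | grep -qxF -- "$kv" || printf '%s\n' "$kv"
    done
}

# Constructed sample files: a drop-in, the environment of a daemon started
# before the change (stale) and of one started after reload + restart (fresh).
make_samples() {
    printf '[Service]\nEnvironment="HTTP_PROXY=http://foo.bar:3128"\nEnvironment="HTTPS_PROXY=http://foo.bar:3128"\n' > "$1/http-proxy.conf"
    printf 'PATH=/usr/sbin:/usr/bin\0' > "$1/environ.stale"
    printf 'PATH=/usr/sbin:/usr/bin\0HTTP_PROXY=http://foo.bar:3128\0HTTPS_PROXY=http://foo.bar:3128\0' > "$1/environ.fresh"
}

tmp=$(mktemp -d)
make_samples "$tmp"
echo "stale daemon is missing:"
missing_proxy_env "$tmp/http-proxy.conf" "$tmp/environ.stale"
echo "fresh daemon is missing:"
missing_proxy_env "$tmp/http-proxy.conf" "$tmp/environ.fresh"
rm -rf "$tmp"
# On a host, pass the real drop-in and "/proc/$(pidof dockerd)/environ" instead.
```

Any line printed by missing_proxy_env means image pulls still bypass the configured proxy until dockerd is restarted.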
<https://errata.software-univention.de/#/?erratum=5.0x371>