Bug 44561 - Proxy settings of host are not inherited to docker containers
Proxy settings of host are not inherited to docker containers
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: App Center
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-0-errata
Assigned To: Felix Botner
Dirk Wiesenthal
:
Depends on:
Blocks: 44785
  Show dependency treegraph
 
Reported: 2017-05-09 12:19 CEST by Michael Grandjean
Modified: 2017-06-15 17:58 CEST (History)
2 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.229
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Grandjean univentionstaff 2017-05-09 12:19:14 CEST
When UCS runs behind a proxy, the proxy settings of the host (proxy/http="http://10.200.30.254:8080" and proxy/https="https://10.200.30.254:8080") are not passed to the docker containers.

Please note that this is not about the docker daemon ("docker pull" works fine). This is about the applications inside the docker container. They cannot access the internet because they are not aware of the proxy.
This means that you cannot install Nextcloud/ownCloud plugins, for example (or install debugging tools inside the container). 

As a workaround, you can set this UCR variable BEFORE the App installation (thanks Dirk):

ucr set --force appcenter/apps/nextcloud/docker/params="--env http_proxy=http://10.200.30.254:8080 --env 
https_proxy=https://10.200.30.254:8080"

I think we should do this automatically as some kind of pre-hook before the main app installation, if proxy/http(s) is set on the host.

The challenge is, that ENV variables can only be passed to a container while it is being created. They cannot be changed for an existing container afterwards:
https://github.com/moby/moby/issues/8838#issuecomment-285789380

This means that we can only change the ENV variables before the installation or before an app upgrade, afaics. I think we also need something like "univention-app reinstall" that simply removes the current container and creates a new one without purging app data. But that's a separate bug.
Comment 1 Felix Botner univentionstaff 2017-05-26 16:56:39 CEST
univention-appcenter r79694, r79696
univention-appcenter.yaml r79695

* always (ro) map /etc/apt/apt.conf.d/80proxy into container 
  (proxy settings for apt-get)
* set proxy/http (http_proxy), proxy/https (https_proxy) and
  proxy/no_proxy (no_proxy) in container if set on the host
* both can be disabled by appcenter/docker/container/proxy/settings=no

Note!
 These env variable can not be changed afterwards, so changes to the proxy
 settings require a re-installation of the app
 Workaround:
  * stop container
  * edit env var in /var/lib/docker/containers/CONTAINER_ID/config.v2.json
  * restart docker
  * start container

QA:
 * if these changes are OK, please clone the Bug for errata4.1-4
Comment 2 Dirk Wiesenthal univentionstaff 2017-06-14 05:04:38 CEST
With these changes, I am able to access the internet from within a container.

YAML OK
Comment 3 Janek Walkenhorst univentionstaff 2017-06-15 17:58:15 CEST
<http://errata.software-univention.de/ucs/4.2/38.html>