How do I get Docker to run on a Windows system behind a corporate firewall?

Solution 1:

Windows Boot2Docker behind corporate proxy

(Context: March 2015, Windows 7, behind corporate proxy)

TLDR; see GitHub project VonC/b2d:

Clone it and:

  • configure ..\env.bat following the env.bat.template,
  • add the alias you want in the 'profile' file,
  • execute senv.bat then b2d.bat.

You then are in a properly customized boot2docker environment with:

  • an ssh session able to access internet behind corporate proxy when you type docker search/pull.
  • Dockerfiles able to access internet behind corporate proxy when they do an apt-get update/install and you type a docker build.

Installation and first steps

If you are admin of your workstation, you can run boot2docker install on your Windows.
It currently comes with:

  • Boot2Docker 1.5.0 (Docker v1.5.0, Linux v3.18.5)
  • Boot2Docker Management Tool v1.5.0
  • VirtualBox v4.3.20-r96997
  • msysGit v1.9.5-preview20141217

Then, once installed:

  • add c:\path\to\Boot2Docker For Windows\ in your %PATH%
  • (one time): boot2docker init
  • boot2docker start
  • boot2docker ssh
  • type exit to exit the ssh session, and boot2docker ssh to go back in: the history of commands you just typed is preserved.
  • if you want to close the VM, boot2docker stop

You actually can see the VM start or stop if you open the Virtual Box GUI, and type in a DOS cmd session boot2docker start or stop.


Hosts & Proxy: Windows => Boot2Docker => Docker Containers

The main point to understand is that you will need to manage 2 HOSTS:

  • your Windows workstation is the host to the Linux Tiny Core run by VirtualBox in order for you to define and run containers
    (%HOME%\.boot2docker\boot2docker.iso =>
    .%USERPROFILE%\VirtualBox VMs\boot2docker-vm\boot2docker-vm.vmdk),
  • Your boot2docker Linux Tiny Core is host to your containers that you will run.

In term of proxy, that means:

  • Your Windows Host must have set its HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variable (you probably have them already, and they can be used for instance by the Virtual Box to detect new versions of Virtual Box)
  • Your Tiny Core Host must have set http_proxy, https_proxy and no_proxy (note the case, lowercase in the Linux environment) for:
    • the docker service to be able to query/load images (for example: docker search nginx).
      If not set, the next docker pull will get you a dial tcp: lookup index.docker.io: no such host.
      This is set in a new file /var/lib/boot2docker/profile: it is profile, not .profile.
    • the docker account (to be set in /home/docker/.ashrc), if you need to execute any other command (other than docker) which would require internet access)
    • any Dockerfile that you would create (or the next RUN apt-get update will get you a, for example, Could not resolve 'http.debian.net').
      That means you must add the lines ENV http_proxy http://... first, before any RUN command requiring internet access.

A good no_proxy to set is:

.company,.sock,localhost,127.0.0.1,::1,192.168.59.103

(with '.company' the domain name of your company, for the internal sites)


Data persistence? Use folder sharing

The other point to understand is that boot2docker uses Tiny Core, a... tiny Linux distribution (the .iso file is only 26 MB).
And Tiny Core offers no persistence (except for a few technical folders): if you modify your ~/.ashrc with all your preferred settings and alias... the next boot2docker stop / boot2docker start will restore a pristine Linux environment, with your modification gone.

You need to make sure the VirtualBox has the Oracle_VM_VirtualBox_Extension_Pack downloaded and added in the Virtual Box / File / Settings / Extension / add the Oracle_VM_VirtualBox_Extension_Pack-4.x.yy-zzzzz.vbox-extpack file).

As documented in boot2docker, you will have access (from your Tiny Core ssh session) to /c/Users/<yourLogin> (ie the %USERPROFILE% is shared by Virtual Box)


Port redirection? For container and for VirtualBox VM

The final point to understand is that no port is exported by default:

  • your container ports are not visible from your Tiny Core host (you must use -p 80:80 for example in order to expose the 80 port of the container to the 80 port of the Linux session)
  • your Tiny Cort ports are not exported from your Virtual Box VM by default: even if your container is visible from within Tiny Core, your Windows browser won't see it: http://127.0.0.1 won't work "The connection was reset".

For the first point, docker run -it --rm --name my-apache-app -v "$PWD":/usr/local/apache2/htdocs/ httpd:2.4 won't work without a -p 80:80 in it.

For the second point, define an alias doskey vbm="c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" $*, and then: - if the Virtual Box 'boot2docker-vm' is not yet started, uses vbm modifyvm - if the Virtual Box 'boot2docker-vm' is already started, uses vbm controlvm

Typically, if I realize, during a boot2docker session, that the port 80 is not accessible from Windows:

vbm controlvm "boot2docker-vm" natpf1 "tcp-port80,tcp,,80,,80";
vbm controlvm "boot2docker-vm" natpf1 "udp-port80,udp,,80,,80";

Then, and only then, I can access http://127.0.0.1


Persistent settings: copied to docker service and docker account

In order to use boot2docker easily:

  • create on Windows a folder %USERPROFILE%\prog\b2d
  • add a .profile in it (directly in Windows, in%USERPROFILE%\prog\b2d), with your settings and alias.

For example (I modified the original /home/docker/.ashrc):

# ~/.ashrc: Executed by SHells.
#
. /etc/init.d/tc-functions
if [ -n "$DISPLAY" ]
then
        `which editor >/dev/null` && EDITOR=editor || EDITOR=vi
else
        EDITOR=vi
fi
export EDITOR

# Alias definitions.
#
alias df='df -h'
alias du='du -h'

alias ls='ls -p'
alias ll='ls -l'
alias la='ls -la'

alias d='dmenu_run &'
alias ce='cd /etc/sysconfig/tcedir'

export HTTP_PROXY=http://<user>:<pwd>@proxy.company:80
export HTTPS_PROXY=http://<user>:<pwd>@proxy.company:80
export NO_PROXY=.company,.sock,localhost,127.0.0.1,::1,192.168.59.103

export http_proxy=http://<user>:<password>@proxy.company:80
export https_proxy=http://<user>:<password>@proxy.company:80
export no_proxy=.company,.sock,localhost,127.0.0.1,::1,192.168.59.103

alias l='ls -alrt'
alias h=history
alias cdd='cd /c/Users/<user>/prog/b2d'

ln -fs /c/Users/<user>/prog/b2d /home/docker

(192.168.59.103 is usually the ip returned by boot2docker ip)


Putting everything together to start a boot2docker session: b2d.bat

  • create and add a b2d.bat script in your %PATH% which will:
    • start boot2docker
    • copy the right profile, both for the docker service (which is restarted) and for the /home/docker user account.
    • initiate an interactive ssh session

That is:

doskey vbm="c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" $*
boot2docker start
boot2docker ssh sudo cp -f /c/Users/<user>/prog/b2d/.profile /var/lib/boot2docker/profile
boot2docker ssh sudo /etc/init.d/docker restart
boot2docker ssh cp -f /c/Users/<user>/prog/b2d/.profile .ashrc
boot2docker ssh

In order to enter a new boot2docker session, with your settings defined exactly as you want, simply type:

b2d

And you are good to go:


End result:

  • a docker search xxx will work (it will access internet)
  • any docker build will work (it will access internet if the ENV http_proxy directives are there)
  • any Windows file from %USERPROFILE%\prog\b2d can be modified right from ~/b2d.
    Or you actually can write and modify those same files (like some Dockerfile) right from your Windows session, using your favorite editor (instead of vi)

And all this, behind a corporate firewall.


Bonus: http only

Tuan adds in the comments:

Maybe my company's proxy doesn't allow https. Here's my workaround:

  • boot2docker ssh,
    kill the docker process and
  • set the proxy export http_proxy=http://proxy.com, then
  • start docker with docker -d --insercure-registry docker.io