
Support for using Docker daemon behind proxy

Open rdt712 opened this issue 5 years ago • 8 comments

Currently, using Docker in Docker does not work behind a proxy when running the code build images locally. The Docker daemon requires a proxy to be set using systemctl, which is not available on the image, so I am unable to reach out to the Docker registry to pull images when building a new image. Building artifacts works perfectly fine, but it would be nice if I could build a docker image within the Code Build image locally to help with testing, rather than testing that using the actual Code Build service.

rdt712 avatar Jun 05 '20 15:06 rdt712

Any updates on this?

If I'm trying to set docker.conf

[Container] 2021/01/13 13:40:59 Entering phase PRE_BUILD
[Container] 2021/01/13 13:40:59 Running command mkdir -p /etc/systemd/system/docker.service.d
[Container] 2021/01/13 13:40:59 Running command echo "[Service]" >> /etc/systemd/system/docker.service.d/http-proxy.conf
[Container] 2021/01/13 13:40:59 Running command echo "Environment='HTTP_PROXY=http://server-proxy.zz:3128'" >> /etc/systemd/system/docker.service.d/http-proxy.conf
[Container] 2021/01/13 13:40:59 Running command echo "Environment='HTTPS_PROXY=http://server-proxy.zz:3128'" >> /etc/systemd/system/docker.service.d/http-proxy.conf
[Container] 2021/01/13 13:40:59 Running command echo "Environment='NO_PROXY=.we.whatever.de,.ecr.eu-central-1.amazonaws.com'" >> /etc/systemd/system/docker.service.d/http-proxy.conf
[Container] 2021/01/13 13:40:59 Running command systemctl daemon-reload
Failed to get D-Bus connection: Operation not permitted

I get Failed to get D-Bus connection: Operation not permitted. From an enterprise perspective, this feature is needed.

Zirkonium88 avatar Jan 13 '21 13:01 Zirkonium88

Same issue here, but realised systemd does not actually run inside the container so my script kills the docker daemon and starts it again with the proxy environment variables set. It would be nice not to have to do that since the pipeline already is configured with the correct environment variables.

dimitriosstander avatar Jan 29 '21 10:01 dimitriosstander

You can use the docker:dind (docker in docker) image as your build image to work around this issue, but I'd also like to see an option to make this work with AWS-provided images.

Nookyx avatar Feb 06 '21 01:02 Nookyx

@dimitriosstander can you please share your script that kills and restarts the docker daemon in codebuild? I am having the same issue.

scottsizemore avatar Feb 21 '21 17:02 scottsizemore

Here are the steps to restart docker within CodeBuild if anyone needs it in order to utilize proxy:

env:
  variables:
    HTTP_PROXY: "http://x.x.x.x:yyyy"
    HTTPS_PROXY: "https://x.x.x.x:zzzz"
    NO_PROXY: "169.254.169.254,*.amazonaws.com"

phases:
  pre_build:
    commands:
      - docker system info
      - kill $(cat /var/run/docker.pid)
      - while kill -0 $(cat /var/run/docker.pid) ; do sleep 1 ; done
      - /usr/local/bin/dockerd-entrypoint.sh
      - docker system info

When docker system info first runs, HTTP Proxy and HTTPS Proxy from environment variables are not included and docker build fails to connect to registry because proxy is not utilized. However, after killing and restarting docker, docker system info correctly includes HTTP Proxy and HTTPS Proxy from environment variables and docker build successfully connects to registry, utilizing the specified proxy.

scottsizemore avatar Feb 21 '21 21:02 scottsizemore
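
A hardened variant of the restart steps above, as an added example that is not part of the original post: it bounds the wait for the old daemon to exit and turns the "does `docker system info` show the proxy" check into a build gate. The function names and the 30-second limit are assumptions, and the comparison assumes proxy URLs without embedded credentials.

```bash
#!/bin/sh
# Added example; function names and the 30 s default are assumptions.

# Wait for the process named in a pid file to exit, but give up after
# <limit> seconds instead of looping forever.
# Returns 0 once the process is gone (or the pid file is missing or empty),
# 1 if it is still alive when the limit is reached.
wait_for_exit() {
    pidfile=$1
    limit=${2:-30}
    waited=0
    while pid=$(cat "$pidfile" 2>/dev/null) && [ -n "$pid" ] &&
          kill -0 "$pid" 2>/dev/null; do
        [ "$waited" -lt "$limit" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Read `docker system info` text on stdin and succeed only when the
# "HTTP Proxy" and "HTTPS Proxy" lines equal the expected values.
# Assumes proxy URLs without embedded credentials.
daemon_has_proxy() {
    want_http=$1
    want_https=$2
    info=$(cat)
    got_http=$(printf '%s\n' "$info" | sed -n 's/^ *HTTP Proxy: *//p')
    got_https=$(printf '%s\n' "$info" | sed -n 's/^ *HTTPS Proxy: *//p')
    [ "$got_http" = "$want_http" ] && [ "$got_https" = "$want_https" ]
}

# Intended use in pre_build, in place of the unbounded loop:
#   kill "$(cat /var/run/docker.pid)"
#   wait_for_exit /var/run/docker.pid 30 || exit 1
#   /usr/local/bin/dockerd-entrypoint.sh
#   docker system info | daemon_has_proxy "$HTTP_PROXY" "$HTTPS_PROXY" || exit 1
```

Failing the build when the daemon does not report the expected proxy surfaces the misconfiguration before `docker build` attempts any registry traffic.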

Any updates on this? I'm using a CodeBuild within a private corporate network that uses a proxy and I get this error when I try to build a python image:

Step 1/11 : FROM python:3.8.6-slim
Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority

Even though I already provided the proxy when running the build: docker build --build-arg http_proxy=<proxy>

SlimenTN avatar Feb 26 '21 17:02 SlimenTN

It may be needed to trust a proxy's self-signed certificate or a corporate private CA. When building the image, running something like this can be used to blindly trust on the fly, though ideally a known good file with the full CA trust chain is supplied. Replace DOCKER_PROXY with HTTPS_PROXY if that is the variable exported. These may need to be changed to match the Linux distribution in use. I cannot find where I got it from.

- mkdir -p /etc/docker/certs.d/"$DOCKER_PROXY"
- openssl s_client -showcerts -connect "$DOCKER_PROXY":443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/"$DOCKER_PROXY"/ca.crt
- cp /etc/docker/certs.d/"$DOCKER_PROXY"/ca.crt /etc/pki/ca-trust/source/anchors
- /bin/update-ca-trust

dimitriosstander avatar Feb 27 '21 00:02 dimitriosstander
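
The "known good file" alternative mentioned in the post above, as an added example that is not part of the thread: a CA bundle delivered with the build is installed only when its SHA-256 digest matches a value pinned in the build configuration, so nothing fetched from the network at build time becomes a trust anchor. `install_pinned_ca`, `corp-ca.pem` and `CA_BUNDLE_SHA256` are hypothetical names.

```bash
#!/bin/sh
# Added example; install_pinned_ca and its arguments are assumptions.

# install_pinned_ca <bundle.pem> <expected-sha256-hex> <dest-dir>
# Copies the bundle to <dest-dir>/ca.crt only when its SHA-256 digest equals
# the pinned value. Returns 0 on install, 1 on digest mismatch, 2 when the
# file is missing, empty or holds no PEM certificate.
install_pinned_ca() {
    bundle=$1
    pinned=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    dest=$3

    if [ ! -s "$bundle" ] ||
       ! grep -q -e '-----BEGIN CERTIFICATE-----' "$bundle"; then
        echo "not a usable PEM bundle: $bundle" >&2
        return 2
    fi

    actual=$(sha256sum "$bundle" | cut -d' ' -f1)
    if [ "$actual" != "$pinned" ]; then
        echo "CA bundle digest mismatch: got $actual" >&2
        return 1
    fi

    mkdir -p "$dest" && cp "$bundle" "$dest/ca.crt"
}

# Intended use in the build, with the pin stored in the build configuration
# (CA_BUNDLE_SHA256 is a placeholder name) and the paths from the post:
#   install_pinned_ca corp-ca.pem "$CA_BUNDLE_SHA256" \
#       /etc/docker/certs.d/"$DOCKER_PROXY" || exit 1
#   cp /etc/docker/certs.d/"$DOCKER_PROXY"/ca.crt /etc/pki/ca-trust/source/anchors
#   /bin/update-ca-trust
```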

Here are the steps to restart docker within CodeBuild if anyone needs it in order to utilize proxy:

env:
  variables:
    HTTP_PROXY: "http://x.x.x.x:yyyy"
    HTTPS_PROXY: "https://x.x.x.x:zzzz"
    NO_PROXY: "169.254.169.254,*.amazonaws.com"

phases:
  pre_build:
    commands:
      - docker system info
      - kill $(cat /var/run/docker.pid)
      - while kill -0 $(cat /var/run/docker.pid) ; do sleep 1 ; done
      - /usr/local/bin/dockerd-entrypoint.sh
      - docker system info

When docker system info first runs, HTTP Proxy and HTTPS Proxy from environment variables are not included and docker build fails to connect to registry because proxy is not utilized. However, after killing and restarting docker, docker system info correctly includes HTTP Proxy and HTTPS Proxy from environment variables and docker build successfully connects to registry, utilizing the specified proxy.

It worked for me! Thanks!

gauravkbansal avatar Jun 26 '22 12:06 gauravkbansal