How can I make all my docker containers use my proxy?


Problem description

I am running docker on Debian Jessie which is behind a corporate proxy. To be able to download docker images, I need to add the following to my /etc/defaults/docker

http_proxy="http://localhost:3128/"

I can confirm that this works.

However, in order to be able to access the interwebz from within my container, I need to start all sessions with --net host and then setup these env variables:

export http_proxy=http://localhost:3128/
export https_proxy=https://localhost:3128/
export ftp_proxy=${http_proxy}

Ideally, I would like for the container to not need the host network, and not to know about the proxy (i.e. all outbound calls to port 20, 80, 443 in the container go via the host's proxy port). Is that possible?

Failing that, is it possible to have a site setup, which will ensure that these env variables are set locally but never exported as part of an image? I know I can pass these things with --env http_proxy=... etc, but that's clunky. I want it to work for all users on the system without having to use aliases.

(Disclaimer: I asked this on https://superuser.com/posts/890196 but the home for docker questions is a little ambiguous at the moment).

Recommended answer

See "Proxy all containers":

Host server runs a container running a proxy (squid, in this case) that can do transparent proxying. That container has some iptables rules that NAT traffic into the proxy server - this means that container needs to run in privileged mode.

Host server also contains (and here's the magic) ip route table entries that re-route all traffic from any container but the proxy that was destined for port 80, through the proxy container.

That last bit essentially means that for port 80 traffic, the route from container to the rest of the world goes through the proxy container - giving it the chance to NAT and transparent proxy.

https://github.com/silarsis/docker-proxy
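
A sketch of the routing described in the answer, added here as an illustration and not taken from the docker-proxy project: it prints the host-side policy-routing rules and the proxy-side NAT rule so they can be reviewed before use. The bridge name, proxy container address, squid intercept port, firewall mark and routing table number are all assumed values.

```shell
#!/bin/sh
# Added example: prints rules only, changes nothing by itself.
# Every value below is an assumption; adjust to the local setup.
BRIDGE="${BRIDGE:-docker0}"          # assumed Docker bridge interface
PROXY_IP="${PROXY_IP:-172.17.0.2}"   # assumed address of the proxy container
SQUID_PORT="${SQUID_PORT:-3129}"     # assumed squid intercept-mode port
MARK=1                               # arbitrary firewall mark
TABLE=100                            # arbitrary routing table id

# Accept only dotted-quad IPv4 addresses with octets in 0-255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Host side: mark TCP/80 traffic arriving from any container except the
# proxy, then send marked packets to the proxy container as next hop.
# Only port 80 is covered, as in the answer; HTTPS is not handled here.
host_rules() {
    valid_ipv4 "$PROXY_IP" || { echo "bad PROXY_IP: $PROXY_IP" >&2; return 1; }
    cat <<EOF
iptables -t mangle -A PREROUTING -i $BRIDGE ! -s $PROXY_IP -p tcp --dport 80 -j MARK --set-mark $MARK
ip rule add fwmark $MARK table $TABLE
ip route add default via $PROXY_IP dev $BRIDGE table $TABLE
EOF
}

# Proxy container side (this is why it runs privileged): hand routed
# port-80 traffic to the local squid listener.
proxy_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
EOF
}

# Usage: pass "host" or "proxy" as the first argument to print that rule set.
case "${1:-}" in
    host)  host_rules ;;
    proxy) proxy_rules ;;
esac
```

Once reviewed, the printed rules can be piped to `sh` as root on the host and inside the proxy container respectively.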
