Add http(s) proxy properties to daemon configuration (carry 42647)#42835
Merged
thaJeztah merged 6 commits intomoby:masterfrom Oct 28, 2021
Merged
Add http(s) proxy properties to daemon configuration (carry 42647)#42835thaJeztah merged 6 commits intomoby:masterfrom
thaJeztah merged 6 commits intomoby:masterfrom
Conversation
thaJeztah
added
status/2-code-review
impact/changelog
docs/revisit
area/daemon
Member
Author
thaJeztah
commented
Sep 9, 2021
| } | ||
|
|
||
| func TestDaemonProxy(t *testing.T) { | ||
| skip.If(t, runtime.GOOS == "windows", "cannot start multiple daemons on windows") |
Member
Author
There was a problem hiding this comment.
If someone knows if we can somehow test this in Windows CI, let me know 😅
Member
Author
There was a problem hiding this comment.
Looks like we may have to skip this on rootless as well; it's not connecting to the "proxy". Not exactly sure why it would not be supported by rootless though, but perhaps something in how networking is set up there? 🤔
=== RUN TestDaemonProxy/environment_variables
daemon_test.go:183: assertion failed: (received string) != example.org:5000 (string)
--- FAIL: TestDaemonProxy/environment_variables (0.53s)
time="2021-09-09T12:24:03.244052911Z" level=debug msg="Calling POST /v1.42/images/create?fromImage=example.org%3A5000%2Fsome%2Fimage&tag=latest"
time="2021-09-09T12:24:03.251949489Z" level=debug msg="hostDir: /home/unprivilegeduser/.config/docker/certs.d/example.org:5000"
time="2021-09-09T12:24:03.251995467Z" level=debug msg="Trying to pull example.org:5000/some/image from https://example.org:5000 v2"
time="2021-09-09T12:24:03.252172111Z" level=warning msg="Error getting v2 registry: Get \"https://example.org:5000/v2/\": proxyconnect tcp: dial tcp 127.0.0.1:45999: connect: connection refused"
time="2021-09-09T12:24:03.252193892Z" level=info msg="Attempting next endpoint for pull after error: Get \"https://example.org:5000/v2/\": proxyconnect tcp: dial tcp 127.0.0.1:45999: connect: connection refused"
time="2021-09-09T12:24:03.255022400Z" level=error msg="Handler for POST /v1.42/images/create returned error: Get \"https://example.org:5000/v2/\": proxyconnect tcp: dial tcp 127.0.0.1:45999: connect: connection refused"
thaJeztah
commented
Sep 9, 2021
thaJeztah
commented
Sep 9, 2021
| } | ||
|
|
||
| func TestDaemonProxy(t *testing.T) { | ||
| skip.If(t, runtime.GOOS == "windows", "cannot start multiple daemons on windows") |
Member
Author
There was a problem hiding this comment.
Looks like we may have to skip this on rootless as well; it's not connecting to the "proxy". Not exactly sure why it would not be supported by rootless though, but perhaps something in how networking is set up there? 🤔
=== RUN TestDaemonProxy/environment_variables
daemon_test.go:183: assertion failed: (received string) != example.org:5000 (string)
--- FAIL: TestDaemonProxy/environment_variables (0.53s)
time="2021-09-09T12:24:03.244052911Z" level=debug msg="Calling POST /v1.42/images/create?fromImage=example.org%3A5000%2Fsome%2Fimage&tag=latest"
time="2021-09-09T12:24:03.251949489Z" level=debug msg="hostDir: /home/unprivilegeduser/.config/docker/certs.d/example.org:5000"
time="2021-09-09T12:24:03.251995467Z" level=debug msg="Trying to pull example.org:5000/some/image from https://example.org:5000 v2"
time="2021-09-09T12:24:03.252172111Z" level=warning msg="Error getting v2 registry: Get \"https://example.org:5000/v2/\": proxyconnect tcp: dial tcp 127.0.0.1:45999: connect: connection refused"
time="2021-09-09T12:24:03.252193892Z" level=info msg="Attempting next endpoint for pull after error: Get \"https://example.org:5000/v2/\": proxyconnect tcp: dial tcp 127.0.0.1:45999: connect: connection refused"
time="2021-09-09T12:24:03.255022400Z" level=error msg="Handler for POST /v1.42/images/create returned error: Get \"https://example.org:5000/v2/\": proxyconnect tcp: dial tcp 127.0.0.1:45999: connect: connection refused"
db8edec to
cb5cfa0
Compare
tianon
reviewed
Sep 13, 2021
Comment on lines
+786
to
+797
| if p := conf.HTTPProxy; p != "" { | ||
| _ = os.Setenv("HTTP_PROXY", p) | ||
| _ = os.Setenv("http_proxy", p) | ||
| } | ||
| if p := conf.HTTPSProxy; p != "" { | ||
| _ = os.Setenv("HTTPS_PROXY", p) | ||
| _ = os.Setenv("https_proxy", p) | ||
| } | ||
| if p := conf.NoProxy; p != "" { | ||
| _ = os.Setenv("NO_PROXY", p) | ||
| _ = os.Setenv("no_proxy", p) | ||
| } |
Member
There was a problem hiding this comment.
I'm probably overthinking this, but we likely want the precedence of these to remain familiar to users, right? CLI flag > environment variable > config file? I'm not sure what the best way to accomplish that would be (nor if it's even worth doing so).
(If we were able to resolve that disparity somehow, we could probably remove the getConfigOrEnv function. 😬)
Member
Author
There was a problem hiding this comment.
Hmm.. good point.
I recall we had discussions around that when daemon.json was implemented. Afaik, we currently treat --some-option and configfile.some-option to be at the same level (which is why the daemon produces a "conflicting options" error if both are set). IIRC, the motivation at the time was that --some-option would be usually set in a config-file as well (e.g. a systemd unit), and therefore to be at the same level of priority.
I thought we made them both > env-var, but looks like for, e.g.DOCKER_DRIVER, we make the env-var take precedence, i.e. the following will use overlay2, not vfs;
DOCKER_DRIVER=overlay2 dockerd --debug --storage-driver=vfsI thought it would make sense to make the config (or --flag) > env-var to allow overriding any default proxy that's set in the environment, but perhaps that was the wrong idea 🤔
Member
Author
There was a problem hiding this comment.
^^ discussing the above in the maintainers meeting, and we'll keep the current implementation (allowboth --flag and daemon.json to override the "system" configuration), but if we find that a proxy env-var is present, we'll print a warning in the daemon logs.
thaJeztah
force-pushed
the
proxy_daemon_config_carry2
branch
2 times, most recently
from
3bf661f to
f948e6e
Compare
Member
Author
|
Added a warning if we're overriding the "system" value (environment variables); HTTPS_PROXY="https://user:[email protected]" \
https_proxy="https://user:[email protected]" \
HTTP_PROXY="http://user:[email protected]" \
http_proxy="http://user:[email protected]" \
NO_PROXY="*" \
no_proxy="*" \
dockerd --https-proxy="https://user:[email protected]" --http-proxy="http://user:[email protected]" --no-proxy="hello"
WARN[2021-09-17T14:55:36.554465385Z] overriding existing proxy variable with value from configuration name=HTTP_PROXY new-value="http://xxxxx:[email protected]" old-value="http://xxxxx:[email protected]"
WARN[2021-09-17T14:55:36.554547154Z] overriding existing proxy variable with value from configuration name=http_proxy new-value="http://xxxxx:[email protected]" old-value="http://xxxxx:[email protected]"
WARN[2021-09-17T14:55:36.554572109Z] overriding existing proxy variable with value from configuration name=HTTPS_PROXY new-value="https://xxxxx:[email protected]" old-value="https://xxxxx:[email protected]"
WARN[2021-09-17T14:55:36.554617061Z] overriding existing proxy variable with value from configuration name=https_proxy new-value="https://xxxxx:[email protected]" old-value="https://xxxxx:[email protected]"
WARN[2021-09-17T14:55:36.554627868Z] overriding existing proxy variable with value from configuration name=NO_PROXY new-value=hello old-value="*"
WARN[2021-09-17T14:55:36.554683409Z] overriding existing proxy variable with value from configuration name=no_proxy new-value=hello old-value="*"@tianon PTAL |
thaJeztah
force-pushed
the
proxy_daemon_config_carry2
branch
from
f948e6e to
828b449
Compare
Member
Author
Hm... looks like I didn't push those changes? 🤔 😂 |
Member
Author
|
Hmm somehow I broke the "reload" test. Not sure how |
Member
|
The reload code paths shouldn't even hit this code, right? (Otherwise it would/should print a warning at most 😕) |
Member
Author
The reload code should print the active configuration that it loaded. Thinking now if it also does so if nothing changed, or only if a "reloadable" configuration was updated 🤔 |
Member
Author
|
Looks like it's either a race-condition, or something else is happening when reloading the config that causes the test-utility to not read the full content. Here's a diff between what the test found, and what's in the actual daemon logs for that test daemon (downloaded bundle); diff --git a/./test_output.log b/./docker.log
index 923aa3d..f39707b 100644
--- a/./test_output.log
+++ b/./docker.log
@@ -213,3 +213,17 @@ time="2021-09-20T13:42:37.511662185Z" level=debug msg="Registering DELETE, /netw
time="2021-09-20T13:42:37.512786542Z" level=info msg="API listen on /tmp/docker-integration/d76f680f641d9.sock"
time="2021-09-20T13:42:37.810621126Z" level=debug msg="Calling GET /_ping"
time="2021-09-20T13:42:37.810994855Z" level=debug msg="Calling GET /info"
+time="2021-09-20T13:42:37.818311878Z" level=info msg="Got signal to reload configuration, reloading from: /etc/docker/daemon.json"
+time="2021-09-20T13:42:37.818446122Z" level=debug msg="Reset Max Concurrent Downloads: 3"
+time="2021-09-20T13:42:37.818465007Z" level=debug msg="Reset Max Concurrent Uploads: 5"
+time="2021-09-20T13:42:37.818474917Z" level=debug msg="Reset Max Download Attempts: 5"
+time="2021-09-20T13:42:37.819029352Z" level=info msg="Reloaded configuration: {\"storage-driver\":\"overlay2\",\"mtu\":1500,\"pidfile\":\"/go/src/github.com/docker/docker/bundles/test-integration/TestDaemonProxy/reload_sanitized/d76f680f641d9/docker.pid\",\"data-root\":\"/go/src/github.com/docker/docker/bundles/test-integration/TestDaemonProxy/reload_sanitized/d76f680f641d9/root\",\"exec-root\":\"/tmp/dxr/d76f680f641d9\",\"group\":\"docker\",\"deprecated-key-path\":\"/etc/docker/key.json\",\"max-concurrent-downloads\":3,\"max-concurrent-uploads\":5,\"max-download-attempts\":5,\"shutdown-timeout\":15,\"debug\":true,\"hosts\":[\"unix:///tmp/docker-integration/d76f680f641d9.sock\"],\"log-level\":\"info\",\"swarm-default-advertise-addr\":\"\",\"swarm-raft-heartbeat-tick\":0,\"swarm-raft-election-tick\":0,\"metrics-addr\":\"\",\"host-gateway-ip\":\"172.18.0.1\",\"log-driver\":\"json-file\",\"ip\":\"0.0.0.0\",\"icc\":true,\"iptables\":true,\"ip-forward\":true,\"ip-masq\":true,\"userland-proxy\":true,\"default-address-pools\":{\"Values\":null},\"network-control-plane-mtu\":1500,\"experimental\":false,\"containerd\":\"/var/run/docker/containerd/containerd.sock\",\"builder\":{\"GC\":{},\"Entitlements\":{}},\"containerd-namespace\":\"d76f680f641d9\",\"containerd-plugin-namespace\":\"d76f680f641d9p\",\"runtimes\":{\"io.containerd.runc.v2\":{\"path\":\"runc\"},\"io.containerd.runtime.v1.linux\":{\"path\":\"runc\"},\"runc\":{\"path\":\"runc\"}},\"default-runtime\":\"runc\",\"seccomp-profile\":\"builtin\",\"default-shm-size\":67108864,\"default-ipc-mode\":\"private\",\"default-cgroupns-mode\":\"private\",\"resolv-conf\":\"/etc/resolv.conf\",\"http-proxy\":\"https://xxxxx:[email protected]\",\"https-proxy\":\"https://xxxxx:[email protected]\",\"no-proxy\":\"example.com\"}"
+time="2021-09-20T13:42:37.819650900Z" level=info msg="Processing signal 'interrupt'"
+time="2021-09-20T13:42:37.819752770Z" level=debug msg="daemon configured with a 15 seconds minimum shutdown timeout"
+time="2021-09-20T13:42:37.819783138Z" level=debug msg="start clean shutdown of all containers with a 15 seconds timeout..."
+time="2021-09-20T13:42:37.819821110Z" level=debug msg="found 0 orphan layers"
+time="2021-09-20T13:42:37.820970956Z" level=debug msg="Unix socket /tmp/dxr/d76f680f641d9/libnetwork/86a2f8b505ab.sock doesn't exist. cannot accept client connections"
+time="2021-09-20T13:42:37.821025906Z" level=debug msg="Cleaning up old mountid : start."
+time="2021-09-20T13:42:37.821538602Z" level=debug msg="Cleaning up old mountid : done."
+time="2021-09-20T13:42:37.821950436Z" level=debug msg="Clean shutdown succeeded"
+time="2021-09-20T13:42:37.821968287Z" level=info msg="Daemon shutdown complete" |
thaJeztah
commented
Sep 21, 2021
|
|
||
| // ReadLogFile returns the content of the daemon log file | ||
| func (d *Daemon) ReadLogFile() ([]byte, error) { | ||
| _ = d.logFile.Sync() |
Member
Author
There was a problem hiding this comment.
YOLO; wondering if it's just not written to disk the moment we try to read it 🤔
Member
Author
There was a problem hiding this comment.
Looks "better", but still flaky
So, looks like test-integration-flaky (perhaps because of the subtests) runs the test 25 times in total:
cd /Users/sebastiaan/Downloads/bundles/1/test-integration-flaky/TestDaemonProxy/reload_sanitized
ls -l
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 d03a7aefa903c/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 d12825289bf2b/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 d35d0bbf7367a/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 d47371778e153/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 d4c7283bf1c32/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 d59a9befb682b/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 d5c38961c3cca/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 d5c6cf3878a96/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 d5f09c9777209/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 d6e6a3dc8339f/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 d7ef34388452f/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 d7fc5ed00fc65/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 d83c195f1c19d/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 d9ac12b0678f4/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 d9da71ee7bf96/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 db95143c8d488/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 dba5677b1543e/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 dbe1bc8fb4409/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 dc09093c6ca96/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 dc3a50433e7c6/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 dc7d0850ec28a/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 dd0482bb66e57/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 dd4312712c345/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 ddc2b2078d2bb/
drwxr-xr-x@ 3 sebastiaan staff 96 Sep 21 16:06 def3e032e5255/Checking if logs for all of those contains the Reloaded configuration string, that looks to be the case:
grep -lr 'Reloaded configuration' . | wc -l
25But the test failed twice;
grep -r 'does not contain "Reloaded configuration:"' . | wc -l
2
Member
Author
There was a problem hiding this comment.
The failure that was reported was in d9ac12b0678f4, but it also has the string, but I do see it ran into another failure with the libnetwork socket, but that looks to be in the shutdown cycle;
time="2021-09-21T12:55:04.290097255Z" level=info msg="API listen on /tmp/docker-integration/d9ac12b0678f4.sock"
time="2021-09-21T12:55:04.414946112Z" level=debug msg="Calling GET /_ping"
time="2021-09-21T12:55:04.415317278Z" level=debug msg="Calling GET /info"
time="2021-09-21T12:55:04.430754586Z" level=info msg="Got signal to reload configuration, reloading from: /etc/docker/daemon.json"
time="2021-09-21T12:55:04.431178648Z" level=debug msg="Reset Max Concurrent Downloads: 3"
time="2021-09-21T12:55:04.431201851Z" level=debug msg="Reset Max Concurrent Uploads: 5"
time="2021-09-21T12:55:04.431221426Z" level=debug msg="Reset Max Download Attempts: 5"
time="2021-09-21T12:55:04.432309643Z" level=info msg="Reloaded configuration: {\"storage-driver\":\"overlay2\",\"mtu\":1500,\"pidfile\":\"/go/src/github.com/docker/docker/bundles/test-integration-flaky/TestDaemonProxy/reload_sanitized/d9ac12b0678f4/docker.pid\",\"data-root\":\"/go/src/github.com/docker/docker/bundles/test-integration-flaky/TestDaemonProxy/reload_sanitized/d9ac12b0678f4/root\",\"exec-root\":\"/tmp/dxr/d9ac12b0678f4\",\"group\":\"docker\",\"deprecated-key-path\":\"/etc/docker/key.json\",\"max-concurrent-downloads\":3,\"max-concurrent-uploads\":5,\"max-download-attempts\":5,\"shutdown-timeout\":15,\"debug\":true,\"hosts\":[\"unix:///tmp/docker-integration/d9ac12b0678f4.sock\"],\"log-level\":\"info\",\"swarm-default-advertise-addr\":\"\",\"swarm-raft-heartbeat-tick\":0,\"swarm-raft-election-tick\":0,\"metrics-addr\":\"\",\"host-gateway-ip\":\"172.18.0.1\",\"log-driver\":\"json-file\",\"ip\":\"0.0.0.0\",\"icc\":true,\"iptables\":true,\"ip-forward\":true,\"ip-masq\":true,\"userland-proxy\":true,\"default-address-pools\":{\"Values\":null},\"network-control-plane-mtu\":1500,\"experimental\":false,\"containerd\":\"/var/run/docker/containerd/containerd.sock\",\"builder\":{\"GC\":{},\"Entitlements\":{}},\"containerd-namespace\":\"d9ac12b0678f4\",\"containerd-plugin-namespace\":\"d9ac12b0678f4p\",\"runtimes\":{\"io.containerd.runc.v2\":{\"path\":\"runc\"},\"io.containerd.runtime.v1.linux\":{\"path\":\"runc\"},\"runc\":{\"path\":\"runc\"}},\"default-runtime\":\"runc\",\"seccomp-profile\":\"builtin\",\"default-shm-size\":67108864,\"default-ipc-mode\":\"private\",\"default-cgroupns-mode\":\"host\",\"resolv-conf\":\"/etc/resolv.conf\",\"http-proxy\":\"https://xxxxx:[email protected]\",\"https-proxy\":\"https://xxxxx:[email protected]\",\"no-proxy\":\"example.com\"}"
time="2021-09-21T12:55:04.435328719Z" level=info msg="Processing signal 'interrupt'"
time="2021-09-21T12:55:04.435439253Z" level=debug msg="daemon configured with a 15 seconds minimum shutdown timeout"
time="2021-09-21T12:55:04.435514624Z" level=debug msg="start clean shutdown of all containers with a 15 seconds timeout..."
time="2021-09-21T12:55:04.435590112Z" level=debug msg="found 0 orphan layers"
time="2021-09-21T12:55:04.437848674Z" level=debug msg="Unix socket /tmp/dxr/d9ac12b0678f4/libnetwork/f7725651065a.sock doesn't exist. cannot accept client connections"
time="2021-09-21T12:55:04.437938435Z" level=debug msg="Cleaning up old mountid : start."
time="2021-09-21T12:55:04.439961024Z" level=debug msg="Cleaning up old mountid : done."
time="2021-09-21T12:55:04.444201003Z" level=debug msg="Clean shutdown succeeded"
time="2021-09-21T12:55:04.444236880Z" level=info msg="Daemon shutdown complete"
The same failure is appearing in all of them, it seems:
grep -lr 'cannot accept client connections' . | wc -l
25Actually; perhaps even in all tests that shutdown the daemon (running within the bundles top level directory);
grep -lr 'cannot accept client connections' . | wc -l
419
thaJeztah
force-pushed
the
proxy_daemon_config_carry2
branch
from
a24db0f to
016981c
Compare
tianon
approved these changes
Sep 24, 2021
Member
tianon
left a comment
tianon
left a comment
There was a problem hiding this comment.
LGTM, although with a minor note 👀
thaJeztah
force-pushed
the
proxy_daemon_config_carry2
branch
from
016981c to
ccc6f9e
Compare
thaJeztah
commented
Sep 27, 2021
Comment on lines
+326
to
+332
| // FIXME: there appears to ba a race condition, which causes ReadLogFile | ||
| // to not contain the full logs after signaling the daemon to reload, | ||
| // causing the test will fail here. As a workaround, check if we | ||
| // received the "reloaded" message after signaling, and only then | ||
| // check that it's sanitized properly. For more details on this | ||
| // issue, see https://github.com/moby/moby/pull/42835/files#r713120315 | ||
| if strings.Contains(string(logs), "Reloaded configuration:") { |
Member
Author
There was a problem hiding this comment.
Running out of ideas on where the race condition is, and how to work around it. From CI, it looks like it's passing 23 out of 25 times (roughly 92% passes), so using this workaround to only verify if we actually read the logs with the "Reloaded configuration" message, otherwise skip the check.
If anyone has ideas how to fix the root cause of the race condition; let me know , then we can remove this hack
Member
There was a problem hiding this comment.
Should we put in a t.Skip or something? Too bad there's not something that's the opposite of -short like -extended for tests like this. 😅
Member
Author
There was a problem hiding this comment.
Ah, yes, a t.Skip() could make sense; didn't come to mind, because we would normally do that only at the start of a test, but I guess it's ok to do it elsewhere.
I'll update
thaJeztah
force-pushed
the
proxy_daemon_config_carry2
branch
from
ccc6f9e to
50793bc
Compare
Member
Author
|
Failures are unrelated (see #42892) |
thaJeztah
force-pushed
the
proxy_daemon_config_carry2
branch
from
50793bc to
215d461
Compare
tianon
approved these changes
Oct 21, 2021
Comment on lines
+326
to
+332
| // FIXME: there appears to ba a race condition, which causes ReadLogFile | ||
| // to not contain the full logs after signaling the daemon to reload, | ||
| // causing the test will fail here. As a workaround, check if we | ||
| // received the "reloaded" message after signaling, and only then | ||
| // check that it's sanitized properly. For more details on this | ||
| // issue, see https://github.com/moby/moby/pull/42835/files#r713120315 | ||
| if strings.Contains(string(logs), "Reloaded configuration:") { |
Member
There was a problem hiding this comment.
Should we put in a t.Skip or something? Too bad there's not something that's the opposite of -short like -extended for tests like this. 😅
thaJeztah
force-pushed
the
proxy_daemon_config_carry2
branch
from
215d461 to
82efc3e
Compare
Member
Author
|
Rebased, and updated the test to use |
Member
Author
|
Failures are unrelated and will be fixed / addressed by #42960 |
tianon
approved these changes
Oct 25, 2021
This allows the utility to be used in other places. Signed-off-by: Sebastiaan van Stijn <[email protected]>
This allows configuring the daemon's proxy server through the daemon.json con-
figuration file or command-line flags configuration file, in addition to the
existing option (through environment variables).
Configuring environment variables on Windows to configure a service is more
complicated than on Linux, and adding alternatives for this to the daemon con-
figuration makes the configuration more transparent and easier to use.
The configuration as set through command-line flags or through the daemon.json
configuration file takes precedence over env-vars in the daemon's environment,
which allows the daemon to use a different proxy. If both command-line flags
and a daemon.json configuration option is set, an error is produced when starting
the daemon.
Note that this configuration is not "live reloadable" due to Golang's use of
`sync.Once()` for proxy configuration, which means that changing the proxy
configuration requires a restart of the daemon (reload / SIGHUP will not update
the configuration.
With this patch:
cat /etc/docker/daemon.json
{
"http-proxy": "http://proxytest.example.com:80",
"https-proxy": "https://proxytest.example.com:443"
}
docker pull busybox
Using default tag: latest
Error response from daemon: Get "https://registry-1.docker.io/v2/": proxyconnect tcp: dial tcp: lookup proxytest.example.com on 127.0.0.11:53: no such host
docker build .
Sending build context to Docker daemon 89.28MB
Step 1/3 : FROM golang:1.16-alpine AS base
Get "https://registry-1.docker.io/v2/": proxyconnect tcp: dial tcp: lookup proxytest.example.com on 127.0.0.11:53: no such host
Integration tests were added to test the behavior:
- verify that the configuration through all means are used (env-var,
command-line flags, damon.json), and used in the expected order of
preference.
- verify that conflicting options produce an error.
Signed-off-by: Anca Iordache <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
The proxy configuration works, but looks like we're unable to connect to the
test proxy server as part of our test;
level=debug msg="Trying to pull example.org:5000/some/image from https://example.org:5000 v2"
level=warning msg="Error getting v2 registry: Get \"https://example.org:5000/v2/\": proxyconnect tcp: dial tcp 127.0.0.1:45999: connect: connection refused"
level=info msg="Attempting next endpoint for pull after error: Get \"https://example.org:5000/v2/\": proxyconnect tcp: dial tcp 127.0.0.1:45999: connect: connection refused"
level=error msg="Handler for POST /v1.42/images/create returned error: Get \"https://example.org:5000/v2/\": proxyconnect tcp: dial tcp 127.0.0.1:45999: connect: connection refused"
Signed-off-by: Sebastiaan van Stijn <[email protected]>
The daemon can print the proxy configuration as part of error-messages, and when reloading the daemon configuration (SIGHUP). Make sure that the configuration is sanitized before printing. Signed-off-by: Sebastiaan van Stijn <[email protected]>
For consistency, and to allow easier grepping for all tests that we skip on windows. Signed-off-by: Sebastiaan van Stijn <[email protected]>
Make sure it's written to disk before we try reading the logs. Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
force-pushed
the
proxy_daemon_config_carry2
branch
from
82efc3e to
e7583ab
Compare
Member
Author
|
Looks like we're (fairly consistently) hitting cleanup errors from arm64 and cgroup2. In both cases, Jenkins is complaining about files from Interesting case is that in the I guess that could be explained because the test starts to separate daemons; one rootless, and one not; moby/integration/build/build_userns_linux_test.go Lines 39 to 42 in 085c6a9 moby/integration/build/build_userns_linux_test.go Lines 90 to 92 in 085c6a9 Wondering if one of those daemons is not succesfully killed, and therefore causing the permission denied |
Member
Author
|
Nothing immediately apparent in the logs for that test; there's indeed a file non-userns daemon logs (looks to have shutdown, but does show a uerns daemon also shut down (but had no containers running); Full logs for both: |
tonistiigi
approved these changes
Oct 28, 2021
This was referenced Dec 3, 2021
This was referenced Apr 12, 2023
This was referenced May 19, 2023
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
daemon.jsonchanged in a follow-up; #43448The new format uses a
"proxies"key that holds the proxies;{ "proxies": { "http-proxy": "http-config", "https-proxy": "https-config", "no-proxy": "no-proxy-config" } }carry of #42647
fixes #24758
closes #42647
addresses #40201
This allows configuring the daemon's proxy server through the daemon.json con-
figuration file or command-line flags configuration file, in addition to the
existing option (through environment variables).
Configuring environment variables on Windows to configure a service is more
complicated than on Linux, and adding alternatives for this to the daemon con-
figuration makes the configuration more transparent and easier to use.
The configuration as set through command-line flags or through the daemon.json
configuration file takes precedence over env-vars in the daemon's environment,
which allows the daemon to use a different proxy. If both command-line flags
and a daemon.json configuration option is set, an error is produced when starting
the daemon.
Note that this configuration is not "live reloadable" due to Golang's use of
sync.Once()for proxy configuration, which means that changing the proxyconfiguration requires a restart of the daemon (reload / SIGHUP will not update
the configuration.
With this patch: (⚠️ #43448 changes the location of these fields to be in a "proxy-config" struct within
daemon.json)Integration tests were added to test the behavior:
command-line flags, damon.json), and used in the expected order of
preference.
make BIND_DIR=. DOCKER_GRAPHDRIVER=vfs TEST_FILTER=TestDaemonProxy binary test-integration Running integration-test (iteration 1) Running /go/src/github.com/docker/docker/integration/daemon (amd64.integration.daemon) flags=-test.v -test.timeout=5m -test.run TestDaemonProxy === RUN TestDaemonProxy === RUN TestDaemonProxy/environment_variables === RUN TestDaemonProxy/command-line_options === RUN TestDaemonProxy/configuration_file === RUN TestDaemonProxy/conflicting_options === RUN TestDaemonProxy/reload_sanitized --- PASS: TestDaemonProxy (6.75s) --- PASS: TestDaemonProxy/environment_variables (1.84s) --- PASS: TestDaemonProxy/command-line_options (1.84s) --- PASS: TestDaemonProxy/configuration_file (1.93s) --- PASS: TestDaemonProxy/conflicting_options (0.52s) --- PASS: TestDaemonProxy/reload_sanitized (0.63s) PASS DONE 6 tests in 6.942s- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)