如何让我所有的 docker 容器都使用我的代理?
How can I make all my docker containers use my proxy?
我 运行 docker 在 Debian Jessie 上使用公司代理。为了能够下载 docker 图片,我需要将以下内容添加到我的 /etc/defaults/docker
http_proxy="http://localhost:3128/"
我可以确认这有效。
但是,为了能够从我的容器中访问 interwebz,我需要使用 --net host 启动所有会话,然后设置这些环境变量:
export http_proxy=http://localhost:3128/
export https_proxy=https://localhost:3128/
export ftp_proxy=${http_proxy}
理想情况下,我希望容器不需要主机网络,也不知道代理(即容器中所有对端口 20、80、443 的出站调用都通过主机的代理端口)。这可能吗?
否则,是否可以进行站点设置,以确保这些环境变量在本地设置但绝不会作为图像的一部分导出?我知道我可以用 --env http_proxy=... 等传递这些东西,但这很笨重。我希望它无需使用别名即可为系统上的所有用户工作。
(免责声明:我在 https://superuser.com/posts/890196 上问过这个问题,但 docker 问题的主页目前有点模棱两可)。
Host server runs a container running a proxy (squid, in this case) that can do transparent proxying. That container has some iptables rules that NAT traffic into the proxy server - this means that container needs to run in privileged mode.
Host server also contains (and here's the magic) ip route table entries that re-route all traffic from any container but the proxy that was destined for port 80, through the proxy container.
That last bit essentially means that for port 80 traffic, the route from container to the rest of the world goes through the proxy container - giving it the chance to NAT and transparent proxy.
我 运行 docker 在 Debian Jessie 上使用公司代理。为了能够下载 docker 图片,我需要将以下内容添加到我的 /etc/defaults/docker
http_proxy="http://localhost:3128/"
我可以确认这有效。
但是,为了能够从我的容器中访问 interwebz,我需要使用 --net host 启动所有会话,然后设置这些环境变量:
export http_proxy=http://localhost:3128/
export https_proxy=https://localhost:3128/
export ftp_proxy=${http_proxy}
理想情况下,我希望容器不需要主机网络,也不知道代理(即容器中所有对端口 20、80、443 的出站调用都通过主机的代理端口)。这可能吗?
否则,是否可以进行站点设置,以确保这些环境变量在本地设置但绝不会作为图像的一部分导出?我知道我可以用 --env http_proxy=... 等传递这些东西,但这很笨重。我希望它无需使用别名即可为系统上的所有用户工作。
(免责声明:我在 https://superuser.com/posts/890196 上问过这个问题,但 docker 问题的主页目前有点模棱两可)。
Host server runs a container running a proxy (squid, in this case) that can do transparent proxying. That container has some iptables rules that NAT traffic into the proxy server - this means that container needs to run in privileged mode.
Host server also contains (and here's the magic) ip route table entries that re-route all traffic from any container but the proxy that was destined for port 80, through the proxy container.
That last bit essentially means that for port 80 traffic, the route from container to the rest of the world goes through the proxy container - giving it the chance to NAT and transparent proxy.