Proxy not working if password contains special character(%)

[thiner]

• This is a bug report
• This is a feature request
• I searched existing issues before opening this one

Expected behavior

Docker should accept special characters used in proxy password.

Actual behavior

I installed docker engine on Ubuntu 18.04, which is behind corporate proxy. I configured proxy for docker, but failed to take effect due to the password contains a special character("%").

Steps to reproduce the behavior

Create /etc/systemd/system/docker.service.d/http-proxy.conf file, and input below Environment variables:

[Service]
Environment="https_proxy=http://user:abcG4g@proxyhost:8080/"
Environment="no_proxy=127.0.0.1"

And then run

sudo systemctl daemon-reload
sudo systemctl restart docker
docker info

The proxy setting shows as below:

HTTP Proxy: http://xxxxx:xxxxx@proxyhost:8080/

Please note: the user name and password mask is copied from original docker info output. I assume this means docker accepts the proxy authentication setting.

But, if there is "%" sign in the password, /var/log/syslog prints error message as below after run sudo systemctl daemon-reload.

Nov 20 09:49:26  systemd[1]: /etc/systemd/system/docker.service.d/http-proxy.conf:3: Failed to resolve specifiers, ignoring: https_proxy=http://user:abc%G4g@proxyhost:8080/

And there is not proxy setting in the output of docker info.

If I change the password to abc%%G4g, escape "%" by prefixing another "%" sign, and then reload the daemon and restart docker. The syslog shows error message:

Nov 20 10:01:58 systemd[1]: /etc/systemd/system/gitlab-runner.service.d/http-proxy.conf:3: Failed to resolve specifiers, ignoring: HTTPS_PROXY=http://user:abc%G4g@proxyhost:8080/

and the docker info output contains proxy setting as below:

HTTP Proxy: http://user:abc%G4g@proxyhost:8080/

This time user name and password are not masked, and the test docker run hello-world failed due to connection time out.

*Output of docker version:

Client: Docker Engine - Community
 Version:           19.03.13
 API version:       1.40
 Go version:        go1.13.15
 Git commit:        4484c46d9d
 Built:             Wed Sep 16 17:02:36 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.13
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       4484c46d9d
  Built:            Wed Sep 16 17:01:06 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.3.7
  GitCommit:        8fba4e9a7d01810a393d5d25a3621dc101981175
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 1
 Server Version: 19.03.13
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8fba4e9a7d01810a393d5d25a3621dc101981175
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.4.0-1029-aws
 Operating System: Ubuntu 18.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.19GiB
 Name: ip-xxx-xxx-xxx-xxx
 ID: xxx-xxxx-xxxx-xxxx
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http://user:abc%G4g@proxyhost:8080/
 No Proxy: 127.0.0.1
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Registry Mirrors:
  http://hub-mirror.c.163.com/
  https://docker.mirrors.ustc.edu.cn/
 Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.)

[thaJeztah]

I suspect the % may have to be URL-encoded (%25)? Does it work if you use that?

[thiner]

Problem solved!
The solution is %%25 to escape "%" . Thanks @thaJeztah for your hint.
The final workable configuration as below:

# /etc/systemd/system/docker.service.d/http_proxy.conf
[Service]
Environment="https_proxy=http://user:a%%25G4g@proxyhost/"
Environment="http_proxy=http://user:a%%25G4g@proxyhost/"
Environment="no_proxy=127.0.0.1"

[thaJeztah]

Perfect!

Worth noting as well that there's no standard definition for the naming of these env-vars; IIRC, the daemon itself will look both for lowercase (_proxy) and uppercase (_PROXY) env-vars, but if you need to use the same proxy for containers as well, you may have to set both lower and uppercase variants (as env-vars on Linux are case-sensitive, and some linux tools may look for a specific case).

To have containers started automatically with these env-vars set, you may be interested in docker/cli#93

Finally, I should warn that environment variables are known to "leak", so besides docker info showing the proxy config, processes inside the container (as well as processes on the host) could read them, and thus get the username/password).

[shiguowang]

Problem solved!
The solution is %%25 to escape "%" . Thanks @thaJeztah for your hint.

If someone meet this problem, docker/docs#11701 will answer why we need double %