Error during build using corporate proxy #4725
Comments
|
Cross-linking #4643 |
|
Edit: Ooops, technically it is area/windows, since it's a Windows build of buildx trying to fetch the token on the client side, not the buildkitd in WSL2, that's hitting the failure. Edit again: Another oops, this might be unrelated to #4643, as that's shelled out to a command-line, and we explicitly provide an env that doesn't include http proxy info. This issue lies in our calls to the http client, and I noticed we changed HTTP clients between 0.12.1 and 0.13, so it might already be solved, but will need a version of buildx that implements 0.13 to re-test the repro case here. Edit: @amyboose: Docker BuildX 0.13.0 is out and includes BuildKit 0.13.0. Please retest with that release, as it may have solved the issue due to a change in HTTP client used for the failing operation. Also, I just noticed docker/buildx#1487 (comment) and docker/buildx#1979 which notes that BuildX doesn't currently get the Docker Desktop proxy configuration. So is the |
|
I've created buildkitd v13 using docker: buildctl is located on Windows machine. Result: Next time: After using debug: |
|
Try running the buildkit daemon with or if you already have the |
The same result. It's not the error of only my PC. Other computers also has the same error message. I think it can be the error on SSL sertificate. I've tested a command and it returns result: |
|
That error shows it's not getting or using the proxy settings, and is instead being transparently redirected to your corporate firewall (or possibly the local computer's firewall), which relies on having the firewall's own certificate trusted by the computer as a variant of a man-in-the-middle attack. The SSL setup in side the container does not trust this certificate of course, so it fails as you see. The real docker.com certificate is not signed by Kaspersky's firewall product, but by Amazon. So, try: and if that still doesn't work, then I think Once that's working, you can test with Once that is working, there's no reason I'm aware of that would not work, but if it still fails, then we've possibly identified a real bug somewhere, which will probably be a hassle to reproduce and diagnose from outside a corporately-firewalled network. >_< But we can cross that bridge when we come to it. |
|
Recently my organization disabled firewall for Executing docker with openssl on Result for both: Executing docker with openssl on reddit: Result: Kaspersky (firewall) is still exists. Executing Result: Executing curl with no proxy: Result: Executing curl with Result: success request Executing curl with proxy on Result: Most of the time Executing buildctl: Result: I think that http client ignores proxy when build image based on another image |
|
I am facing the exact same issue when running behind a corporate proxy. Everything else works fine but build doesn't honor proxy settings |
|
@TBBle Can you look at my last comment, please? |
|
It looks like a discussion started from 2019, may I know if there is some inner reason why we don't support it yet? |
|
(This should really be tracked at docker/buildx) Looks like the issue is that the client side request to auth.docker.io is blocked, presumably because the system is configured to only allow it through proxy. Note that this request is different as client is sending it directly from Options:
There is also old open PR docker/buildx#1487 to allow this case to be configured via config file but have not managed to get it merged yet. |
I've tried HTTP_PROXY, http_proxy, HTTPS_PROXY, https_proxy in many ways to solve the problem. Nothing works when |
|
Post how you are setting the proxy and what exact error you get. |
You can find almost all information above in my comment and in the head.
During some time my organization disabled traffic filtering and SSL bump for me. It also didn't help solve the problem. Also I did many tests using buildx with no docker. You can find all my test results above. Unfortunately now I can't do tests within a week. I've solved all my issues on corporate network using proxy setting, CA certificates and build-args. This is the only problem left. And I'm almost sure that there is a bug |
I can't spot any instance trying either solution from #4725 (comment) |
Ok, I will try solutions from your comment and let you know. |
|
Any luck/feedback @amyboose ? |
The first option works. The second I haven't testes yet. Will do within a month |
|
Remote RHEL Jenkins nodes. Docker 27.1 and 27.3. (No issue on local macOS or Windows laptops.) |
We are using corporate proxy and all our outside traffic goes only through a proxy. I can't connect to internet without a proxy.
I'm trying to build new image based on another image.
Dockerfile looks like:
The error message:
But another Dockerfile works well:
Also manually pulling image works well. A command for manually pulling:
A proxy is configured in Docker (desktop) for both http and https connections and also in windows settings.
I've tried to use debug command
docker --debug build .and it returns:I tried to run command
RUN curl -x "<mycorporateproxy>" "some url" -kusing docker build in another Dockerfile and it works. It means that corporate proxy works well.I think that command
docker build .ignores corporate proxy on Windows.OS: Windows 10 2022 H2
Docker desktop: v4.28.0
The text was updated successfully, but these errors were encountered: