Behind the Corporate Firewall - Building Docker Containers
Because Docker containers are built in layers, a lot of times the source container that you specify in the
FROM xxxx portion of the Dockerfile is located outside of your corporate firewall. In addition, the commands that you run for your container installing packages will also need to route to the Internet.
There is a couple methodologies we utilize take to apply proxy settings while building our containers. The best option depends on your individual use cases.
Our Simple Dockerfile
Both of these statements (
FROM) are going to require to connect to the public internet to pull packages and image files. The
s390x/ubuntu image is being pulled off of DockerHub and the
apt-get commands are connecting to Ubuntu’s repository servers.
Option 1 - Inline build-args
The first option we have to build docker containers behind a corporate firewall is to use build args. When doing docker builds there is many different options you can pass through and by giving the build an
http_proxy build arg it will be able to pull those packages.
Usage - Docker Build
We can add some build args to this statement above to tell it to route to a proxy for HTTP requests. For this example we are going to assume that we have a proxy server running at
This method is good if you are using scripts or a regression tool like Jenkins to run your builds for you. However for every-day testing of containers, copying or writing out these long build args can be a bit tedious. Instead we will look at a way to set HTTP Proxies for all builds.
Option 2 - Docker Service Config
This method is much more user friendly but depending on your project scope it could lock you into a configuration that may not be suitable for all of your builds. What we are going to do with this option is actually bake the HTTP/HTTPS proxy into the docker daemon so that it will always use this proxy config for all builds.
If you haven’t already you are going to want to create a docker
systemd directory. This is where we are going to define the proxy
Now there is a directory at
/etc/systemd/system/docker.service.d and inside this directory we are going to create couple files. The first is going to be
http-proxy.conf and the second is
If you want to access internal docker registries or other servers in your build that should not be routed through the proxy, Docker also supports the
NO_PROXY environment variable which can be created in a similar fasion.
Now all you need to do to make this configuration take affect is flush the changes…
and restart the Docker daemon