RPJosh
/
docker-registry-proxy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add some Docker Desktop for Mac instructions (#58, #50 and others)

pull/64/head
Ricardo Pardini 2020-11-09 12:32:19 +01:00
parent 6bf3974ade
commit 93f3d5749f
2 changed files with 56 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
Docker-for-Mac.md 100644
View File

@ -0,0 +1,48 @@
# Using a Docker Desktop for Mac as a client for the proxy (stable version)
First, know this is a MiTM, and could break with new Docker Desktop for Mac releases or during resets/reinstalls/upgrades.
These instructions tested on Mac OS Catalina, and:
- Docker Desktop for Mac `2.5.0.0` (Stable) (which provides Docker `19.03`)
- Docker Desktop for Mac `2.4.2.0` (Edge) (which provides Docker `20.10.0-beta1`)
This assumes you have `docker-registry-proxy` running _somewhere else_, eg, on a different machine on your local network.
See the main [README.md](README.md) for instructions. (If you're trying to run both proxy and client on the same machine, see below).
For these examples I will assume it is successfully running on `http://192.168.1.2:3128/`
- Make sure you can access the proxy. On your Mac/Terminal (not Docker), run:
```shell script
# with wget...
wget --quiet -O - "http://192.168.1.2:3128/"
# ... or, with curl:
curl "http://192.168.1.2:3128/"
```
- Make sure your Docker Desktop for Mac install is pristine like new, go into Troubleshoot > "Reset to Factory defaults".
- Inject the CA certificates into the Docker install inside the HyperKit VM running LinuxKit that is used by Docker Desktop for Mac.
To do that, we use a privileged container. `justincormack/nsenter1` does the job nicely:
```shell script
docker run -it --privileged --pid=host justincormack/nsenter1 /bin/bash -c "wget -O - http://192.168.1.2:3128/ca.crt | tee -a /containers/services/docker/lower/etc/ssl/certs/ca-certificates.crt"
```
- Go into `Docker > Preferences`, and set `Resources > Proxies` to
- "Manual proxy configuration" to ON
- HTTP proxy: `http://192.168.1.2:3128/`
- HTTPS proxy: `http://192.168.1.2:3128/`
- (Optional) I also recommend "Enable CLI experimental features" under "Experimental Features" (since I use `buildx` a lot)
- Click button "Apply & Restart", wait for it to restart.
- Try a `docker pull` now. It should be using the proxy (watch the logs on the proxy server).
- Important: **push**es done with this configured will either not work, or use the auth you configured on the proxy, if any. Beware, and report back.
# Using Docker Desktop for Mac to both host the proxy server and use it as a client
@TODO: This has a bunch of chicken-and-egg issues.
You need to pre-pull the proxy itself and `justincormack/nsenter1`.
Then set up the proxy server, and then follow the instructions above (without the Factory Reset).
Do NOT use 127.0.0.1, instead use your machine's local LAN IP address. (Hint: there's a good chance 192.168.64.1 is useable, due the the way Docker Desktop for Mac sets networking up).
Make sure to bring the proxy up after applying/restarting the Docker Engine.

10
README.md
View File

@ -73,7 +73,7 @@ for this to work it requires inserting a root CA certificate into system trusted
- Since 0.5.x, they both carry the same images - Since 0.5.x, they both carry the same images
- This can be useful if you're already hitting DockerHub's rate limits and can't pull the proxy from DockerHub - This can be useful if you're already hitting DockerHub's rate limits and can't pull the proxy from DockerHub
## Usage ## Usage (running the Proxy server)
- Run the proxy on a host close (network-wise: high bandwidth, same-VPC, etc) to the Docker clients - Run the proxy on a host close (network-wise: high bandwidth, same-VPC, etc) to the Docker clients
- Expose port 3128 to the network - Expose port 3128 to the network
@ -163,7 +163,11 @@ docker run --rm --name docker_registry_proxy -it \
rpardini/docker-registry-proxy:0.6.0 rpardini/docker-registry-proxy:0.6.0
``` ```
## Configuring the Docker clients / Kubernetes nodes ## Configuring the Docker clients using Docker Desktop for Mac
Separate instructions for Mac clients available in [this dedicated Doc Desktop for Mac document](Docker-for-Mac.md).
## Configuring the Docker clients / Kubernetes nodes / Linux clients
Let's say you setup the proxy on host `192.168.66.72`, you can then `curl http://192.168.66.72:3128/ca.crt` and get the proxy CA certificate. Let's say you setup the proxy on host `192.168.66.72`, you can then `curl http://192.168.66.72:3128/ca.crt` and get the proxy CA certificate.
@ -254,6 +258,8 @@ Yeah. Docker Inc should do it. So should NPM, Inc. Wonder why they don't. 😼
### TODO: ### TODO:
- [x] Basic Docker-for-Mac set-up instructions
- [ ] Basic Docker-for-Windows set-up instructions.
- [ ] Test and make auth work with quay.io, unfortunately I don't have access to it (_hint, hint, quay_) - [ ] Test and make auth work with quay.io, unfortunately I don't have access to it (_hint, hint, quay_)
- [x] Hide the mitmproxy building code under a Docker build ARG. - [x] Hide the mitmproxy building code under a Docker build ARG.
- [ ] "Developer Office" proxy scenario, where many developers on a fast LAN share a proxy for bandwidth and speed savings (already works for pulls, but messes up pushes, which developers tend to use a lot) - [ ] "Developer Office" proxy scenario, where many developers on a fast LAN share a proxy for bandwidth and speed savings (already works for pulls, but messes up pushes, which developers tend to use a lot)