Running Docker on EC2 instance that is attached to a VPC and Proxy Server

Apollo Software Labs
3 min read · Oct 6, 2020

In a corporate AWS account, an EC2 instance you launch will most likely be attached to a subnet in a VPC. For security reasons, all outbound traffic is routed to a Transit Gateway as specified by the route tables attached to the subnet. Hence, any outbound traffic from the EC2 instance has to go through the proxy server, just as it does for any workstation on the corporate network.

If you want to get up and running with docker and docker-compose on a new EC2 instance you just launched, here are some steps you may find helpful.

Note: The steps below assume you are logged in as ec2-user and have sudo access. Many of these commands require elevated privileges and will work only when prefixed with sudo.

Launch the instance with an Amazon Linux AMI and SSH in with PuTTY using your key pair. Make sure the security group attached to your EC2 instance allows inbound SSH connections from your corporate network (e.g. 10.0.0.0/8).

Without proxy settings configured correctly, a simple curl command shown below will fail.

curl -v https://www.google.com

You can pass proxy settings to curl using the -x flag. To apply them more broadly, create the file /etc/profile.d/my_env.sh with contents like the following.

PROXY_URL="http://proxy.xyz.com:1234/"
export http_proxy="$PROXY_URL"
export https_proxy="$PROXY_URL"
export ftp_proxy="$PROXY_URL"
export no_proxy="127.0.0.1,localhost,*.xyz.com,.xyz.com"

# Uppercase variants, for tools that read these names instead
export HTTP_PROXY="$PROXY_URL"
export HTTPS_PROXY="$PROXY_URL"
export FTP_PROXY="$PROXY_URL"
export NO_PROXY="127.0.0.1,localhost,*.xyz.com,.xyz.com"

source /etc/profile.d/my_env.sh

Repeating the curl test above should now succeed.

Note: You can find the proxy server and port used on your corporate desktop with the command below. The proxy server and port to use for the steps in this post may be different, however.

netsh winhttp show proxy

To install docker using yum, you need to configure yum to use the proxy. Add the line below to /etc/yum.conf.

proxy=http://proxy.xyz.com:1234

sudo yum update -y
sudo yum install -y docker

To have docker use the proxy server, update /etc/sysconfig/docker and add lines below.

# Same http:// proxy URL as in my_env.sh and the Dockerfile in this post
HTTP_PROXY="http://proxy.xyz.com:1234"
HTTPS_PROXY="http://proxy.xyz.com:1234"

sudo /etc/init.d/docker start
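
At this point the proxy URL lives in three separate files, and a mismatch between them is the usual reason one tool works while another times out. The script below is an added example, not part of the original post: it lists the literal proxy URLs found in those files and flags any that differ from the first one or that embed credentials. The function names and the optional ROOT prefix (to run against a copy of /etc) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the proxy settings in the
# files this walkthrough edits. ROOT is an assumed optional prefix so the check
# can run against a copy of /etc instead of the live system.

# Print each literal proxy URL set in file $1 (skips "$PROXY_URL" references).
proxy_urls_in() {
  [ -r "$1" ] || return 0
  awk '
    index($0, "=") {
      key = tolower(substr($0, 1, index($0, "=") - 1))
      sub(/^[ \t]*(export[ \t]+)?/, "", key); sub(/[ \t]+$/, "", key)
      if (key !~ /^(proxy_url|https?_proxy|ftp_proxy|proxy)$/) next
      val = substr($0, index($0, "=") + 1)
      # Strip surrounding quotes, whitespace and any trailing slash
      gsub("^[ \t\"]+|[ \t\"/]+$", "", val)
      if (val != "" && val !~ /^\$/) print val
    }' "$1"
}

# Compare every URL against the first one found; flag drift and credentials.
audit_proxy() {
  root="${1:-}"; first=""; rc=0
  for f in /etc/profile.d/my_env.sh /etc/yum.conf /etc/sysconfig/docker; do
    for url in $(proxy_urls_in "$root$f"); do
      echo "$f: $url"
      [ -n "$first" ] || first="$url"
      if [ "$url" != "$first" ]; then
        echo "  WARN: differs from $first"; rc=1
      fi
      case "$url" in
        *://*@*) echo "  WARN: credentials embedded in proxy URL"; rc=1 ;;
      esac
    done
  done
  return "$rc"
}

audit_proxy "${ROOT:-}" || echo "proxy settings need attention" >&2
```
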

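To run docker without sudo, add ec2-user to the docker group with the command below. Log out and back in for the new group membership to take effect. Keep in mind that membership of the docker group is effectively root access on the host.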

sudo usermod -a -G docker ec2-user

Once you have docker up and running, you may want to build docker images.

Install git to obtain Dockerfile from a Git repo and then you can modify the Dockerfile to meet your needs.

sudo yum install -y git
git clone https://github.com/xyz/docker-project

Now if you try to build the docker image using command below, you may run into proxy issues again.

docker build -t xyz/project-abc .

If the Dockerfile has apt-get or wget commands, you may need to specify ENV variables within your Dockerfile so they use the proxy settings. Values set with ENV persist in the built image and in every container started from it. Also, most corporate proxies may block access to public docker registries. Hence, you will need to find equivalent base images in your internal registry and update the FROM instruction to use them. For example, your Dockerfile may start to look like the one below.

FROM artifactory.xyz.com/verified-snapshot/python:3.7-slim-buster
ENV http_proxy http://proxy.xyz.com:1234
ENV https_proxy http://proxy.xyz.com:1234

Whenever sudo is used, by default it resets the environment and drops most variables. For sudo to keep the proxy settings, you may need to update env_keep in the /etc/sudoers file using visudo, as shown below.

Defaults    env_keep = "http_proxy https_proxy ftp_proxy COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"

Disclaimer — These guidelines are provided to help you be productive in your workplace and not to circumvent any corporate policies.
