Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Error when docker daemon is secured with HTTPS but container is not #22

Open
mattinbits opened this issue Jun 25, 2019 · 0 comments
Open

Error when docker daemon is secured with HTTPS but container is not #22

mattinbits opened this issue Jun 25, 2019 · 0 comments

Comments

@mattinbits
Copy link

I discovered this using ShinyProxy 2.3.0 with containerproxy 0.8.3

I am using docker engine, secured with TLS, so part of my config looks like:

docker:
  cert-path: /docker_certs
  url: https://localhost:2376

When running ShinyProxy with the example applications, after attempting to launch an application I find the following in the logs:

Container unresponsive, trying again (2/10): https://localhost:20000

Until eventually it gives up with an exception. The problem is that the 01_hello application is listening on HTTP not HTTPS.

The reason that ShinyProxy/containerproxy is attempting to use https to check the container is here:

containerproxy/src/main/java/eu/openanalytics/containerproxy/backend/docker/DockerEngineBackend.java

Line 129 in e4a8dda

targetProtocol = getProperty(PROPERTY_CONTAINER_PROTOCOL, hostURL.getProtocol());

In case the property identified as PROPERTY_CONTAINER_PROTOCOL is not defined, then the protocol of the docker daemon is used to build the URI for checking the container.

I was able to fix this by extending my config as follows:

docker:
  cert-path: /docker_certs
  url: https://localhost:2376
  container-protocol: http

(The container-protocol property corresponds to PROPERTY_CONTAINER_PROTOCOL). This appears to be an undocumented feature, at least I couldn't find any reference to it in the ShinyProxy or containerproxy documentation. I found it through reviewing the code.

Note that the behaviour is different when using the internal network option:

containerproxy/src/main/java/eu/openanalytics/containerproxy/backend/docker/DockerEngineBackend.java

Line 118 in e4a8dda

targetProtocol = getProperty(PROPERTY_CONTAINER_PROTOCOL, DEFAULT_TARGET_PROTOCOL);

In that case there is DEFAULT_TARGET_PROTOCOL which is "http".

I can see a few possible resolutions:

  • Update the documentation so it is clear that this setting may be needed when using a docker daemon with https.
  • Amend the code so when not using the internal network option the behaviour is the same as with the internal network option - use DEFAULT_TARGET_PROTOCOL when it is not set
  • Move this setting from a general docker property down into the specs configuration, so it can be set differently for different containers in the same proxy. At the moment it appears to me that it would not be possible to proxy and http and an https app at the same time.

I see two possible solutions.
LEDfan pushed a commit that referenced this issue Mar 2, 2021
@fmichielssen
Merge pull request 'Refactor label and annotations containg metadata' (
9051682 
…#22) from feature/cleanup_labels into develop
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mattinbits