Created May 11, 2018 19:33
install docker-ce on hyper-v behind enterprise ssl-mitm proxy
- could be manually installed via *.deb but wanted official repo support
Part 1. Get ubuntu to recognize cert:
-------------------------------------
Error:
Ign:10 https://download.docker.com/linux/ubuntu xenial/stable Translation-en
Reading package lists... Done
W: The repository 'https://download.docker.com/linux/ubuntu xenial Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch https://download.docker.com/linux/ubuntu/dists/xenial/stable/binary-amd64/Packages server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
E: Some index files failed to download. They have been ignored, or old ones used instead.
1. Windows mmc, add/remove certificates snapin, certs from Computer
2. Export Root-CA for corp as ca.crt
3. Copy to ubuntu and save as /usr/local/share/ca-certificates/ca.pem (can just rename)
4. Run "sudo update-ca-certificates"
5. The install should now work from the official repo (following docker-ce build guide)
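An added helper for Part 1 (not part of the gist): it converts the mmc export (DER by default) to PEM, refuses files that are not CA certificates, and writes the result with a .crt extension, because update-ca-certificates only processes files under /usr/local/share/ca-certificates whose names end in .crt. CA_DIR, UPDATE_CMD and CA_BUNDLE are assumed override knobs so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the gist. Defaults match the Ubuntu trust store;
# the variables are assumed knobs for testing outside a real system.
CA_DIR="${CA_DIR:-/usr/local/share/ca-certificates}"
UPDATE_CMD="${UPDATE_CMD:-update-ca-certificates}"
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# normalize_ca_pem IN OUT: accept a PEM or DER (mmc's default .cer) export,
# write PEM to OUT, and refuse anything that is not a CA certificate.
normalize_ca_pem() {
    in="$1"; out="$2"
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$in" 2>/dev/null; then
        inform=PEM
    else
        inform=DER
    fi
    openssl x509 -inform "$inform" -in "$in" -out "$out" || return 1
    # A leaf cert exported by mistake will not make apt trust the proxy chain.
    openssl x509 -in "$out" -noout -text | grep -q 'CA:TRUE' || {
        echo "refusing $in: not a CA certificate" >&2
        return 2
    }
}

# install_corp_ca IN NAME: place the CA as NAME.crt and rebuild the bundle.
install_corp_ca() {
    mkdir -p "$CA_DIR"
    normalize_ca_pem "$1" "$CA_DIR/$2.crt" || return 1
    "$UPDATE_CMD"
}

# verify_chain CERT: check that a saved server certificate or chain (for
# example captured with openssl s_client -showcerts) validates against the
# system bundle, i.e. that the proxy's issuing CA is now trusted.
verify_chain() {
    openssl verify -CAfile "$CA_BUNDLE" "$1"
}
```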
Part 2. Get docker to recognize cert:
-------------------------------------
Error:
sudo docker run hello-world
Unable to find image 'hello-world:latest' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority.
See 'docker run --help'.
1. Create /etc/docker/daemon.json
2. Copy the pem f
3. Add the following line (ensure the last line doesn't have a trailing ",")
vi /etc/docker/daemon.json
{
"tlscert": "/usr/local/share/ca-certificates/ca.pem"
}
sudo service docker restart
If you get an error like this:
Job for docker.service failed because the control process exited with error code. See "systemctl status docker.service" and "journalctl -xe" for details.
check the log:
journalctl -xe
Ensure that the path to the cert is correct.
Now run "sudo docker run hello-world"
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/engine/userguide/
Thumbs up!!
===========================================
docker run -it -p 8888:8888 tensorflow/tensorflow:0.10.0rc0 bash
# python
import tensorflow as tf
hello = tf.constant('Hello, TensorFlow!')
sess = tf.Session()
print(sess.run(hello))
cd $HOME
docker run -v $HOME/tensorflow-tutorial:/tutorial -p 0.0.0.0:6006:6006 -p 0.0.0.0:8888:8888 -it tensorflow/tensorflow:0.10.0rc0 bash
cd /tutorial
/run_jupyter.sh &
tensorboard --logdir=`pwd` &
===========================
IPTABLES
## block outgoing, only allow tcp 22, 80, 443 and udp 53 from the container
## allow container to only access mycity ip
## allows me to connect via vdi and from my machine, so the source i am not sure about, wtf
## ping out from container is icmp host prohib
# working set
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]
-F INPUT
-F DOCKER-USER
-F FILTERS
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -j FILTERS
-A DOCKER-USER -i docker0 -j FILTERS
-A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE: the next rule has no -j target, so it only counts matching packets and
# allows nothing; add "-j ACCEPT" if a.a.a.0/24 is meant to be let through.
-A FILTERS -m state --state NEW -s a.a.a.0/24
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp -d x.x.x.x,y.y.y.y --dport 80 -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A FILTERS -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A FILTERS -j REJECT --reject-with icmp-host-prohibited
COMMIT
iptables-restore -n /etc/iptables.conf