How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I connect to Google Cloud with a proxy server to download Docker images for Autonomous Identity?

Last updated Mar 22, 2022

The purpose of this article is to provide information on downloading Docker® images for Autonomous Identity from ForgeRock's Google Cloud® Registry (gcr.io) repository when you are using a proxy server.


Overview

If you use a proxy server to connect to gcr.io, your attempts to log in using the registry key will fail.

For example, when you use the following command to log in:

$ docker login -u _json_key -p "$(cat autoid_registry_key.json)" https://gcr.io/forgerock-autoid

It will fail with a connection refused response similar to this:

WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://gcr.io/v2/: proxyconnect tcp: dial tcp 192.0.2.0:3128: connect: connection refused

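If you use a proxy server, you must configure Docker to allow access via your proxy server. There are two different approaches to achieving this:

  • Allow access via the proxy server by updating the Docker configuration file
  • Allow access via the proxy server by using systemd to control Docker

Use the option that works best in your environment.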

Prerequisites

You have completed the necessary setup for a single node or multinode deployment, and are trying to install Autonomous Identity. Refer to the following documentation links to confirm:

Allow access via the proxy server by updating the Docker configuration file

  1. Confirm your proxy server setup works first by running one of the following commands on the deployer machine:
    • User name and password not required by proxy server:
      $ curl -x http://<proxy hostname>:<port> -L https://gcr.io/forgerock-autoid --insecure
    • User name and password required by proxy server:
      $ curl -x http://<username>:<password>@<proxy hostname>:<port> -L https://gcr.io/forgerock-autoid

Only proceed to step 2 if the curl command is successful.

  2. Update the Docker config.json file (located in the ~/.docker directory) on the deployer machine to include your proxy details as follows (exclude <username>:<password>@ if they're not required by your proxy server):

     {
       "proxies": {
         "default": {
           "httpProxy":  "http://<username>:<password>@<proxy hostname>:<port>",
           "httpsProxy": "http://<username>:<password>@<proxy hostname>:<port>",
           "noProxy": "localhost"
         },
         "https://gcr.io": {
           "httpProxy":  "http://<username>:<password>@<proxy hostname>:<port>",
           "httpsProxy": "http://<username>:<password>@<proxy hostname>:<port>"
         }
       }
     }

     Note that these properties use http to ensure the proxy server terminates the TLS connection.
  3. Attempt to log in again:

     $ docker login -u _json_key -p "$(cat autoid_registry_key.json)" https://gcr.io/forgerock-autoid

     You should now see the following if you have successfully configured Docker to use your proxy server:

     Login Succeeded
  4. Check the access.log (located in the /var/log/squid directory) on the proxy server to confirm that access attempts are being logged correctly.

Allow access via the proxy server by using systemd to control Docker

  1. Confirm your proxy server setup works first by running one of the following commands on the deployer machine:
    • User name and password not required by proxy server:
      $ curl -x http://<proxy hostname>:<port> -L https://gcr.io/forgerock-autoid --insecure
    • User name and password required by proxy server:
      $ curl -x http://<username>:<password>@<proxy hostname>:<port> -L https://gcr.io/forgerock-autoid

Only proceed to step 2 if the curl command is successful.

  2. Create a systemd directory for the docker service on the deployer machine:

     $ sudo mkdir -p /etc/systemd/system/docker.service.d
  3. Create a file called http-proxy.conf in this new directory:

     $ cd /etc/systemd/system/docker.service.d
     $ sudo vi http-proxy.conf
  4. Add the following contents to this file to define your proxy details (exclude <username>:<password>@ if they're not required by your proxy server):

     [Service]
     Environment="HTTP_PROXY=http://<username>:<password>@<proxy hostname>:<port>"
     Environment="HTTPS_PROXY=http://<username>:<password>@<proxy hostname>:<port>"

     Note that these Environment variables use http to ensure the proxy server terminates the TLS connection.
  5. Reload the daemon:

     $ sudo systemctl daemon-reload
  6. Restart Docker:

     $ sudo systemctl restart docker
  7. Attempt to log in again:

     $ docker login -u _json_key -p "$(cat autoid_registry_key.json)" https://gcr.io/forgerock-autoid

     You should now see the following if you have successfully configured Docker to use your proxy server:

     Login Succeeded
  8. Check the access.log (located in the /var/log/squid directory) on the proxy server to confirm that access attempts are being logged correctly.
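
The access.log check that closes both procedures can be scripted. The following is an added example, not part of the original article or ForgeRock's code: it summarizes the gcr.io CONNECT requests from the deployer machine and classifies the most recent one. It assumes Squid's default native log format; the sample lines, the client address 192.0.2.10, the user name autoid and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ForgeRock's code): check Squid access.log entries for the
# deployer's gcr.io connections. Assumes Squid's default native log format:
#   time elapsed client result/status bytes method URL user hierarchy type

# Constructed sample lines; 192.0.2.10 stands in for the deployer machine and
# "autoid" for the proxy user name.
sample_log() {
cat <<'EOF'
1647950001.101    212 192.0.2.10 TCP_DENIED/407 4130 CONNECT gcr.io:443 - HIER_NONE/- text/html
1647950005.532   1840 192.0.2.10 TCP_TUNNEL/200 6211 CONNECT gcr.io:443 autoid HIER_DIRECT/203.0.113.20 -
1647950009.870    950 192.0.2.10 TCP_TUNNEL/200 3987 CONNECT gcr.io:443 autoid HIER_DIRECT/203.0.113.20 -
1647950011.004     15 192.0.2.11 TCP_DENIED/403 3920 CONNECT example.com:443 - HIER_NONE/- text/html
EOF
}

# gcr_summary CLIENT_IP: count gcr.io CONNECT requests per result code.
gcr_summary() {
    awk -v client="$1" '
        $3 == client && $6 == "CONNECT" && $7 ~ /^gcr\.io:/ { n[$4]++ }
        END { for (r in n) print r, n[r] }' | sort
}

# gcr_verdict CLIENT_IP: classify the most recent gcr.io CONNECT from the client.
gcr_verdict() {
    awk -v client="$1" '
        $3 == client && $6 == "CONNECT" && $7 ~ /^gcr\.io:/ {
            seen = 1; split($4, r, "/"); status = r[2]
        }
        END {
            if (!seen)                print "not-logged"          # no entry: traffic did not use this proxy
            else if (status == "200") print "tunnel-ok"           # proxy opened the tunnel
            else if (status == "407") print "proxy-auth-required" # credentials missing or rejected
            else                      print "blocked"             # for example 403 from a proxy ACL
        }'
}

# On the proxy server: gcr_summary <deployer IP> < /var/log/squid/access.log
sample_log | gcr_summary 192.0.2.10
sample_log | gcr_verdict 192.0.2.10
```

A 407 followed by a 200 for the same client is the normal pattern when the proxy requires authentication, which is why the verdict is taken from the most recent entry.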

See Also

Installation

Docker CLI configuration file (config.json) properties

Control Docker with systemd


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.