How do I connect to Google Cloud with a proxy server to download Docker images for Autonomous Identity?
The purpose of this article is to provide information on downloading Docker® images for Autonomous Identity from ForgeRock's Google Cloud® Registry (gcr.io) repository when you are using a proxy server.
Overview
If you use a proxy server to connect to gcr.io, your attempts to log in using the registry key will fail.
For example, when you use the following command to log in:
$ docker login -u _json_key -p "$(cat autoid_registry_key.json)" https://gcr.io/forgerock-autoid
It will fail with a connection refused response similar to this:
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://gcr.io/v2/: proxyconnect tcp: dial tcp 192.0.2.0:3128: connect: connection refused
If you use a proxy server, you must configure Docker to allow access via your proxy server. There are two different approaches to achieving this:
- Allow access by updating the Docker configuration file
- Allow access by using systemd to control Docker
Use the option that works best in your environment.
Prerequisites
You have completed the necessary setup for a single node or multinode deployment, and are trying to install Autonomous Identity. Refer to the following documentation links to confirm:
- Install a Single Node Deployment
- Install a Single Node Air-Gapped Deployment
- Install a Multi-Node Deployment
- Install a Multi-Node Air-Gapped Deployment
Allow access via the proxy server by updating the Docker configuration file
1. Confirm your proxy server setup works first by running one of the following commands on the deployer machine:
   - User name and password not required by proxy server:
     $ curl -x http://<proxy hostname>:<port> -L https://gcr.io/forgerock-autoid --insecure
   - User name and password required by proxy server:
     $ curl -x http://<username>:<password>@<proxy hostname>:<port> -L https://gcr.io/forgerock-autoid
   Only proceed to step 2 if the curl command is successful.
2. Update the Docker config.json file (located in the ~/.docker directory) on the deployer machine to include your proxy details as follows (exclude <username>:<password>@ if they're not required by your proxy server):
   {
     "proxies": {
       "default": {
         "httpProxy": "http://<username>:<password>@<proxy hostname>:<port>",
         "httpsProxy": "http://<username>:<password>@<proxy hostname>:<port>",
         "noProxy": "localhost"
       },
       "https://gcr.io": {
         "httpProxy": "http://<username>:<password>@<proxy hostname>:<port>",
         "httpsProxy": "http://<username>:<password>@<proxy hostname>:<port>"
       }
     }
   }
   Note these properties use http to ensure the proxy server terminates the TLS connection.
3. Attempt to log in again:
   $ docker login -u _json_key -p "$(cat autoid_registry_key.json)" https://gcr.io/forgerock-autoid
   You should now see the following if you have successfully configured Docker to use your proxy server:
   Login Succeeded
4. Check the access.log (located in the /var/log/squid directory) on the proxy server to check access attempts are being logged correctly.
Allow access via the proxy server by using systemd to control Docker
1. Confirm your proxy server setup works first by running one of the following commands on the deployer machine:
   - User name and password not required by proxy server:
     $ curl -x http://<proxy hostname>:<port> -L https://gcr.io/forgerock-autoid --insecure
   - User name and password required by proxy server:
     $ curl -x http://<username>:<password>@<proxy hostname>:<port> -L https://gcr.io/forgerock-autoid
   Only proceed to step 2 if the curl command is successful.
2. Create a systemd directory for the docker service on the deployer machine:
   $ sudo mkdir -p /etc/systemd/system/docker.service.d
3. Create a file called http-proxy.conf in this new directory:
   $ cd /etc/systemd/system/docker.service.d
   $ vi http-proxy.conf
4. Add the following contents to this file to define your proxy details (exclude <username>:<password>@ if they're not required by your proxy server):
   [Service]
   Environment="HTTP_PROXY=http://<username>:<password>@<proxy hostname>:<port>"
   Environment="HTTPS_PROXY=http://<username>:<password>@<proxy hostname>:<port>"
   Note these Environment variables use http to ensure the proxy server terminates the TLS connection.
5. Reload the daemon:
   $ sudo systemctl daemon-reload
6. Restart Docker:
   $ sudo systemctl restart docker
7. Attempt to log in again:
   $ docker login -u _json_key -p "$(cat autoid_registry_key.json)" https://gcr.io/forgerock-autoid
   You should now see the following if you have successfully configured Docker to use your proxy server:
   Login Succeeded
8. Check the access.log (located in the /var/log/squid directory) on the proxy server to check access attempts are being logged correctly.
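
Both approaches above leave the proxy user name and password in a plain-text file (~/.docker/config.json or the http-proxy.conf drop-in). The following added example, which is not part of the original article or of ForgeRock's tooling, reports whether such a file embeds credentials in a proxy URL and whether group or other users can access it; the function names and the sample proxy values are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a Docker proxy settings file embeds credentials.

# Octal permission bits of a file (GNU stat, then BSD stat as a fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True if the file contains a URL of the form scheme://user:password@host.
has_embedded_credentials() {
    grep -Eq 'https?://[^/@:"[:space:]]+:[^/@"[:space:]]+@' "$1"
}

# True if group or other have any permission bit set on the file.
is_group_or_world_accessible() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# Print one status word: missing, no-credentials, credentials-owner-only or credentials-exposed.
audit_proxy_file() {
    if [ ! -f "$1" ]; then
        echo "missing"
    elif ! has_embedded_credentials "$1"; then
        echo "no-credentials"
    elif is_group_or_world_accessible "$1"; then
        echo "credentials-exposed"
    else
        echo "credentials-owner-only"
    fi
}

# Constructed sample: a config.json shaped like the one in this article, in a temp directory.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '{ "proxies": { "default": {' \
        '  "httpProxy": "http://svc-user:example-pass@proxy.example.internal:3128"' \
        '} } }' > "$dir/config.json"
    chmod 644 "$dir/config.json"
    echo "before chmod: $(audit_proxy_file "$dir/config.json")"
    chmod 600 "$dir/config.json"
    echo "after chmod:  $(audit_proxy_file "$dir/config.json")"
    rm -rf "$dir"
}

# With arguments, audit those files; with none, run the constructed demo.
[ $# -gt 0 ] || demo
for f in "$@"; do printf '%s: %s\n' "$f" "$(audit_proxy_file "$f")"; done
```

Pass the file paths as arguments to audit real files. For the systemd drop-in, Environment= values can also be read through systemctl show, so file mode is only part of the exposure.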