Proxy for podman in podman setup

garlicbrehd357 · October 4, 2023, 1:30pm

Has anyone here been able to get their rootless podman-in-podman runners working with a proxy (squid)? More specifically, to pull container images from an external container registry?

When I run a pipeline, it gets the error: dial tcp x.x.x.x:y: connect: no route to host when attempting to pull a container image from the internet.

Initially, I thought this was a networking/routing problem, but I see the same error when I remove the proxy environment variables from my rootless user and try a manual podman pull on the host.

To clarify, manually running podman pull works fine when those proxy variables are set. But for some reason, the runner seems to ignore these variables?

What’s really confusing is that the runner pipeline output is returning the value of $http_proxy. For example, here is my .gitlab-ci.yml file.

default:
  image: $http_proxy

and it’s showing this output

Pulling docker image squid.proxy.com:3128 ...

I am lost.

Environment Setup

http_proxy, https_proxy, HTTP_PROXY, HTTPS_PROXY have been configured for…

the rootless user’s .bashrc and .bash_profile
runner containers’ env variables
config.toml
.gitlab-ci.yml

Bodo · October 4, 2023, 1:54pm

Hi,
same error messae for me using an internal registry.
I can use this registry using command line.
Pulling images works for me using proper HTTP and HTTPS proxy vars

garlicbrehd357 · October 4, 2023, 2:51pm

It’s good to know someone else is getting this problem. I’ll see if I can submit a gitlab issue later today about this.

garlicbrehd357 · October 5, 2023, 2:04am

My colleagues found the solution. You need to do the following.

Login as your rootless podman user.
systemctl --user edit podman
Add these settings and save.

[Service]
Environment="HTTP_PROXY=your.proxy.com:3128"
Environment="HTTPS_PROXY=your.proxy.com:3128"

github.com

containers/podman/blob/main/docs/tutorials/socket_activation.md

# Podman socket activation

Socket activation conceptually works by having systemd create a socket (e.g. TCP, UDP or Unix
socket). As soon as a client connects to the socket, systemd will start the systemd service that is
configured for the socket. The newly started program inherits the file descriptor of the socket
and can then accept the incoming connection (in other words run the system call `accept()`).
This description corresponds to the default systemd socket configuration
[`Accept=no`](https://www.freedesktop.org/software/systemd/man/systemd.socket.html#Accept=)
that lets the service accept the socket.

Podman supports two forms of socket activation:

* Socket activation of the API service
* Socket activation of containers

## Socket activation of the API service

The architecture looks like this

``` mermaid

This file has been truncated. show original

aaron.dunn · October 6, 2023, 1:46pm

The approach you’ve mentioned involves configuring the HTTP_PROXY and HTTPS_PROXY environment variables for the systemd user service associated with your rootless Podman user. This should ensure that the proxy settings are applied when the Podman runner is trying to pull container images from external registries.

scruel · June 19, 2024, 1:00pm

I still won’t be able to pull with proxy after applied the same configuration

Topic		Replies	Views
Gitlab runner using Podman unable to pull helper image GitLab CI/CD	1	1717	July 7, 2023
Docker-machine proxy settings GitLab CI/CD ci , runner , docker	5	4853	June 22, 2022
Cannot connect to the Docker daemon at unix://var/run/docker.sock GitLab CI/CD ci , runner , docker	0	1339	September 3, 2020
Gitlab-runner with kubernetes executor behind proxy Infrastructure as Code & Cloud Native kubernetes	2	3214	October 15, 2024
Podman runner cannot resolve the repository hostname GitLab CI/CD runner , docker	2	534	September 16, 2024

Proxy for podman in podman setup

Related topics