I am trying to learn about Docker by installing it on an Oracle Linux 7 VM on top of VirtualBox on my work laptop. My work laptop uses Zscaler. I had a bunch of certificate issues and ended up learning a lot about Docker by working around them. I tried to do the Sample Application – really the simplest first step in the Docker documentation – and had all kinds of trouble getting it to work. Ultimately, I ended up with a Dockerfile that looked like this:
[root@docker ~]# cat Dockerfile
# syntax=docker/dockerfile:1
FROM oraclelinux:7
COPY z.pem /etc/pki/ca-trust/source/anchors/z.pem
RUN update-ca-trust
RUN echo sslverify=false >> /etc/yum.conf
RUN yum install -y oracle-nodejs-release-el7 oracle-release-el7
RUN yum install -y nodejs
RUN npm install -g npm
RUN npm install -g yarn
WORKDIR /app
COPY . .
RUN yarn config set "strict-ssl" false -g
RUN yarn install --production
CMD ["node", "src/index.js"]
EXPOSE 3000
By contrast the Dockerfile that was supposed to work looks like this:
# syntax=docker/dockerfile:1
FROM node:12-alpine
RUN apk add --no-cache python2 g++ make
WORKDIR /app
COPY . .
RUN yarn install --production
CMD ["node", "src/index.js"]
EXPOSE 3000
I ended up using the oraclelinux:7 image because it had more stuff installed such as update-ca-trust. Because I could not get anything to work with Zscaler I had to start with an image that did not require me to pull more stuff down with yum. Then, after playing with it I still ended up disabling SSL verification on yum and yarn. I had to install node since I was starting with a plain Linux image and not a node image.
I had these instructions for getting Zscaler to work on my Oracle Linux 7 VirtualBox VMs on my company computer:
Had to extract Zscaler .cer root ca from Chrome browser as z.cer.
Moved to linux and ran:
openssl x509 -inform der -in z.cer -outform der -out z.pem
copied z.pem to /etc/pki/ca-trust/source/anchors/
ran update-ca-trust
worked.
I do not know if this is really doing anything. It affects curl so that I can use curl without the -k option to disable SSL verification. Maybe things that use curl under the covers are affected by adding z.pem to the trusted certificates.
Anyway, I just wanted to document this for myself. Maybe someone out there will benefit also.
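An added example, not part of the original post or its comments: the post's Dockerfile reworked so the build trusts the Zscaler root CA everywhere instead of turning verification off for yum and yarn. It assumes z.pem is PEM-encoded and that the proxy re-signs every HTTPS connection made during the build with that one root; `NODE_EXTRA_CA_CERTS` is the Node.js environment variable for additional trusted CAs.

```dockerfile
# syntax=docker/dockerfile:1
FROM oraclelinux:7

# Assumption: z.pem is the Zscaler root CA in PEM form, e.g. produced with
#   openssl x509 -inform der -in z.cer -outform pem -out z.pem
# (NODE_EXTRA_CA_CERTS below only accepts PEM).
COPY z.pem /etc/pki/ca-trust/source/anchors/z.pem

# Rebuild the system CA bundle so it includes the Zscaler root.
RUN update-ca-trust

# yum validates against the system bundle rebuilt above, so
# "sslverify=false" is deliberately not written to /etc/yum.conf.
RUN yum install -y oracle-nodejs-release-el7 oracle-release-el7
RUN yum install -y nodejs

# Node.js ships its own CA list and does not read the system bundle.
# This variable adds the Zscaler root for node, npm and yarn alike.
ENV NODE_EXTRA_CA_CERTS=/etc/pki/ca-trust/source/anchors/z.pem

RUN npm install -g npm
RUN npm install -g yarn

WORKDIR /app
COPY . .

# strict-ssl stays at its default (true); no "strict-ssl false" here.
RUN yarn install --production

CMD ["node", "src/index.js"]
EXPOSE 3000
```

Because `ENV` persists into the final image, the running container also trusts the Zscaler root; drop that line into a separate build stage if the image will run outside the proxied network.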
I found a more standard work-around that works in most containers and that is to set HTTP_PROXY and similar environment variables, in this example:
# Zscaler requires these environment variables set
COPY ./zcert.pem /tmp/zcert.pem
# SKIP this bit as not needed on PC
# Adding build tools to make yarn install work on Apple silicon / arm64 machines
#RUN apk add --no-cache python2 g++ make
COPY . .
# Tell yarn to use Zscaler cert
RUN yarn config set strict-ssl true -g
RUN yarn config set cafile /tmp/zcert.pem -g
# Carry on with rest of usual approach
RUN yarn install --production
CMD ["node", "src/index.js"]
Thank you for your comment. I have not had time to test this on my system but I appreciate the information.