I am trying to learn about Docker by installing it on an Oracle Linux 7 VM on top of VirtualBox on my work laptop. My work laptop uses Zscaler. I had a bunch of certificate issues and ended up learning a lot about Docker by working around them. I tried to do the Sample Application – really the simplest first step in the Docker documentation – and had all kinds of trouble getting it to work. Ultimately, I ended up with a Dockerfile that looked like this:
```
[root@docker ~]# cat Dockerfile
# syntax=docker/dockerfile:1
FROM oraclelinux:7
COPY z.pem /etc/pki/ca-trust/source/anchors/z.pem
RUN update-ca-trust
RUN echo sslverify=false >> /etc/yum.conf
RUN yum install -y oracle-nodejs-release-el7 oracle-release-el7
RUN yum install -y nodejs
RUN npm install -g npm
RUN npm install -g yarn
WORKDIR /app
COPY . .
RUN yarn config set "strict-ssl" false -g
RUN yarn install --production
CMD ["node", "src/index.js"]
EXPOSE 3000
```
By contrast the Dockerfile that was supposed to work looks like this:
```
# syntax=docker/dockerfile:1
FROM node:12-alpine
RUN apk add --no-cache python2 g++ make
WORKDIR /app
COPY . .
RUN yarn install --production
CMD ["node", "src/index.js"]
EXPOSE 3000
```
I ended up using the oraclelinux:7 image because it had more stuff installed such as update-ca-trust. Because I could not get anything to work with Zscaler I had to start with an image that did not require me to pull more stuff down with yum. Then, after playing with it I still ended up disabling SSL verification on yum and yarn. I had to install node since I was starting with a plain Linux image and not a node image.
I had these instructions for getting Zscaler to work on my Oracle Linux 7 VirtualBox VMs on my company computer:
Had to extract the Zscaler .cer root CA from the Chrome browser as z.cer.
Moved to Linux and ran:
```
openssl x509 -inform der -in z.cer -outform der -out z.pem
```
Copied z.pem to /etc/pki/ca-trust/source/anchors/
Ran
```
update-ca-trust
```
Worked.
I do not know if this is really doing anything. It affects curl so that I can use curl without the -k option to disable SSL verification. Maybe things that use curl under the covers are affected by adding z.pem to the trusted certificates.
Anyway, I just wanted to document this for myself. Maybe someone out there will benefit also.
Bobby
I found a more standard work-around that works in most containers and that is to set HTTP_PROXY and similar environment variables, in this example:
```
FROM node:12-alpine
# Zscaler requires these environment variables set
ENV HTTP_PROXY='http://gateway.zscloud.net:80'
ENV HTTPS_PROXY='http://gateway.zscloud.net:80'
ENV NO_PROXY='.local,localhost'
COPY ./zcert.pem /tmp/zcert.pem
# SKIP this bit as not needed on PC
# Adding build tools to make yarn install work on Apple silicon / arm64 machines
#RUN apk add --no-cache python2 g++ make
WORKDIR /app
COPY . .
# Tell yarn to use Zscaler cert
RUN yarn config set strict-ssl true -g
RUN yarn config set cafile /tmp/zcert.pem -g
# Carry on with rest of usual approach
RUN yarn install --production
CMD ["node", "src/index.js"]
EXPOSE 3000
```
Thank you for your comment. I have not had time to test this on my system but I appreciate the information.
Bobby
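A check that a build pipeline could run over Dockerfiles like the ones in the post and the comment, flagging instructions that switch off TLS certificate verification. This is an added example, not code from the post, the comment or the Docker documentation; the function names and the two sample Dockerfiles are constructed here, and the patterns go beyond the post's yum and yarn settings to cover the Node.js environment variable and the curl and wget switches that have the same effect.

```shell
#!/bin/sh
# Added example (not from the original post): flag Dockerfile instructions
# that switch off TLS certificate verification.

# scan_dockerfile [FILE]: print "lineno:text" for each offending instruction.
# Reads stdin when FILE is omitted. Returns 1 if anything was flagged, else 0.
scan_dockerfile() {
  hits=$(cat "${1:--}" | grep -nEi \
      -e 'sslverify[[:space:]]*=[[:space:]]*(false|0|no)' \
      -e "strict-ssl[\"']?[[:space:]=]+(false|0)" \
      -e "NODE_TLS_REJECT_UNAUTHORIZED[[:space:]]*=[[:space:]]*[\"']?0" \
      -e 'curl[[:space:]].*[[:space:]](-k|--insecure)([[:space:]]|$)' \
      -e 'wget[[:space:]].*--no-check-certificate' \
    | grep -vE '^[0-9]+:[[:space:]]*#') || true   # drop commented-out lines
  if [ -z "$hits" ]; then return 0; fi
  printf '%s\n' "$hits"
  return 1
}

# Constructed sample: the instructions from the post's Dockerfile that matter here.
post_dockerfile() {
  cat <<'EOF'
FROM oraclelinux:7
COPY z.pem /etc/pki/ca-trust/source/anchors/z.pem
RUN update-ca-trust
RUN echo sslverify=false >> /etc/yum.conf
RUN yarn config set "strict-ssl" false -g
RUN yarn install --production
EOF
}

# Constructed sample: the verification-preserving settings from the comment,
# plus one commented-out line that must not be flagged.
comment_dockerfile() {
  cat <<'EOF'
FROM node:12-alpine
COPY ./zcert.pem /tmp/zcert.pem
# RUN yarn config set strict-ssl false -g
RUN yarn config set strict-ssl true -g
RUN yarn config set cafile /tmp/zcert.pem -g
RUN yarn install --production
EOF
}

# Demo run: the first scan reports two lines, the second reports none.
post_dockerfile | scan_dockerfile || true
comment_dockerfile | scan_dockerfile && echo "comment Dockerfile: nothing flagged"
```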