docker-alpine: apk update/add in the docker container under proxy giving permission denied

Closing as it sounds like the workaround here is to set HTTP_PROXY_AUTH=basic:*:proxyuser:proxypass as well as your normal proxy information.

Same issue without using a proxy! Alpine is such a pain…

After several attempts with several combinations, I found the magic solution : HTTP_PROXY_AUTH=basic:*:proxy_user:proxy_password HTTP_PROXY=http://proxy_host:proxy_port HTTPS_PROXY=http://proxy_host:proxy_port My password contains the @ character, I left it as it is.

It seems that apk uses libfetch, which accepts HTTP_PROXY_AUTH environment variable. I could workaround this issue as following:

export http_proxy=http://proxyhost:proxyport
export HTTP_PROXY_AUTH=basic:*:proxyuser:proxypass

Please note that upper case letters must be used for HTTP_PROXY_AUTH .

@kiranpradeep apk add --no-cache strace

Closing as it sounds like the workaround here is to set HTTP_PROXY_AUTH=basic:*:proxyuser:proxypass as well as your normal proxy information.

Unfortunately this workaround can’t be used if the proxy server does not accept any authentication credentials. In my environment, behind a coorporate firewall, I can’t get it to work as I cannot use HTTP_PROXY_AUTH 🤷

I tried this and saw that, it is just the apk tool that is failing. When I tried wget on alpine:3.4 docker container under proxy, wget succeeds. But apk tool continue giving permission denied error. Does the apk tool under alpine, honor http_proxy/https_proxy environment variables ?

I’ve tried it and got the same solution.

ng1

# export http_proxy=http://proxy@user:proxy_passwd@proxy.host:8080
# apk update
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.8/main: DNS lookup error
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/community/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.8/community: DNS lookup error

apk can’t resolve the proxy host name without percent-encoding.

ng2

# export http_proxy=http://proxy%40user:proxy_passwd@proxy.host:8080
# apk update
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.8/main: Permission denied
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/community/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.8/community: Permission denied

Probably libfetch does not support percent-encoding.
see: libfetch/http.c

ok

# export http_proxy=http://proxy.host:8080
# export HTTP_PROXY_AUTH=basic:*:proxy@user:proxy_passwd
# apk update

docker build

# cat Dockerfile
FROM alpine
ARG HTTP_PROXY_AUTH
RUN apk update
# docker build --build-arg http_proxy=... --build-arg HTTP_PROXY_AUTH=... -t mycontainer .

Got something similar with the nginx:alpine image :

FROM nginx:alpine

MAINTAINER Mahmoud Zalt <mahmoud@zalt.me>

ENV http_proxy 'http://user:pass@10.78.2.60:9090'
ENV https_proxy 'http://user:pass@10.78.2.60:9090'

ADD nginx.conf /etc/nginx/
ADD laravel.conf /etc/nginx/conf.d/laravel.conf

ARG PHP_UPSTREAM=php-fpm

RUN apk update \
    && apk upgrade \
    && apk add --no-cache bash \
    && adduser -D -H -u 1000 -s /bin/bash www-data \
    && rm /etc/nginx/conf.d/default.conf \
    && echo "upstream php-upstream { server ${PHP_UPSTREAM}:9000; }" > /etc/nginx/conf.d/upstream.conf

CMD ["nginx"]

EXPOSE 80 443

Error Result :

Step 8 : RUN apk update     && apk upgrade     && apk add --no-cache bash     && adduser -D -H -u 1000 -s /bin/bash www-data     && rm /etc/nginx/conf.d/default.conf     && echo "upstream php-upstream { server ${PHP_UPSTREAM}:9000; }" > /etc/nginx/conf.d/upstream.conf
 ---> Running in 204aabee34a1
fetch http://dl-cdn.alpinelinux.org/alpine/v3.3/main/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.3/main: Permission denied
WARNING: Ignoring APKINDEX.5a59b88b.tar.gz: No such file or directory
fetch http://dl-cdn.alpinelinux.org/alpine/v3.3/community/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.3/community: Permission denied
WARNING: Ignoring APKINDEX.7c1f02d6.tar.gz: No such file or directory
2 errors; 31 distinct packages available
ERROR: Service 'nginx' failed to build: The command '/bin/sh -c apk update     && apk upgrade     && apk add --no-cache bash     && adduser -D -H -u 1000 -s /bin/bash www-data     && rm /etc/nginx/conf.d/default.conf     && echo "upstream php-upstream { server ${PHP_UPSTREAM}:9000; }" > /etc/nginx/conf.d/upstream.conf' returned a non-zero code: 2

I don’t understand. The “solutions” are not working for us. We still get permission denied, no matter what we try.

@unoexperto you’ve probably solved your issue by now but this may be useful to someone else.

I had a similar issue also on EC2, running Docker 17.06.0-ce.

To troubleshoot, I tried wget in my Dockerfile wget http://dl-cdn.alpinelinux.org/alpine/v3.4/main/x86_64/APKINDEX.tar.gz but got 403s as well, then instead of trying

I then switched to HTTPS and tried wget https://dl-cdn.alpinelinux.org/alpine/v3.4/main/x86_64/APKINDEX.tar.gz and that worked after I turned the SSL certificate check off.

However https://dl-3.alpinelinux.org had a valid certificate so I set that as my repository in my Dockerfile.

RUN echo 'https://dl-3.alpinelinux.org/alpine/v3.4/main' > /etc/apk/repositories

However, while attempting to apk install --no-cache --update nodejs I got the following warning and error

WARNING: The repository tag for world dependency 'php5-redis@testing' does not exist
ERROR: Not committing changes due to missing repository tags. Use --force to override.

So I added testing and community repositories like so

RUN echo 'https://dl-3.alpinelinux.org/alpine/v3.4/main' > /etc/apk/repositories  && \
    echo '@testing https://dl-3.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories && \
    echo '@community https://dl-3.alpinelinux.org/alpine/v3.4/community'

Everything worked happily after that.

All in all problems should have been fix with specifying --build-args http_proxy="$http_proxy" --build-args https_proxy="$https_proxy" for $ docker build, with http_proxy and https_proxy defined in /etc/environment on the host system.

Except I ran into the situation where http_proxy and https_proxy contained special characters in the username and password fields. Something like:

http://userlocation\username:password@proxy.xyz:80 (notably the “\”) and needed to be defined as: http://userlocation%5Cusername:password@proxy.xyz:80 (notably the “%5C”)

This worked on the host system (ubuntu), but apk did not support this, and vice-versa.

Problem was fixed by defining http_proxy_unescaped and https_proxy_unescaped and passing these to $ docker build. eg. --build-args http_proxy="$http_proxy_unescaped" --build-args https_proxy="$https_proxy_unescaped"

sudo -E keeps your environment variables.

Come back to that issue. The work around doens’t work when no authentication is requried at proxy side. I m running over docker 1.12.1 (I see docker info | grep Security => seccomp). Running strace fails with also Operation not permitted. My guess is something goes wrong with security options, but how to deal with ?

I still get the sequences : docker run -it alpine:3.3 sh apk update fetch http://dl-cdn.alpinelinux.org/alpine/v3.3/main/x86_64/APKINDEX.tar.gz ^C wget http://dl-cdn.alpinelinux.org/alpine/v3.3/main/x86_64/APKINDEX.tar.gz Connecting to dl-cdn.alpinelinux.org (151.101.44.249:80) ^C / # export http_proxy=http://proxyhost:proxyport / # export https_proxy=http://proxyhost:proxyport / # wget http://dl-cdn.alpinelinux.org/alpine/v3.3/main/x86_64/APKINDEX.tar.gz Connecting to proxy (proxy) APKINDEX.tar.gz 100% / # apk update fetch http://dl-cdn.alpinelinux.org/alpine/v3.3/main/x86_64/APKINDEX.tar.gz ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.3/main: Permission denied / strace apk update strace: ptrace(PTRACE_TRACEME, …): Operation not permitted

Someone was able to use this image with https proxy?

docker run -v /apk/addons:/custo --security-opt seccomp:unconfined --cap-add SYS_PTRACE -e http_proxy=http://proxyhost:proxyport -e https_proxy=http://proxyhost:proxyport -it alpine:3.3 sh /# apk add /custo/strace-4.13-r0.apk /# strace apk update => get a 407 . The mistake comes with the proxy i was using. Just to close the thread adding the tip for running strace over 1.12 docker.

In my case I was able to avoid this error after disconnecting from my company’s VPN

same problem for golang image with

RUN apk update && apk add alpine-sdk git && rm -rf /var/cache/apk/*

add in Dockerfile

ENV http_proxy=**your_proxy**
ENV https_proxy=**your_proxy**

worked

Same issue without using a proxy!

Then you have a different issue, since this was about the use of proxy.

The issue is precisely the same, but the environmental circumstances are different. I’m getting the same error, but the solution is not feasible for my case. What to do? Open a new issue ticket which will be closed because everyone assumes it must be the proxy to which a solution was given here in this thread? Please instruct…

It appears that apk only honours the HTTP_PROXY variable and not http_proxy. So your environment variable has to be all caps. Same for HTTPS_PROXY. Do not use small case proxy environment variable here.

Hi all - I’m sure all involved have moved on, but in case someone else finds this - this might also help (in addition to what @omoloro mentioned above)

I encountered this issue on our Google Cloud Compute instance running ubuntu 17.04. None of the fixes here helped, so I decided to see if the same thing happens on Centos 7 - and it worked on first try!

We don’t use any proxy server ourselves, but I imagine that running in a VM inside a cloud would mean that there’s some kind of proxy along the path in their infrastructure. In any case, I’m assuming there’s something in Ubuntu’s configuration (not necessarily related to Docker) that [indirectly] causes this.