apk update/add in the docker container under proxy giving permission denied #191

Closed
pktippa opened this issue Jun 22, 2016 · 40 comments

@pktippa

pktippa commented Jun 22, 2016

Running Docker on a host (CentOS, Red Hat Enterprise Linux Server release 7.2 (Maipo)) which is behind a proxy, I am able to pull alpine:3.4 by following the steps on Stack Overflow.

Now starting the container from alpine:3.4, setting the proxy, and running apk --update add curl gives me permission denied:

[root@xxx ~]# docker run -it alpine:3.4 sh
/ # export http_proxy=http://proxyuser:proxypassword@proxyip:proxyport
/ # export https_proxy=http://proxyuser:proxypassword@proxyip:proxyport
/ # apk --update add curl
fetch http://dl-cdn.alpinelinux.org/alpine/v3.4/main/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.4/main: Permission denied
WARNING: Ignoring APKINDEX.167438ca.tar.gz: No such file or directory
fetch http://dl-cdn.alpinelinux.org/alpine/v3.4/community/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.4/community: Permission denied
WARNING: Ignoring APKINDEX.a2e6dac0.tar.gz: No such file or directory
ERROR: unsatisfiable constraints:
  curl (missing):
    required by: world[curl]
/ #
@WTFKr0

WTFKr0 commented Jul 1, 2016

Got something similar with the python:2.7-alpine image:

FROM python:2.7-alpine
RUN pip install virtualenv
RUN apk add --update git && rm -rf /var/cache/apk/*

Gives me:

fetch http://dl-cdn.alpinelinux.org/alpine/v3.4/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.4/community/x86_64/APKINDEX.tar.gz
(1/6) Installing ca-certificates (20160104-r4)
(2/6) Installing libssh2 (1.7.0-r0)
(3/6) Installing libcurl (7.49.1-r0)
(4/6) Installing expat (2.1.1-r1)
(5/6) Installing pcre (8.38-r1)
(6/6) Installing git (2.8.3-r0)
ERROR: git-2.8.3-r0: Permission denied
Executing busybox-1.24.2-r9.trigger
Executing ca-certificates-20160104-r4.trigger
1 errors; 15 MiB in 23 packages

@absulation

Got something similar with the nginx:alpine image:

FROM nginx:alpine

MAINTAINER Mahmoud Zalt <mahmoud@zalt.me>

ENV http_proxy 'http://user:pass@10.78.2.60:9090'
ENV https_proxy 'http://user:pass@10.78.2.60:9090'

ADD nginx.conf /etc/nginx/
ADD laravel.conf /etc/nginx/conf.d/laravel.conf

ARG PHP_UPSTREAM=php-fpm

RUN apk update \
    && apk upgrade \
    && apk add --no-cache bash \
    && adduser -D -H -u 1000 -s /bin/bash www-data \
    && rm /etc/nginx/conf.d/default.conf \
    && echo "upstream php-upstream { server ${PHP_UPSTREAM}:9000; }" > /etc/nginx/conf.d/upstream.conf

CMD ["nginx"]

EXPOSE 80 443

Error result:

Step 8 : RUN apk update     && apk upgrade     && apk add --no-cache bash     && adduser -D -H -u 1000 -s /bin/bash www-data     && rm /etc/nginx/conf.d/default.conf     && echo "upstream php-upstream { server ${PHP_UPSTREAM}:9000; }" > /etc/nginx/conf.d/upstream.conf
 ---> Running in 204aabee34a1
fetch http://dl-cdn.alpinelinux.org/alpine/v3.3/main/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.3/main: Permission denied
WARNING: Ignoring APKINDEX.5a59b88b.tar.gz: No such file or directory
fetch http://dl-cdn.alpinelinux.org/alpine/v3.3/community/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.3/community: Permission denied
WARNING: Ignoring APKINDEX.7c1f02d6.tar.gz: No such file or directory
2 errors; 31 distinct packages available
ERROR: Service 'nginx' failed to build: The command '/bin/sh -c apk update     && apk upgrade     && apk add --no-cache bash     && adduser -D -H -u 1000 -s /bin/bash www-data     && rm /etc/nginx/conf.d/default.conf     && echo "upstream php-upstream { server ${PHP_UPSTREAM}:9000; }" > /etc/nginx/conf.d/upstream.conf' returned a non-zero code: 2

@kiranpradeep

kiranpradeep commented Aug 24, 2016

I tried this and saw that it is just the apk tool that is failing. When I tried wget in an alpine:3.4 docker container behind the proxy, wget succeeded. But the apk tool continues giving a permission denied error. Does the apk tool under Alpine honor the http_proxy/https_proxy environment variables?

@stevezxu

I am seeing the same thing, permission denied. Is there any solution or workaround for this?

@ncopa
Collaborator

ncopa commented Aug 28, 2016

Can you try running strace apk update and see what it tries to connect to? apk should honor http_proxy and HTTP_PROXY. Not sure if it honors the https variants.

@kiranpradeep

@ncopa strace isn't installed in the alpine image, so we cannot run it. Is strace for alpine downloadable from any URL? I could use wget if we have a URL.

@ncopa
Collaborator

ncopa commented Sep 5, 2016

@kiranpradeep apk add --no-cache strace

@kiranpradeep

@ncopa :) I downloaded (wget) strace from here (1) and installed it with apk add strace-4.13-r0.apk. Then I ran strace apk add --no-cache vim to get the attached error log.

@ghost

ghost commented Sep 14, 2016

It seems that apk uses libfetch, which accepts the HTTP_PROXY_AUTH environment variable. I could work around this issue as follows:

export http_proxy=http://proxyhost:proxyport
export HTTP_PROXY_AUTH=basic:*:proxyuser:proxypass

Please note that upper case letters must be used for HTTP_PROXY_AUTH.

@cridam

cridam commented Sep 23, 2016

Coming back to this issue. The workaround doesn't work when no authentication is required at the proxy side. I'm running on docker 1.12.1 (I see docker info | grep Security => seccomp). Running strace also fails with Operation not permitted.
My guess is something goes wrong with security options, but how to deal with it?

I still get this sequence:
docker run -it alpine:3.3 sh
apk update
fetch http://dl-cdn.alpinelinux.org/alpine/v3.3/main/x86_64/APKINDEX.tar.gz
^C
wget http://dl-cdn.alpinelinux.org/alpine/v3.3/main/x86_64/APKINDEX.tar.gz
Connecting to dl-cdn.alpinelinux.org (151.101.44.249:80)
^C
/ # export http_proxy=http://proxyhost:proxyport
/ # export https_proxy=http://proxyhost:proxyport
/ # wget http://dl-cdn.alpinelinux.org/alpine/v3.3/main/x86_64/APKINDEX.tar.gz
Connecting to proxy (proxy)
APKINDEX.tar.gz 100%
/ # apk update
fetch http://dl-cdn.alpinelinux.org/alpine/v3.3/main/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.3/main: Permission denied
/ strace apk update
strace: ptrace(PTRACE_TRACEME, ...): Operation not permitted

@cridam

cridam commented Sep 23, 2016

docker run -v /apk/addons:/custo --security-opt seccomp:unconfined --cap-add SYS_PTRACE -e http_proxy=http://proxyhost:proxyport -e https_proxy=http://proxyhost:proxyport -it alpine:3.3 sh
/# apk add /custo/strace-4.13-r0.apk
/# strace apk update
=> get a 407.
The mistake was with the proxy I was using.
Just to close the thread, adding the tip for running strace on docker 1.12.

@andyshinn
Contributor

Closing as it sounds like the workaround here is to set HTTP_PROXY_AUTH=basic:*:proxyuser:proxypass as well as your normal proxy information.

@unoexperto

unoexperto commented Dec 21, 2016

I have the same problem with plain vanilla alpine on

docker run -it --name test alpine:latest /bin/ash

I have no proxy. What should I do?

I can't install strace either

/ # wget http://dl-4.alpinelinux.org/alpine/edge/main/x86_64/strace-4.14-r0.apk
Connecting to dl-4.alpinelinux.org (74.117.189.114:80)
wget: server returned error: HTTP/1.1 403 Forbidden

It's happening only on an AWS EC2 instance. Here is the export output:

declare -x AWS_AUTO_SCALING_HOME="/opt/aws/apitools/as"
declare -x AWS_CLOUDWATCH_HOME="/opt/aws/apitools/mon"
declare -x AWS_ELB_HOME="/opt/aws/apitools/elb"
declare -x AWS_PATH="/opt/aws"
declare -x EC2_AMITOOL_HOME="/opt/aws/amitools/ec2"
declare -x EC2_HOME="/opt/aws/apitools/ec2"
declare -x HISTCONTROL="ignoredups"
declare -x HISTSIZE="1000"
declare -x HOSTNAME="ip-172-30-0-247"
declare -x JAVA_HOME="/usr/lib/jvm/java"
declare -x LANG="en_US.UTF-8"
declare -x LESSOPEN="||/usr/bin/lesspipe.sh %s"
declare -x LESS_TERMCAP_mb=""
declare -x LESS_TERMCAP_md=""
declare -x LESS_TERMCAP_me=""
declare -x LESS_TERMCAP_se=""
declare -x LESS_TERMCAP_ue=""
declare -x LESS_TERMCAP_us=""
declare -x PATH="/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/aws/bin"
declare -x SHELL="/bin/bash"
declare -x SHLVL="1"
declare -x SSH_TTY="/dev/pts/0"
declare -x TERM="xterm-256color"

@omoloro

omoloro commented Jul 10, 2017

@unoexperto you've probably solved your issue by now but this may be useful to someone else.

I had a similar issue also on EC2, running Docker 17.06.0-ce.

To troubleshoot, I tried wget in my Dockerfile
wget http://dl-cdn.alpinelinux.org/alpine/v3.4/main/x86_64/APKINDEX.tar.gz
but got 403s as well, then instead of trying

I then switched to HTTPS and tried
wget https://dl-cdn.alpinelinux.org/alpine/v3.4/main/x86_64/APKINDEX.tar.gz and that worked after I turned the SSL certificate check off.

However https://dl-3.alpinelinux.org had a valid certificate so I set that as my repository in my Dockerfile.

RUN echo 'https://dl-3.alpinelinux.org/alpine/v3.4/main' > /etc/apk/repositories

However, while attempting to apk install --no-cache --update nodejs I got the following warning and error

WARNING: The repository tag for world dependency 'php5-redis@testing' does not exist
ERROR: Not committing changes due to missing repository tags. Use --force to override.

So I added testing and community repositories like so

RUN echo 'https://dl-3.alpinelinux.org/alpine/v3.4/main' > /etc/apk/repositories  && \
    echo '@testing https://dl-3.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories && \
    echo '@community https://dl-3.alpinelinux.org/alpine/v3.4/community' >> /etc/apk/repositories

Everything worked happily after that.

@arikkfir

Hi all - I'm sure all involved have moved on, but in case someone else finds this - this might also help (in addition to what @omoloro mentioned above)

I encountered this issue on our Google Cloud Compute instance running ubuntu 17.04. None of the fixes here helped, so I decided to see if the same thing happens on Centos 7 - and it worked on first try!

We don't use any proxy server ourselves, but I imagine that running in a VM inside a cloud would mean that there's some kind of proxy along the path in their infrastructure. In any case, I'm assuming there's something in Ubuntu's configuration (not necessarily related to Docker) that [indirectly] causes this.

@flavioribeirojr

Was someone able to use this image with an https proxy?

@Xuraiis

Xuraiis commented Sep 9, 2018

All in all, problems should have been fixed by specifying --build-arg http_proxy="$http_proxy" --build-arg https_proxy="$https_proxy" for $ docker build, with http_proxy and https_proxy defined in /etc/environment on the host system.

Except I ran into the situation where http_proxy and https_proxy contained special characters in the username and password fields. Something like:

http://userlocation\username:password@proxy.xyz:80 (notably the "\")
and needed to be defined as:
http://userlocation%5Cusername:password@proxy.xyz:80 (notably the "%5C")

This worked on the host system (ubuntu), but apk did not support this, and vice-versa.

The problem was fixed by defining http_proxy_unescaped and https_proxy_unescaped and passing these to $ docker build, e.g. --build-arg http_proxy="$http_proxy_unescaped" --build-arg https_proxy="$https_proxy_unescaped"

@montao

montao commented Oct 26, 2018

I don't understand. The "solutions" are not working for us. We still get permission denied, no matter what we try.

@AndolsiZied

AndolsiZied commented Oct 26, 2018

After several attempts with several combinations, I found the magic solution:
HTTP_PROXY_AUTH=basic:*:proxy_user:proxy_password
HTTP_PROXY=http://proxy_host:proxy_port
HTTPS_PROXY=http://proxy_host:proxy_port
My password contains the @ character, I left it as it is.

@ghost

ghost commented Nov 4, 2018

I've tried it and got the same solution.

ng1

# export http_proxy=http://proxy@user:proxy_passwd@proxy.host:8080
# apk update
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.8/main: DNS lookup error
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/community/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.8/community: DNS lookup error

apk can't resolve the proxy host name without percent-encoding.

ng2

# export http_proxy=http://proxy%40user:proxy_passwd@proxy.host:8080
# apk update
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.8/main: Permission denied
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/community/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.8/community: Permission denied

Probably libfetch does not support percent-encoding.
see: libfetch/http.c

ok

# export http_proxy=http://proxy.host:8080
# export HTTP_PROXY_AUTH=basic:*:proxy@user:proxy_passwd
# apk update

docker build

# cat Dockerfile
FROM alpine
ARG HTTP_PROXY_AUTH
RUN apk update
# docker build --build-arg http_proxy=... --build-arg HTTP_PROXY_AUTH=... -t mycontainer .
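
The split that the comments above arrive at (credentials taken out of the proxy URL and passed raw in HTTP_PROXY_AUTH) can be scripted; this is an added example, not code from the thread or from apk-tools, and it goes beyond the thread's cases by decoding any %HH escape. The function names `urldecode` and `split_proxy_url`, the variables `proxy_url` and `proxy_auth`, and the sample URL are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Function and variable names are hypothetical.

# urldecode STRING: print STRING with each %HH escape replaced by its byte.
urldecode() {
    s=$1 out=
    while [ -n "$s" ]; do
        case $s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${s#%}; hex=${hex%"${hex#??}"}      # the two hex digits
                out=$out$(printf '%b' "\\0$(printf '%o' "$((0x$hex))")")
                s=${s#%??} ;;
            *)
                out=$out${s%"${s#?}"}                   # copy one literal character
                s=${s#?} ;;
        esac
    done
    printf '%s' "$out"
}

# split_proxy_url URL: set proxy_url (no credentials) and proxy_auth
# (HTTP_PROXY_AUTH value in the basic:*:user:password form used in the thread).
# proxy_auth stays empty when the URL carries no credentials.
split_proxy_url() {
    scheme=${1%%://*}
    rest=${1#*://}
    rest=${rest%%/*}                 # drop any trailing path
    case $rest in
        *@*) userinfo=${rest%@*}     # split at the LAST '@': the user or the
             hostport=${rest##*@} ;; # password may itself contain a raw '@'
        *)   userinfo=
             hostport=$rest ;;
    esac
    proxy_url=$scheme://$hostport
    proxy_auth=
    if [ -n "$userinfo" ]; then
        user=${userinfo%%:*}         # user name ends at the first ':'
        case $userinfo in
            *:*) pass=${userinfo#*:} ;;
            *)   pass= ;;
        esac
        proxy_auth="basic:*:$(urldecode "$user"):$(urldecode "$pass")"
    fi
}

# Constructed sample, same shape as the escaped URL quoted in the thread.
split_proxy_url 'http://userlocation%5Cusername:password@proxy.xyz:80'
export http_proxy="$proxy_url" HTTP_PROXY="$proxy_url" HTTP_PROXY_AUTH="$proxy_auth"
echo "http_proxy=$http_proxy (HTTP_PROXY_AUTH set, not echoed)"
```

When the result feeds `docker build`, Docker leaves its predefined proxy build args (`http_proxy`, `HTTP_PROXY`, and so on) out of `docker history`, but `HTTP_PROXY_AUTH` declared with `ARG` is an ordinary build arg whose value can be read back from the image history.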

@etlfg

etlfg commented Apr 30, 2019

@crts-xxx I managed to make it work doing as @AndolsiZied said :

  • HTTP_PROXY_AUTH has to be basic:*:proxy_user:proxy_password not basic:*:proxy@proxy_user:proxy_password # remove 'proxy@'
  • HTTP_PROXY must be defined, not http_proxy but the pattern is as you say

@bakayolo

Crazy I spent so much time on it... Thanks @crts-xxx .
I would just add the quotes on the password.

export HTTP_PROXY_AUTH='basic:*:proxy@user:proxy_passwd'

@etlfg proxy@user is the username. ;)
He just highlights that we must not percent-encode the characters.

@nikhilbakshi

It appears that apk only honours the HTTP_PROXY variable and not http_proxy. So your environment variable has to be all caps. Same for HTTPS_PROXY. Do not use small case proxy environment variable here.

@ajaysheoran2323

I am using only an EC2. I don't have any proxy. Still I am facing the same issue.

@MartinMajewski

Same issue without using a proxy!
Alpine is such a pain...

@ncopa
Collaborator

ncopa commented Aug 9, 2019

Same issue without using a proxy!

Then you have a different issue, since this was about the use of proxy.

@MartinMajewski

Same issue without using a proxy!

Then you have a different issue, since this was about the use of proxy.

The issue is precisely the same, but the environmental circumstances are different. I'm getting the same error, but the solution is not feasible for my case. What to do? Open a new issue ticket which will be closed because everyone assumes it must be the proxy to which a solution was given here in this thread? Please instruct...

@ncopa
Collaborator

ncopa commented Aug 9, 2019

Then you have a different issue, since this was about the use of proxy.

The issue is precisely the same, but the environmental circumstances are different. I'm getting the same error, but the solution is not feasible for my case. What to do? Open a new issue ticket which will be closed because everyone assumes it must be the proxy to which a solution was given here in this thread? Please instruct...

Please create a new ticket, but without using the word proxy in the title. Then describe how to reproduce it.

@spidgorny

Setting environment variables and then running sudo is a bad idea. Commands under sudo have their own environment variables.

> export http_proxy=xxx
> sudo apk add something

will not work. Solution:

> sudo bash
# export ...
# apk add something

@deniswal

deniswal commented Apr 2, 2020

sudo -E keeps your environment variables.

@IPreferWater

IPreferWater commented Sep 22, 2020

same problem for golang image with

RUN apk update && apk add alpine-sdk git && rm -rf /var/cache/apk/*

add in Dockerfile

ENV http_proxy=**your_proxy**
ENV https_proxy=**your_proxy**

worked

@utrotzek

Closing as it sounds like the workaround here is to set HTTP_PROXY_AUTH=basic:*:proxyuser:proxypass as well as your normal proxy information.

Unfortunately this workaround can't be used if the proxy server does not accept any authentication credentials. In my environment, behind a corporate firewall, I can't get it to work as I cannot use HTTP_PROXY_AUTH 🤷

@joespitch

Still seeing this. For me it was also DNS related. I did not have the option of rebuilding the container however.
I was however able to correctly ping 8.8.8.8 but not access dl-cdn.alpinelinux.org. In my case it was sufficient to add a new entry to the top of /etc/resolv.conf:

nameserver 8.8.8.8

@felixsilberstein

In my case I was able to avoid this error after disconnecting from my company's VPN

@nodje

nodje commented Apr 11, 2022

This solution consistently doesn't work with special characters.
Has it really been fixed in https://git.alpinelinux.org/apk-tools/tree/libfetch/http.c ?

@sunw31

sunw31 commented May 15, 2022

RUN apk add ca-certificates --no-cache

@im-alexandre

After several attempts with several combinations, I found the magic solution : HTTP_PROXY_AUTH=basic:*:proxy_user:proxy_password HTTP_PROXY=http://proxy_host:proxy_port HTTPS_PROXY=http://proxy_host:proxy_port My password contains the @ character, I left it as it is.

I've spent sooooo much time changing my image from a slim and gorgeous alpine to a bloated ubuntu based...
Glad to see it now. Thanks!!!!

@rodcloutier

Unfortunately this workaround can't be used if the proxy server does not accept any authentication credentials. In my environment, behind a corporate firewall, I can't get it to work as I cannot use HTTP_PROXY_AUTH

@utrotzek you must use export HTTP_PROXY_AUTH= without any value.

@luisgulo

docker build --build-arg http_proxy="http://proxy:port" --build-arg https_proxy="http://proxy:port" --tag my-image:x.y .

!!! "http://proxy:port" !!!!
It's running !

@TimurIskandarov

docker build --build-arg HTTPS_PROXY="http://192.168.225.35:8888" -t app:build .
