add some Docker Desktop for Mac instructions (#58, #50 and others)

rpardini · rpardini · commit 93f3d5749f46 · 2020-11-09T12:32:19.000+01:00
diff --git a/Docker-for-Mac.md b/Docker-for-Mac.md
@@ -0,0 +1,48 @@
+# Using a Docker Desktop for Mac as a client for the proxy (stable version)
+
+First, know this is a MiTM, and could break with new Docker Desktop for Mac releases or during resets/reinstalls/upgrades.
+
+These instructions tested on Mac OS Catalina, and:
+- Docker Desktop for Mac `2.5.0.0` (Stable) (which provides Docker `19.03`)
+- Docker Desktop for Mac `2.4.2.0` (Edge) (which provides Docker `20.10.0-beta1`)
+
+This assumes you have `docker-registry-proxy` running _somewhere else_, eg, on a different machine on your local network.
+
+See the main [README.md](README.md) for instructions. (If you're trying to run both proxy and client on the same machine, see below).
+
+For these examples I will assume it is successfully running on `http://192.168.1.2:3128/`
+
+- Make sure you can access the proxy. On your Mac/Terminal (not Docker), run:
+  ```shell script
+  # with wget...
+  wget --quiet -O - "http://192.168.1.2:3128/"
+  # ... or, with curl:
+  curl "http://192.168.1.2:3128/"
+  ```
+- Make sure your Docker Desktop for Mac install is pristine like new, go into Troubleshoot > "Reset to Factory defaults".
+- Inject the CA certificates into the Docker install inside the HyperKit VM running LinuxKit that is used by Docker Desktop for Mac.
+  To do that, we use a privileged container. `justincormack/nsenter1` does the job nicely: 
+  ```shell script
+  docker run -it --privileged --pid=host justincormack/nsenter1 /bin/bash -c "wget -O - http://192.168.1.2:3128/ca.crt | tee -a /containers/services/docker/lower/etc/ssl/certs/ca-certificates.crt"
+  ```
+- Go into `Docker > Preferences`, and set `Resources > Proxies` to 
+  - "Manual proxy configuration" to ON
+    - HTTP proxy: `http://192.168.1.2:3128/`
+    - HTTPS proxy: `http://192.168.1.2:3128/`
+  - (Optional) I also recommend "Enable CLI experimental features" under "Experimental Features" (since I use `buildx` a lot)
+  - Click button "Apply & Restart", wait for it to restart.
+- Try a `docker pull` now. It should be using the proxy (watch the logs on the proxy server).
+- Important: **push**es done with this configured will either not work, or use the auth you configured on the proxy, if any. Beware, and report back.  
+  
+
+# Using Docker Desktop for Mac to both host the proxy server and use it as a client
+
+@TODO: This has a bunch of chicken-and-egg issues. 
+
+You need to pre-pull the proxy itself and `justincormack/nsenter1`.
+
+Then set up the proxy server, and then follow the instructions above (without the Factory Reset).
+
+Do NOT use 127.0.0.1, instead use your machine's local LAN IP address. (Hint: there's a good chance 192.168.64.1 is useable, due the the way Docker Desktop for Mac sets networking up).
+
+Make sure to bring the proxy up after applying/restarting the Docker Engine.
diff --git a/README.md b/README.md
@@ -73,7 +73,7 @@ for this to work it requires inserting a root CA certificate into system trusted
 - Since 0.5.x, they both carry the same images
 - This can be useful if you're already hitting DockerHub's rate limits and can't pull the proxy from DockerHub
 
-## Usage
+## Usage (running the Proxy server)
 
 - Run the proxy on a host close (network-wise: high bandwidth, same-VPC, etc) to the Docker clients
 - Expose port 3128 to the network
@@ -163,7 +163,11 @@ docker run --rm --name docker_registry_proxy -it \
        rpardini/docker-registry-proxy:0.6.0
 ```
 
-## Configuring the Docker clients / Kubernetes nodes
+## Configuring the Docker clients using Docker Desktop for Mac
+
+Separate instructions for Mac clients available in [this dedicated Doc Desktop for Mac document](Docker-for-Mac.md).
+
+## Configuring the Docker clients / Kubernetes nodes / Linux clients
 
 Let's say you setup the proxy on host `192.168.66.72`, you can then `curl http://192.168.66.72:3128/ca.crt` and get the proxy CA certificate.
 
@@ -254,6 +258,8 @@ Yeah. Docker Inc should do it. So should NPM, Inc. Wonder why they don't. 😼
 
 ### TODO:
 
+- [x] Basic Docker-for-Mac set-up instructions
+- [ ] Basic Docker-for-Windows set-up instructions. 
 - [ ] Test and make auth work with quay.io, unfortunately I don't have access to it (_hint, hint, quay_)
 - [x] Hide the mitmproxy building code under a Docker build ARG.
 - [ ] "Developer Office" proxy scenario, where many developers on a fast LAN share a proxy for bandwidth and speed savings (already works for pulls, but messes up pushes, which developers tend to use a lot)
