126 changes: 125 additions & 1 deletion README.md
Expand Up @@ -645,6 +645,130 @@ If you configure external PostgreSQL or custom container registries, network acc

---


## 🌐 Proxy Configuration (Optional)

If your environment requires outbound traffic to go through an HTTP/HTTPS proxy, the deployment scripts support proxy configuration via standard environment variables.

This applies to:

- Downloading dependencies (packages, images)
- Podman image customization steps
- Container runtime behavior
- Systemd-managed services (Docker and Podman)

---

### πŸ”§ How to Configure a Proxy

Before running the installer (`bootstrap.sh`, `one-click.sh`, or `upgrade.sh`), export the required proxy environment variables in your shell.

Example:

```bash
export HTTP_PROXY=http://proxy.example.com:3128
export HTTPS_PROXY=http://proxy.example.com:3128
export NO_PROXY=localhost,127.0.0.1
```

Lowercase variants are also supported:

```bash
export http_proxy=http://proxy.example.com:3128
export https_proxy=http://proxy.example.com:3128
export no_proxy=localhost,127.0.0.1
```

Additional optional variables:

```bash
export FTP_PROXY=http://proxy.example.com:3128
export ALL_PROXY=http://proxy.example.com:3128
```

---

### ▢️ Running the Installer with Proxy

Once the variables are set, run the installer as normal:

```bash
./bootstrap.sh
```

or:

```bash
./one-click.sh
```

No additional flags or configuration are required.

---

### βš™οΈ What the Scripts Do Automatically

If proxy variables are detected, the automation will:

- Pass proxy settings into Podman build containers during image customization
- Inject proxy variables into systemd service definitions
- Ensure all runtime containers inherit the proxy configuration

If no proxy variables are set, the scripts behave exactly as normal with no changes to the deployment flow.

---

### πŸ” Verifying Proxy Configuration

Podman (rootless):

```bash
systemctl --user show-environment | grep -i proxy
```

Docker:

```bash
sudo systemctl show iriusrisk-docker | grep -i proxy
```

Check inside containers:

```bash
podman exec -it <container> env | grep -i proxy
```

or:

```bash
docker exec -it <container> env | grep -i proxy
```

---

### ⚠️ Notes and Best Practices

- Ensure your proxy allows access to:
- GitHub (github.com, raw.githubusercontent.com)
- Container registries (docker.io or your custom registry)
- OS package repositories
- Include internal services in NO_PROXY:
localhost,127.0.0.1,postgres,jeff,redis
- If using an external PostgreSQL database, include its host in NO_PROXY.

---

### πŸ“Œ Summary

| Scenario | Action |
|----------|--------|
| No proxy | No action needed |
| Proxy required | Export variables before running scripts |
| Already deployed | Restart systemd service after updating env vars |

---


### Fully Air-Gapped Environments

If outbound internet access is not allowed, deployment can still be performed using offline mode.
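Review bot: In the Verifying Proxy Configuration section, the Podman check `systemctl --user show-environment | grep -i proxy` reads the user manager's environment block, not the `Environment=` entries that the scripts inject into the service definition, so it can come back empty on a correctly configured host or show values the unit never receives. Suggest mirroring the Docker example with `systemctl --user show <unit> | grep -i proxy`. The Summary row "Already deployed" should also say whether the unit has to be regenerated by re-running the installer, since the README describes the proxy values as injected into the service definition rather than read from the shell at start time.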
Expand Down Expand Up @@ -703,4 +827,4 @@ The installation automatically detects the container engine and will use:

## πŸ“Ž Support & Docs

- [Hardware and Software Requirements for IriusRisk](https://enterprise-support.iriusrisk.com/s/article/Hardware-and-Software-Requirements-for-IriusRisk)
- [Hardware and Software Requirements for IriusRisk](https://enterprise-support.iriusrisk.com/s/article/Hardware-and-Software-Requirements-for-IriusRisk)
41 changes: 39 additions & 2 deletions scripts/functions.sh
Expand Up @@ -104,6 +104,37 @@ function refresh_base_images() {
export POSTGRES_BASE_IMAGE REDIS_BASE_IMAGE
}

function add_proxy_env_args() {
local -n podman_args_ref="$1"
local proxy_var proxy_value

for proxy_var in \
HTTP_PROXY HTTPS_PROXY NO_PROXY \
http_proxy https_proxy no_proxy \
FTP_PROXY ftp_proxy ALL_PROXY all_proxy; do
proxy_value="${!proxy_var:-}"
if [[ -n $proxy_value ]]; then
podman_args_ref+=(--env "${proxy_var}=${proxy_value}")
fi
done
}

function systemd_proxy_env_lines() {
local proxy_var proxy_value out=""

for proxy_var in \
HTTP_PROXY HTTPS_PROXY NO_PROXY \
http_proxy https_proxy no_proxy \
FTP_PROXY ftp_proxy ALL_PROXY all_proxy; do
proxy_value="${!proxy_var:-}"
if [[ -n $proxy_value ]]; then
out+=$'\n'"Environment=${proxy_var}=${proxy_value}"
fi
done

printf '%s' "$out"
}

function prompt_registry_settings() {
if [ "${OFFLINE:-0}" -eq 1 ]; then
echo "Offline mode detected."
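Review bot: In systemd_proxy_env_lines the value is emitted unquoted and unescaped as `Environment=${proxy_var}=${proxy_value}`. systemd splits unquoted `Environment=` content on whitespace and expands `%` specifiers, so a NO_PROXY list written with spaces after the commas, or a proxy URL containing percent-encoded characters such as `%40`, will be mis-parsed or rejected when the unit is loaded. Suggest emitting `Environment="VAR=value"` with `%` doubled to `%%` and any embedded `"` or `\` escaped. The ten-name variable list is also duplicated in add_proxy_env_args; a single shared array would keep the two functions in sync.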
Expand Down Expand Up @@ -702,6 +733,7 @@ function build_podman_secret_image() {
local run_as_user="${7:-}"
local commit_cmd="${8:-}"
local wrapper_file final_exec_file
local -a podman_create_args=()

local original_entrypoint_json original_cmd_json original_entrypoint_exec original_user

Expand Down Expand Up @@ -774,8 +806,11 @@ EOF
printf '\nexec "$@"\n' >>"$wrapper_file"
fi

add_proxy_env_args podman_create_args

podman rm -f "$tmp_name" 2>/dev/null || true
podman create \
"${podman_create_args[@]}" \
--name "$tmp_name" \
--user root \
--entrypoint /bin/sh \
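Review bot: `add_proxy_env_args podman_create_args` puts the proxy values on the `podman create` of the temporary container in build_podman_secret_image, a function that also takes a `commit_cmd` parameter. If that container is committed to produce the final image, variables set with `--env` at create time normally become part of the image config, so the proxy URL, including any embedded credentials, would persist in the image and show up in `podman inspect`. Please confirm this is intended and document it, or pass the proxy only to the customization command that needs network access. Separately, if these scripts run with `set -u`, expanding the empty array as `"${podman_create_args[@]}"` fails on bash older than 4.4 when no proxy variable is set.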
Expand Down Expand Up @@ -1381,6 +1416,8 @@ function detect_engine_ctx() {
NEED_DOCKER_CFG=""

local extra_registry_env=""
local proxy_env_lines
proxy_env_lines="$(systemd_proxy_env_lines)"
if [[ ${REGISTRY_URL:-docker.io} != "docker.io" || ${REGISTRY_NAMESPACE:-continuumsecurity/iriusrisk-prod} != "continuumsecurity/iriusrisk-prod" ]]; then
extra_registry_env=$'\nEnvironment=REGISTRY_URL='"${REGISTRY_URL}"$'\nEnvironment=REGISTRY_NAMESPACE='"${REGISTRY_NAMESPACE}"
fi
Expand All @@ -1394,7 +1431,7 @@ function detect_engine_ctx() {
SYSTEMCTL="sudo systemctl"
UNIT_AFTER=$'After=network.target docker.service'
UNIT_REQUIRES=$'Requires=docker.service'
UNIT_ENV_LINES=$'Environment=DOCKER_CONFIG=/etc/docker\nEnvironment=COMPOSE_INTERACTIVE_NO_CLI=1'"${extra_registry_env}"
UNIT_ENV_LINES=$'Environment=DOCKER_CONFIG=/etc/docker\nEnvironment=COMPOSE_INTERACTIVE_NO_CLI=1'"${extra_registry_env}${proxy_env_lines}"
NEED_DOCKER_CFG="true"
;;
podman)
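Review bot: Appending `${proxy_env_lines}` to UNIT_ENV_LINES places the proxy URLs in the unit as `Environment=` entries, and systemd exposes a unit's environment to unprivileged users through `systemctl show`. Where the proxy URL carries a username and password, that discloses the credential to every local account on the host. Suggest writing the proxy variables to a root-owned file with mode 0600 and referencing it with `EnvironmentFile=`, or at minimum documenting that authenticated proxy URLs should not be supplied this way. The same applies to the Podman branch that receives the identical change.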
Expand All @@ -1406,7 +1443,7 @@ function detect_engine_ctx() {
UNIT_AFTER=$'After=network-online.target
Wants=network-online.target'
UNIT_REQUIRES=""
UNIT_ENV_LINES=$'Environment=PODMAN_SYSTEMD_UNIT=%n'"${extra_registry_env}"
UNIT_ENV_LINES=$'Environment=PODMAN_SYSTEMD_UNIT=%n'"${extra_registry_env}${proxy_env_lines}"
;;
*)
echo "Unknown engine '$ENGINE'." >&2