feat(docker): Support corporate proxies and package mirror overrides for base image builds. #1991

Merged
jackluo923 merged 17 commits into y-scope:main from jackluo923:feat/docker-corporate-proxy-support
Mar 7, 2026

Member

@jackluo923 jackluo923 commented Feb 13, 2026

Description

Docker base image builds fail in corporate environments where TLS-intercepting proxies (e.g., Zscaler, Fortinet, Palo Alto) replace upstream SSL certificates with the organization's own CA. Package managers (dnf, apk, apt, pip) reject the proxy's certificate because it isn't in the container's trust store.

This PR adds proper corporate proxy support to all 6 base image variants by:

  1. CA certificate injection — build.sh auto-detects the host's CA bundle and copies it into the Docker build context. An in-container script (setup-corporate-proxy.sh) installs it into the system trust store. When no corporate CA is present, this is a no-op.

  2. Python/pip trust store override — ENV vars (SSL_CERT_FILE, CURL_CA_BUNDLE, REQUESTS_CA_BUNDLE, PIP_CERT) point pip/pipx at the system trust store instead of certifi's bundled CA store.

  3. Proxy env var forwarding — HTTP_PROXY, HTTPS_PROXY, NO_PROXY, ALL_PROXY are forwarded as Docker build args.

  4. Package mirror overrides — Each distro supports an env var to override default mirrors (for organization-internal or regional mirrors):

    • DNF_MIRROR_BASE_URL for manylinux_2_28 (AlmaLinux) and centos-stream-9
    • APK_MIRROR_URL for musllinux_1_2 (Alpine)
    • APT_MIRROR_URL for ubuntu-jammy

  5. Docker network mode — Auto-enables --network host when proxy URLs point to localhost/127.0.0.1. Explicit override via DOCKER_NETWORK env var.

  6. DOCKER_PULL=true — Opt-in flag to force-pull the latest base image.

  7. Error hints — On install-all.sh failure, displays a helpful banner suggesting mirror override if the error is network-related.

All changes are backward-compatible. Without proxy env vars or mirror overrides, builds work identically to before.

Checklist

  • The PR satisfies the contribution guidelines.
  • This is a breaking change and that has been indicated in the PR title, OR this isn't a breaking change.
  • Necessary docs have been updated, OR no docs need to be updated.

Validation performed

  • Built manylinux_2_28-aarch64 image successfully with mirror override (DNF_MIRROR_BASE_URL=<url> ./build.sh)
  • Verified setup-corporate-proxy.sh is a no-op when no CA bundle is provided (CI-safe — the GitHub Actions workflow uses docker/build-push-action directly, bypassing build.sh)
  • Verified error hint banner displays on install-all.sh failure
  • Verified --network host is only added when proxy URLs contain localhost/127.0.0.1

Summary by CodeRabbit

Release Notes

  • New Features

    • Added corporate proxy support to Docker image builds with automatic CA certificate handling
    • Introduced optional mirror URL overrides for package managers (DNF, APK, APT) to support restricted network environments
    • Added support for custom CA certificates to enable TLS verification behind corporate proxies
  • Improvements

    • Enhanced installation error handling with actionable guidance when package installation fails

@jackluo923 jackluo923 requested a review from a team as a code owner February 13, 2026 23:36
Contributor

coderabbitai Bot commented Feb 13, 2026

Walkthrough

Adds corporate-proxy support and optional mirror overrides to multiple Docker base-image builds by introducing a proxy helper, a CA installer, updated Dockerfiles that stage host CA and set system CA env vars, and build scripts that inject proxy/mirror build args and finalize builds.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Proxy Support Infrastructure<br>`components/core/tools/docker-images/proxy-lib.sh`, `components/core/tools/scripts/lib_install/setup-corporate-proxy.sh`, `components/core/tools/scripts/lib_install/.gitignore` | New proxy helper and CA installer: detect and stage host CA bundle into build context, prepare/cleanup CA file, inject proxy and optional mirror build-args, choose docker network mode, finalize/execute builds; .gitignore updated to ignore staged CA. |
| CentOS Stream 9<br>`components/core/tools/docker-images/clp-env-base-centos-stream-9/Dockerfile`, `components/core/tools/docker-images/clp-env-base-centos-stream-9/build.sh` | Runs setup-corporate-proxy.sh in-image, sets SSL/CURL/PIP env vars, adds DNF_MIRROR_BASE_URL support with conditional repo baseurl rewrite and cache refresh, wraps install step with failure guidance, and routes builds through finalize_build (removes unconditional --pull and inline git labels). |
| Manylinux (aarch64 & x86_64)<br>`components/core/tools/docker-images/clp-env-base-manylinux_2_28-*/Dockerfile`, `components/core/tools/docker-images/clp-env-base-manylinux_2_28-*/build.sh` | Adds corporate CA install and system CA env vars, supports DNF_MIRROR_BASE_URL repo override and dnf cache refresh, improves install failure messaging, and uses finalize_build for builds (removed --pull and inline labels). |
| Musllinux (aarch64 & x86_64)<br>`components/core/tools/docker-images/clp-env-base-musllinux_1_2-*/Dockerfile`, `components/core/tools/docker-images/clp-env-base-musllinux_1_2-*/build.sh` | Runs setup-corporate-proxy.sh, sets system CA env vars, adds APK_MIRROR_URL ARG with conditional apk update, wraps install with failure guidance, and invokes builds via finalize_build (removed --pull and inline labels). |
| Ubuntu Jammy<br>`components/core/tools/docker-images/clp-env-base-ubuntu-jammy/Dockerfile`, `components/core/tools/docker-images/clp-env-base-ubuntu-jammy/build.sh` | Runs setup-corporate-proxy.sh in-image, configures system CA env vars, adds APT_MIRROR_URL ARG with conditional apt-get update, sets pipx env vars, improves install failure handling, and routes builds through finalize_build (removed unconditional --pull and inline labels). |

Sequence Diagram(s)

```mermaid
sequenceDiagram
rect rgba(46,125,50,0.5)
participant Dev as Developer/CI
end
rect rgba(33,150,243,0.5)
participant BuildScript as build.sh
participant ProxyLib as proxy-lib.sh
participant HostFS as Host CA bundle
end
rect rgba(255,87,34,0.5)
participant DockerDaemon as Docker daemon
participant Dockerfile as Dockerfile / Container
end

Dev->>BuildScript: invoke build (env: HTTP_PROXY, DNF_MIRROR_BASE_URL, DOCKER_PULL...)
BuildScript->>ProxyLib: source functions (prepare_ca_cert_for_build, add_proxy_build_args)
ProxyLib->>HostFS: detect_ca_bundle()
ProxyLib->>BuildScript: copy CA into build context (`lib_install/ca-certificates.crt`)
BuildScript->>ProxyLib: build_cmd + finalize_build(build_cmd, script_dir, MIRROR_URL)
ProxyLib->>DockerDaemon: execute docker build with injected --build-arg (proxies, NO_PROXY, MIRROR), network mode
DockerDaemon->>Dockerfile: run image build steps (includes setup-corporate-proxy.sh)
Dockerfile->>Dockerfile: install CA into container trust store; set SSL_CERT_FILE/CURL/PIP env vars
Dockerfile->>Dockerfile: optionally rewrite repos using MIRROR_URL; run install-all.sh
Dockerfile->>DockerDaemon: build completes / failure (errors surfaced)
ProxyLib->>BuildScript: cleanup_ca_cert()
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Merge Conflict Detection | ✅ Passed | ✅ No merge conflicts detected when merging into main |
| Title check | ✅ Passed | The title accurately reflects the main feature added: corporate proxy support and package mirror overrides for Docker base image builds across all variants. |

Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@components/core/tools/docker-images/clp-env-base-ubuntu-jammy/Dockerfile`:
- Around line 28-36: The sed replacement in the Dockerfile block that runs when
ARG APT_MIRROR_URL is set only matches "http://" and should be made
protocol-agnostic; update the sed expressions used in the RUN (the sed -i ...
/etc/apt/sources.list invocation) to match both http and https (e.g., use a
pattern that allows an optional "s" after "http") so the mirror override works
for HTTPS mirrors, then leave the apt-get update and conditional logic (ARG
APT_MIRROR_URL and the surrounding RUN) unchanged.

In `@components/core/tools/docker-images/proxy-lib.sh`:
- Around line 22-38: detect_ca_bundle currently only scans hardcoded file paths
and misses user-specified bundles; update the detect_ca_bundle function to first
check the SSL_CERT_FILE environment variable (e.g., if [[ -n
"${SSL_CERT_FILE:-}" && -f "${SSL_CERT_FILE}" ]] then echo it and return 0)
before iterating the ca_paths array so any custom or corporate CA bundle pointed
to by SSL_CERT_FILE is used with priority.

Comment thread components/core/tools/docker-images/proxy-lib.sh
@jackluo923 jackluo923 force-pushed the feat/docker-corporate-proxy-support branch from 869010c to 8eb4d74 Compare February 13, 2026 23:44
…e image builds

Add proper CA certificate injection, proxy env var forwarding, package
mirror overrides, and build convenience flags to all 6 Docker base image
variants. Builds behind TLS-intercepting proxies now work without
disabling SSL verification.
@jackluo923 jackluo923 force-pushed the feat/docker-corporate-proxy-support branch from 8eb4d74 to 1a7f65b Compare February 13, 2026 23:46
@jackluo923
Member Author

Addressed both review comments:

  1. Ubuntu Dockerfile sed patterns — Updated to use https\?:// to match both http and https protocols for future compatibility.

  2. detect_ca_bundle SSL_CERT_FILE support — Now checks ${SSL_CERT_FILE:-} as the first priority before scanning hardcoded paths, so user/corporate CA bundle overrides are respected.

Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In
`@components/core/tools/docker-images/clp-env-base-musllinux_1_2-x86_64/Dockerfile`:
- Around line 27-31: The sed invocation that replaces the default repository URL
using ARG APK_MIRROR_URL can break if the user-supplied APK_MIRROR_URL contains
the '|' delimiter; modify the RUN block that contains the sed command so it
first validates/handles that case: either choose a safer delimiter (e.g., '@' or
use awk/printf to rewrite /etc/apk/repositories) or add a guard that checks
APK_MIRROR_URL for '|' and fails early with a clear error, ensuring the
replacement step (the sed/rewriting of /etc/apk/repositories) only runs when the
value is safe.

In `@components/core/tools/docker-images/proxy-lib.sh`:
- Around line 97-104: The git commands can emit errors to stderr when not in a
repo; update the checks and label retrievals to suppress stderr by redirecting
it (e.g., add 2>/dev/null) for the git invocations used in the condition and
when setting labels (the calls to git -C "$script_dir" rev-parse
--is-inside-work-tree, git -C "$script_dir" rev-parse HEAD and git -C
"$script_dir" remote get-url origin) so the conditional still detects a worktree
but any error output is discarded and build output stays clean.

@jackluo923
Member Author

Addressed the second round of review comments:

  1. git rev-parse stderr suppression — Applied. Added 2>&1 to suppress error output when building from a source tarball outside a git repo. (4372040)

  2. sed | delimiter collision in APK_MIRROR_URL — Dismissed. The pipe character | is not a valid URL character, so this scenario cannot occur in practice. Adding a guard would be over-defensive for an impossible input.

Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@components/core/tools/docker-images/proxy-lib.sh`:
- Around line 130-137: The localhost check in the loop over proxy_vars (used to
set _build_cmd and has_localhost_proxy) currently regex-matches any value
containing "localhost" and misses IPv6 [::1]; change the conditional to only
match exact loopback addresses (allowing optional :port) such as "localhost",
"127.0.0.1", or "[::1]" (e.g. regex like
^(\[::1\]|localhost|127\.0\.0\.1)(:[0-9]+)?$) so hostnames containing
"localhost" don't false-match and IPv6 loopback is detected; update the
conditional that sets has_localhost_proxy accordingly while leaving the rest of
the loop logic intact.
- Around line 97-104: The git remote URL lookup can fail and produce an empty
label; update the block that populates _build_cmd_ref (the commands using git -C
"$script_dir" rev-parse HEAD and git -C "$script_dir" remote get-url origin) to
silence stderr and/or verify the origin remote exists before adding the source
label: run the rev-parse and remote get-url commands with stderr redirected to
/dev/null (or test for the remote with git -C "$script_dir" remote get-url
origin >/dev/null 2>&1 or git -C "$script_dir" remote show origin >/dev/null
2>&1) and only append the org.opencontainers.image.source label if the remote
lookup succeeds, keeping the rev-parse HEAD label behavior consistent.

Comment thread components/core/tools/docker-images/proxy-lib.sh
Comment thread components/core/tools/docker-images/proxy-lib.sh
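
The exact-match loopback check requested in the review above, as an added example that is not code from proxy-lib.sh. The function names and the argument order of `choose_network_mode` are hypothetical, and the sample URLs are constructed.

```sh
#!/bin/sh
# Added example, not the project's code. Decides whether a proxy URL points at
# the build host's loopback interface by comparing the parsed host exactly,
# so "proxy.localhost.corp.example" does not match and "[::1]" does.

# proxy_host URL
# Print only the lower-cased host: scheme, userinfo, port and path removed.
proxy_host() {
    local rest="$1"
    case "$rest" in *://*) rest="${rest#*://}" ;; esac     # scheme
    rest="${rest%%[/?#]*}"                                 # path, query, fragment
    case "$rest" in *@*) rest="${rest##*@}" ;; esac        # user:password@
    case "$rest" in
        \[*\]*) rest="${rest#\[}"; rest="${rest%%\]*}" ;;  # [::1]:3128 -> ::1
        *:*)    rest="${rest%:*}" ;;                       # host:port -> host
    esac
    printf '%s\n' "$rest" | tr 'A-Z' 'a-z'
}

# is_loopback_proxy URL
# Succeeds only for the three loopback spellings named in the review.
is_loopback_proxy() {
    case "$(proxy_host "$1")" in
        localhost|127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# choose_network_mode OVERRIDE URL...
# Prints the docker network mode to use: the explicit override (the page's
# DOCKER_NETWORK) wins, otherwise "host" if any proxy URL is loopback,
# otherwise nothing (docker's default network).
choose_network_mode() {
    local override="$1" url
    shift
    if [ -n "$override" ]; then
        printf '%s\n' "$override"
        return 0
    fi
    for url in "$@"; do
        if is_loopback_proxy "$url"; then
            printf 'host\n'
            return 0
        fi
    done
    return 0
}

# Constructed sample values.
for url in "http://localhost:3128" "http://proxy.localhost.corp.example:8080" \
           "http://user:pw@[::1]:3128/"; do
    if is_loopback_proxy "$url"; then
        echo "$url -> loopback"
    else
        echo "$url -> remote"
    fi
done
```
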
Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@components/core/tools/docker-images/proxy-lib.sh`:
- Around line 49-61: The prepare_ca_cert_for_build function currently ignores
failures from cp and proceeds to touch the dest file; update it to propagate
errors by either enabling errexit locally or explicitly checking cp's exit
status: after detect_ca_bundle returns a path, attempt cp "$ca_bundle" "$dest"
and if cp fails, print an error to stderr (including $ca_bundle and $dest) and
return a non-zero status (or exit) so the caller/build fails; keep the existing
success and no-op branches for the no-bundle case and reference the
prepare_ca_cert_for_build and detect_ca_bundle symbols when making the change.

Comment thread components/core/tools/docker-images/proxy-lib.sh
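
Two review points on proxy-lib.sh combined in one added example (not the project's code): `SSL_CERT_FILE` takes priority in `detect_ca_bundle`, and `prepare_ca_cert_for_build` propagates a failed `cp`. The candidate path list, the `CA_BUNDLE_CANDIDATES` variable and the empty-placeholder behaviour when no bundle exists are assumptions.

```sh
#!/bin/sh
# Added example, not the project's proxy-lib.sh.

# Space-separated host bundle locations to probe (assumed list of common
# distro paths; override the variable to test with other locations).
CA_BUNDLE_CANDIDATES="${CA_BUNDLE_CANDIDATES:-/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/cert.pem}"

# detect_ca_bundle
# Print the CA bundle to stage. A readable file named by SSL_CERT_FILE wins
# over the probed paths, so a user-specified corporate bundle is respected.
detect_ca_bundle() {
    local path
    if [ -n "${SSL_CERT_FILE:-}" ] && [ -f "${SSL_CERT_FILE}" ]; then
        printf '%s\n' "$SSL_CERT_FILE"
        return 0
    fi
    for path in $CA_BUNDLE_CANDIDATES; do
        if [ -f "$path" ]; then
            printf '%s\n' "$path"
            return 0
        fi
    done
    return 1
}

# prepare_ca_cert_for_build DEST
# Copy the detected bundle to DEST inside the build context. A failed copy is
# reported and returned to the caller instead of being masked by a later step.
prepare_ca_cert_for_build() {
    local dest="$1" bundle
    if bundle="$(detect_ca_bundle)"; then
        if ! cp -- "$bundle" "$dest"; then
            echo "error: could not copy CA bundle $bundle to $dest" >&2
            return 1
        fi
        return 0
    fi
    # No bundle on the host: stage an empty placeholder (assumption) so a
    # COPY of the file in the Dockerfile still succeeds.
    : > "$dest"
}

# Show what would be staged on this host.
detect_ca_bundle || echo "no host CA bundle found"
```
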
Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@components/core/tools/scripts/lib_install/setup-corporate-proxy.sh`:
- Line 47: The file ends with the line rm "$ca_cert" but lacks the
POSIX-required trailing newline; update the script so that the last line (the rm
"$ca_cert" statement) is followed by a newline character (i.e., ensure the file
ends with a final blank line) so tools that expect newline-terminated files
behave correctly.

Comment thread components/core/tools/scripts/lib_install/setup-corporate-proxy.sh
@junhaoliao junhaoliao self-requested a review February 25, 2026 17:34
@junhaoliao junhaoliao added this to the February 2026 milestone Feb 25, 2026
Member

@junhaoliao junhaoliao left a comment

lgtm besides the posted questions. if time allows, let's add some docs in docs/src/dev-docs/tooling-containers.md in this PR or a future one

Comment thread components/core/tools/docker-images/proxy-lib.sh Outdated
Comment thread components/core/tools/docker-images/proxy-lib.sh Outdated
Comment thread components/core/tools/docker-images/proxy-lib.sh Outdated
Comment thread components/core/tools/docker-images/proxy-lib.sh Outdated
Comment thread components/core/tools/scripts/lib_install/setup-corporate-proxy.sh
Comment thread components/core/tools/docker-images/proxy-lib.sh
jackluo923 and others added 3 commits February 25, 2026 20:34
Co-authored-by: Junhao Liao <junhao@junhao.ca>
- Rename _build_cmd_ref to _build_cmd in finalize_build for consistency
- Default DOCKER_PULL to true to match prior build.sh behavior
- Extract git revision into a local variable for line-length compliance
- Add corporate proxy and mirror documentation to tooling-containers.md
Member

@junhaoliao junhaoliao left a comment

to fix MD060/table-column-style

(detectable by npx markdownlint-cli2 --fix docs/src/dev-docs/tooling-containers.md --config tools/yscope-dev-utils/exports/lint-configs/.markdownlint-cli2.yaml)

Comment thread docs/src/dev-docs/tooling-containers.md Outdated
Comment thread docs/src/dev-docs/tooling-containers.md Outdated
Comment thread docs/src/dev-docs/tooling-containers.md Outdated
@junhaoliao
Member

for the title, how about:

feat(docker): Support corporate proxies and package mirror overrides for base image builds.

junhaoliao and others added 4 commits February 27, 2026 17:22
Member

@junhaoliao junhaoliao left a comment

what do you think about the previously proposed title? i.e.,

feat(docker): Support corporate proxies and package mirror overrides for base image builds.

@jackluo923 jackluo923 changed the title from "feat(docker): Add corporate proxy support and mirror override for base image builds" to "feat(docker): Support corporate proxies and package mirror overrides for base image builds." Mar 7, 2026
@jackluo923 jackluo923 merged commit 194fbec into y-scope:main Mar 7, 2026
23 of 25 checks passed
@jackluo923 jackluo923 deleted the feat/docker-corporate-proxy-support branch March 7, 2026 08:45
@junhaoliao junhaoliao modified the milestones: February 2026, March 2026 Mar 7, 2026
@junhaoliao
Member

@coderabbitai create a bug report

components/core/tools/docker-images/clp-env-base-ubuntu-jammy/build.sh does not run successfully and the error seems related to the changes in this PR:

junhao@ASUS-X870E:~/workspace/8-clp/components/core/tools/docker-images/clp-env-base-ubuntu-jammy$ ./build.sh 
Corporate proxy support: copying CA bundle from /etc/ssl/certs/ca-certificates.crt
Running: docker build --tag clp-core-dependencies-x86-ubuntu-jammy:dev /home/junhao/workspace/8-clp/components/core/tools/docker-images/clp-env-base-ubuntu-jammy/../../../ --file /home/junhao/workspace/8-clp/components/core/tools/docker-images/clp-env-base-ubuntu-jammy/Dockerfile --pull --label org.opencontainers.image.revision=e3d23ee49a84b6eb3862d173c77d50611ff45bad --label org.opencontainers.image.source=https://github.com/y-scope/clp.git
[+] Building 1.4s (15/18)                                                            docker:default
 => [internal] load build definition from Dockerfile                                           0.0s
 => => transferring dockerfile: 2.82kB                                                         0.0s
 => resolve image config for docker-image://docker.io/docker/dockerfile:1                      0.4s
 => [auth] docker/dockerfile:pull token for registry-1.docker.io                               0.0s
 => CACHED docker-image://docker.io/docker/dockerfile:1@sha256:4a43a54dd1fedceb30ba47e76cfcf2  0.0s
 => => resolve docker.io/docker/dockerfile:1@sha256:4a43a54dd1fedceb30ba47e76cfcf2b47304f4161  0.0s
 => [internal] load metadata for docker.io/library/ubuntu:jammy                                0.3s
 => [auth] library/ubuntu:pull token for registry-1.docker.io                                  0.0s
 => [internal] load .dockerignore                                                              0.0s
 => => transferring context: 2B                                                                0.0s
 => [base 1/8] FROM docker.io/library/ubuntu:jammy@sha256:ce4a593b4e323dcc3dd728e397e0a866a1b  0.0s
 => => resolve docker.io/library/ubuntu:jammy@sha256:ce4a593b4e323dcc3dd728e397e0a866a1bf516a  0.0s
 => [internal] load build context                                                              0.1s
 => => transferring context: 246.91kB                                                          0.0s
 => CACHED [base 2/8] WORKDIR /root                                                            0.0s
 => [base 3/8] RUN mkdir -p ./tools/scripts/lib_install                                        0.2s
 => [base 4/8] COPY --link ./tools/scripts/lib_install ./tools/scripts/lib_install             0.1s
 => => merging                                                                                 0.0s
 => ERROR [base 5/8] RUN ./tools/scripts/lib_install/setup-corporate-proxy.sh                  0.1s
------                                                                                              
 > [base 5/8] RUN ./tools/scripts/lib_install/setup-corporate-proxy.sh:
0.126 setup-corporate-proxy: installing corporate CA certificates...
0.126 setup-corporate-proxy: WARNING: no recognized CA trust update tool found.
------
Dockerfile:13
--------------------
  11 |     # proxies (e.g., Zscaler, Fortinet, Palo Alto). No-op when not behind a
  12 |     # corporate proxy. See proxy-lib.sh for details.
  13 | >>> RUN ./tools/scripts/lib_install/setup-corporate-proxy.sh
  14 |     
  15 |     # Point pip/pipx and curl at the system trust store. By default, Python's
--------------------
ERROR: failed to build: failed to solve: process "/bin/sh -c ./tools/scripts/lib_install/setup-corporate-proxy.sh" did not complete successfully: exit code: 1

Contributor

coderabbitai Bot commented Mar 24, 2026

🧩 Analysis chain

Let me first read the relevant files to understand the build order and confirm the root cause before creating the bug report.


🏁 Script executed:

#!/bin/bash
echo "=== Ubuntu Jammy Dockerfile ==="
fd -e Dockerfile . components/core/tools/docker-images/clp-env-base-ubuntu-jammy --exec cat {}

echo ""
echo "=== setup-corporate-proxy.sh ==="
fd "setup-corporate-proxy.sh" components/core/tools/scripts/lib_install --exec cat {}

Length of output: 1871


The root cause is clear: setup-corporate-proxy.sh runs at build step 5/8 (before install-all.sh), but the Ubuntu Jammy base image does not ship ca-certificates (which provides update-ca-certificates) by default. So neither update-ca-trust nor update-ca-certificates is present when the script executes, causing the non-zero exit.

Creating the bug report now.


🏁 Script executed:

#!/bin/bash
gh issue create \
  --repo y-scope/clp \
  --title "bug(docker): setup-corporate-proxy.sh fails on Ubuntu Jammy — update-ca-certificates not available before package installation" \
  --body "## Description

\`components/core/tools/docker-images/clp-env-base-ubuntu-jammy/build.sh\` fails when \`setup-corporate-proxy.sh\` is executed inside the container build, with the following error:

\`\`\`
setup-corporate-proxy: installing corporate CA certificates...
setup-corporate-proxy: WARNING: no recognized CA trust update tool found.
ERROR: failed to build: failed to solve: process \"/bin/sh -c ./tools/scripts/lib_install/setup-corporate-proxy.sh\" did not complete successfully: exit code: 1
\`\`\`

## Root Cause

\`setup-corporate-proxy.sh\` is executed early in the Dockerfile (step 5/8), **before** \`install-all.sh\` runs. The script requires either \`update-ca-trust\` (RHEL/CentOS) or \`update-ca-certificates\` (Debian/Ubuntu) to be present. On Ubuntu Jammy, \`update-ca-certificates\` is provided by the \`ca-certificates\` package, which is **not pre-installed** in the \`ubuntu:jammy\` base Docker image. As a result, neither tool is available at the time the script runs, causing it to exit with code 1.

## Steps to Reproduce

\`\`\`bash
cd components/core/tools/docker-images/clp-env-base-ubuntu-jammy
./build.sh
\`\`\`

## Expected Behaviour

\`setup-corporate-proxy.sh\` should either install \`ca-certificates\` first (or have it pre-installed) before attempting to update the trust store, or gracefully handle the case where \`update-ca-certificates\` is not yet available by installing the package inline.

## Suggested Fix

In the Ubuntu Jammy Dockerfile, add an \`apt-get install -y --no-install-recommends ca-certificates\` step (or include it in the same \`RUN\` layer) before invoking \`setup-corporate-proxy.sh\`. This ensures \`update-ca-certificates\` is available when the proxy setup script executes.

Note: The Alpine-based images (musllinux_1_2) may have a similar issue depending on whether \`ca-certificates\` is pre-installed in the Alpine base image.

## References

- PR: https://github.com/y-scope/clp/pull/1991
- Reported by: \`@junhaoliao\`" \
  --assignee junhaoliao

Length of output: 42


@junhaoliao: I've filed the bug report at #2116.

Here's a summary of the root cause identified:

setup-corporate-proxy.sh runs early in the Dockerfile (step 5/8), before install-all.sh installs any packages. The script needs either update-ca-trust (RHEL/CentOS) or update-ca-certificates (Debian/Ubuntu) to be present, but the ubuntu:jammy base image does not ship ca-certificates (which provides update-ca-certificates) by default. Since neither tool exists yet when the script executes, it exits with code 1.

Suggested fix: Add apt-get install -y --no-install-recommends ca-certificates before invoking setup-corporate-proxy.sh in the Ubuntu Jammy Dockerfile — either as a preceding RUN step or inline in the same layer. The Alpine-based (musllinux_1_2) images may be worth checking for the same issue.


🧠 Learnings used
Learnt from: junhaoliao
Repo: y-scope/clp PR: 1242
File: components/core/tools/scripts/lib_install/ubuntu-jammy/install-prebuilt-packages.sh:39-41
Timestamp: 2025-08-25T00:45:05.464Z
Learning: Task v3.44.1 has a regression that breaks shell command processing, particularly rsync commands with brace expansion (e.g., `file.{d.ts,js,wasm}`). This causes CI failures in clp-ffi-js project (issue `#110`), so CLP should avoid v3.44.1 and use v3.44.0 instead, which fixes the dynamic variable bug without the shell processing regression.

Learnt from: quinntaylormitchell
Repo: y-scope/clp PR: 918
File: .github/workflows/clp-execution-image-build.yaml:77-97
Timestamp: 2025-05-26T16:03:05.519Z
Learning: In .github/workflows/clp-execution-image-build.yaml, the ubuntu-jammy-execution-image and ubuntu-noble-execution-image jobs are intentionally kept separate (rather than using a matrix strategy) to make it easier to remove individual platform versions when they reach end of life, such as when jammy eventually becomes obsolete.

Learnt from: junhaoliao
Repo: y-scope/clp PR: 1414
File: tools/docker-images/clp-package/Dockerfile:20-24
Timestamp: 2025-10-13T03:32:19.293Z
Learning: In the clp repository's Dockerfiles (e.g., tools/docker-images/clp-package/Dockerfile), ENV directives should be split into separate lines for readability rather than consolidated to reduce layer count. This is especially true for PATH modifications, as agreed upon in PR `#1166`. Later ENV settings may depend on earlier ones (e.g., referencing CLP_HOME).
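
The "handle it inline" behaviour the bug report above asks for, as an added example that is not the project's setup-corporate-proxy.sh. The function names, the optional ROOT prefix (for dry runs), the file name `corporate-ca.crt` and return code 3 are assumptions; the `apt-get install` command is the one suggested in the report.

```sh
#!/bin/sh
# Added example, not the project's script. Installs a staged CA bundle into
# the trust store and copes with a base image that has no updater tool yet.

# Print the first trust-store updater found on PATH; fail if there is none.
find_trust_tool() {
    local tool
    for tool in update-ca-trust update-ca-certificates; do
        if command -v "$tool" >/dev/null 2>&1; then
            printf '%s\n' "$tool"
            return 0
        fi
    done
    return 1
}

# Directory each updater scans for additional CA files.
anchor_dir_for() {
    case "$1" in
        update-ca-trust)        printf '%s\n' /etc/pki/ca-trust/source/anchors ;;
        update-ca-certificates) printf '%s\n' /usr/local/share/ca-certificates ;;
        *) return 1 ;;
    esac
}

# Print an available updater. On ubuntu:jammy the tool is missing until the
# ca-certificates package is installed, so install it inline when apt-get
# exists. Returns 3 when no updater can be provided.
ensure_trust_tool() {
    if find_trust_tool; then return 0; fi
    if command -v apt-get >/dev/null 2>&1; then
        apt-get update >&2 \
            && apt-get install -y --no-install-recommends ca-certificates >&2 \
            && find_trust_tool && return 0
    fi
    echo "setup: no CA trust update tool found and none could be installed" >&2
    return 3
}

# install_corporate_ca CERT [ROOT]
# No-op when CERT is missing or empty (no corporate CA staged). ROOT prefixes
# the anchor directory so the function can be exercised outside a container.
install_corporate_ca() {
    local cert="$1" root="${2:-}" tool dir
    [ -s "$cert" ] || return 0
    tool="$(ensure_trust_tool)" || return $?
    dir="${root}$(anchor_dir_for "$tool")"
    mkdir -p "$dir" && cp "$cert" "$dir/corporate-ca.crt" && "$tool" >&2
}

# With no staged bundle the call does nothing, whatever the image contains.
install_corporate_ca /nonexistent/ca.crt && echo "no staged bundle: nothing installed"
```
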
