$ docker pull alpine
Using default tag: latest
Error response from daemon: Get https://registry-1.docker.io/v2/library/alpine/manifests/latest: Get https://auth.docker.io/token?scope=repository%3Alibrary%2Falpine%3Apull&service=registry.docker.io: dial tcp: lookup auth.docker.io on 192.168.65.1:53: no such host
I have the same issue since about 30 Minutes - on one of my macs running docker 1.12.0-rc. The other mac, running the same version of docker, is fine.
The only difference in
`docker info`
is
failing mac:
Network: bridge overlay null host
working mac:
Network: overlay bridge null host
Same issue.
Docker for Mac: version: mac-v1.12.0-beta16.2
OS X: version 10.11.4 (build: 15E65)
Plugins:
Volume: local
Network: null host bridge overlay
So I’ve done a bit of research on this today (that is most of my day has been taken up in researching this).
My findings thus far:
- This has something to do with the EDNS record sizes returned for
auth.docker.io
and the new Alpine 3.4 based moby image. Previous versions of moby on my network do not have the issue - The error that I get is a failure to connect to the embedded DNS server in docker via TCP
- On my network, I am getting EDNS truncated responses back which should cause the DNS resolver to failover to TCP queries
- Alpine 3.4 does not have a problem with truncated issues on its own, so I’m guessing that the main issue here is lack of full EDNS/TCP support in the embedded docker DNS server, which seems to cause an issue when issuing a docker login/pull or anything else asking to resolve auth.docker.io since the record seems to be longer than the docker embedded DNS server can handle.
- When I am in the moby instance, I can not resolve auth.docker.io with the default settings:
moby:~# nslookup auth.docker.io
;; Truncated, retrying in TCP mode.
;; Connection to 192.168.65.1#53(192.168.65.1) for auth.docker.io failed: connection refused.
If I change the DNS server to 8.8.8.8, I do not have a problem:
moby:~# cat /etc/resolv.conf
search local
nameserver 8.8.8.8
moby:~# nslookup auth.docker.io
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
auth.docker.io canonical name = elb-registry.us-east-1.aws.dckr.io.
elb-registry.us-east-1.aws.dckr.io canonical name = us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com.
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 52.73.165.108
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 52.203.219.86
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 52.71.80.248
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 54.172.251.194
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 52.71.245.229
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 54.164.225.120
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 52.72.94.105
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 54.174.255.71
I’m not quite sure why the results are being truncated as the resolver for my laptop has a max-udp-size
and edns-udp-size
of 4096
. What that is material to the cause of the truncated EDNS UDP packets, it is not as much of a problem as Docker’s embedded DNS server running at 192.168.65.1
doesn’t seem to be listening for DNS queries via TCP.
TCP Resolver support was added to libnetwork in January and tagged in v0.8.0-dev.2:
I’ve confirmed that TCP resolution support is available in v1.12.0-rc2:
I found this interesting entry from my local system.log when I was trying to manually connect to 192.168.65.1:53 from moby:
Jun 28 09:36:34 gmr-work Docker[9291]: TCP 192.168.65.1:53 > 192.168.65.2:33576 rejected: Socket.TCPV4.connect_v4 127.0.0.1:53: Lwt_unix.connect: caught Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
And just confirmed it’s the same message when trying to do a docker pull:
6/28/16 9:46:11.991 AM Docker[9291]: TCP 192.168.65.1:53 > 192.168.65.2:33584 rejected: Socket.TCPV4.connect_v4 127.0.0.1:53: Lwt_unix.connect: caught Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
Same problem:
$ docker pull elasticsearch
Using default tag: latest
Error response from daemon: Get https://registry-1.docker.io/v2/library/elastic/manifests/latest: Get https://auth.docker.io/token?scope=repository%3Alibrary%2Felasticsearch%3Apull&service=registry.docker.io: dial tcp: lookup auth.docker.io on 192.168.65.1:53: dial tcp 192.168.65.1:53: getsockopt: connection refused
With:
$ docker info
Containers: 4
Running: 0
Paused: 0
Stopped: 4
Images: 56
Server Version: 1.12.0-rc2
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 171
Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: null bridge host overlay
Swarm: inactive
Runtimes: default
Default Runtime: default
Security Options: seccomp
Kernel Version: 4.4.13-moby
Operating System: Alpine Linux v3.4
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.857 GiB
Name: moby
ID: CLXF:UMHV:G5PH:VQD6:KPLH:WO2G:O622:XVTA:QSJZ:UE5Z:IQBS:KBIY
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
File Descriptors: 21
Goroutines: 28
System Time: 2016-06-28T18:08:22.566930679Z
EventsListeners: 1
No Proxy: *.local, 169.254/16
Registry: https://index.docker.io/v1/
Experimental: true
Insecure Registries:
127.0.0.0/8
Setting 8.8.8.8 as the fist DNS entry fixes the problem on my machine (OS X).
When I move the entry again down to the second position I can reproduce the issue.
Got the same issue on my docker and as tala wrote - setting google dns as primary dns will fix the issue.
@zzkpl it fixes the issue if you don’t need to both private and public DNS resolution.
Yep. I am seeing the same problem as OP when installing the Docker for Mac Beta over an old installation of Docker Machine + Virtualbox, and when I add nameserver 8.8.8.8
as the first entry to /etc/resolv.conf I get:
$ docker pull centos:7
Pulling repository docker.io/library/centos
Network timed out while trying to connect to https://index.docker.io/v1/repositories/library/centos/images. You may want to check your internet connection or if you are behind a proxy.
I do not know what kind of DNS set up there is in my office (or much about networking if I’m being brutally honest), but I do know that using Docker Machine + Virtualbox works without any issues at all, and also that Docker for Mac Beta works on my home network (with the same laptop) without any issues.
Does anybody know if there is an issue for this already up on GitHub?
As others have said - I cannot set my Mac to use external DNS resolvers due to the requirement to access internal private DNS names.
Same problem in the newly released Docker 1.12.0-rc2-beta17.
Diagnostic ID 53B3B648-9D14-4757-B023-2DB47E4080B7
docker pull alpine
Using default tag: latest
Error response from daemon: Get https://registry-1.docker.io/v2/library/alpine/manifests/latest: Get https://auth.docker.io/token?account=gavinmroy&scope=repository%3Alibrary%2Falpine%3Apull&service=registry.docker.io: dial tcp: lookup auth.docker.io on 192.168.65.1:53: no such host
In moby:
Welcome to Moby alpha
Kernel 4.4.14-moby on an x86_64 (/dev/ttyS0)
## .
## ## ## ==
## ## ## ## ## ===
/"""""""""""""""""___/ ===
~~~ {~~ ~~~~ ~~~ ~~~~ ~~~ ~ / ===- ~~~
\______ o __/
\ \ __/
\____\_______/
moby login: root
Welcome to the Moby alpha, based on Alpine Linux.
moby:~# nslookup auth.docker.io
;; Truncated, retrying in TCP mode.
;; Connection to 192.168.65.1#53(192.168.65.1) for auth.docker.io failed: connection refused.
And bypassing 192.168.65.1:53
moby:~# nslookup auth.docker.io 10.10.4.105
;; Truncated, retrying in TCP mode.
Server: 10.10.4.105
Address: 10.10.4.105#53
Non-authoritative answer:
auth.docker.io canonical name = elb-registry.us-east-1.aws.dckr.io.
elb-registry.us-east-1.aws.dckr.io canonical name = us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com.
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 52.20.128.116
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 52.205.32.238
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 54.84.250.150
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 54.84.25.27
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 52.3.139.208
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 54.88.91.189
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 52.1.193.204
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 52.200.180.22
And
moby:~# nslookup auth.docker.io 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
auth.docker.io canonical name = elb-registry.us-east-1.aws.dckr.io.
elb-registry.us-east-1.aws.dckr.io canonical name = us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com.
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 52.205.32.238
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 52.20.128.116
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 52.200.180.22
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 54.88.91.189
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 52.3.139.208
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 54.84.25.27
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 54.84.250.150
Name: us-east-1-elbregis-10fucsvj1tcgy-133821800.us-east-1.elb.amazonaws.com
Address: 52.1.193.204
From system log:
6/29/16 3:19:42.934 PM Docker[17247]: TCP 192.168.65.1:53 > 192.168.65.2:38037 rejected: Socket.TCPV4.connect_v4 127.0.0.1:53: Lwt_unix.connect: caught Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
Do we know if anything is happening with this issue?
Seems to have to do with custom DNS in the host’s (mac’s) network settings. Seems like there’s still a bug in that the docker VM isn’t trying other DNS entries.
@twhid Unfortunately it is not solved.
The crux of the issue is that Docker’s DNS server is not listening or reachable via TCP.
I just confirmed that 1.12.0-rc3-beta18 does not solve this.
I created a GitHub issue which I should have done last week
Version 1.12.0-rc3-beta18 (build: 9969) appears to have fixed the problem for me on both my Macs.
It appears to working for me as well.
I’m seeing this issue as well using version 1.12.0-rc3-beta18 (build: 9996). Thanks @gavinmroy for entering that issue.
Maybe this is the fix: https://github.com/docker/vpnkit/pull/72
However, a hacky workaround for the time being is to do an SSH tunnel so that you get a local TCP DNS:
sudo ssh somebody@some-computer -L 53:your.dns.server.ip.address:53
Has this issue been resolved ? I am getting a similar error communicating with private v1 registry
I just downloaded the stable version for Docker on Mac with 1.12 and I am still seeing that error.
dial tcp: lookup private.registry on 192.168.65.1:53: no such host
Thanks for the information. I got same error with latest docker for mac.
Version 1.12.0-beta22 (build: 11222)
Could you tell me how to login moby?