Docker Community Forums

Share and learn in the Docker community.

Can't pull images behind authenticated proxy with version 17.12.1-ce or greater


(Synscan) #1

Issue type

Docker image pull failures on newer versions of Docker. These machines are behind an authenticated proxy which seems to be part of the problem as I do not have these issues with machines that are not behind a proxy.

OS Version/build

jessie/sid
Linux hostname 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

App version

Fails on 17.12.1-ce or greater

Steps to reproduce

Configure proxies in /etc/default/docker

export http_proxy="http://proxyUserDomain\proxyUser:proxyPass@ProxyServerIp:80/"
export https_proxy="https://proxyUserDomain\proxyUser:proxyPass@ProxyServerIp:80/"

Try pulling image with 17.12.0-ce or less

root@hostname:/var/log/upstart# docker -v
Docker version 17.12.0-ce, build c97c6d6

root@hostname:/var/log/upstart# docker pull us.gcr.io/my-priv-repo/my-image:1.0.2
1.0.2: Pulling from my-priv-repo/my-image
Digest: sha256:b8f02043f41767f29706f362e948ae02ee36a5902980f8fd6f823ec336789096
Status: Image is up to date for us.gcr.io/my-priv-repo/my-image:1.0.2

Upgrade to 17.12.1-ce or greater

root@hostname:/var/log/upstart# docker -v
Docker version 17.12.1-ce, build 7390fc6

root@hostname:/var/log/upstart# docker pull us.gcr.io/my-priv-repo/my-image:1.0.2
Error response from daemon: Get https://us.gcr.io/v2/: proxyconnect tcp: dial tcp: lookup https on DnsServerIp:53: server misbehaving

Results in odd DNS behavior with requests for https

19:04:30.756577 IP 10.10.10.36.35439 > my-dns-server.domain: 29458+ AAAA? https. (23)
19:04:30.756623 IP 10.10.10.36.41909 > my-dns-server.domain: 17142+ A? https. (23)
19:04:30.756698 IP my-dns-server.domain > 10.10.10.36.35439: 29458 ServFail 0/0/0 (23)
19:04:30.756760 IP 10.10.10.36.38132 > my-dns-server.domain.domain: 12564+ AAAA? https. (23)
19:04:30.756815 IP my-dns-server.domain > 10.10.10.36.41909: 17142 ServFail 0/0/0 (23)

I tried removing HTTPS from the equation by forcing insecure registries

{
“insecure-registries” : ["us.gcr.io"]
}

DNS error just went from HTTPS lookups to HTTP lookups

root@hostname:/var/log/upstart# docker pullus.gcr.io/my-priv-repo/my-image:1.0.2
Error response from daemon: Get http://us.gcr.io/v2/: proxyconnect tcp: dial tcp: lookup http on DnsServerIp:53: server misbehaving

Tried all versions up to and including the latest

root@hostname:/var/log/upstart# docker -v
Docker version 18.03.1-ce, build 9ee9f40

root@hostname:/var/log/upstart# docker pull us.gcr.io/my-priv-repo/my-image:1.0.2

Error response from daemon: Get https://us.gcr.io/v2/: proxyconnect tcp: dial tcp: lookup https on DnsServerIp:53: server misbehaving


(Synscan) #2

Can I bump this for visibility?


(Synscan) #3

If anyone comes across this thread I accidentally stumbled upon this post while looking for something else. Replace the “” in your domain creds with its encoded value “%5c”