Docker pull i/o timeout and connection reset by peer - Linux Ubuntu 22.04

neongreendreaming · July 9, 2024, 5:19am

Hi there, recently started getting this issue - not sure how to resolve.

Description
Running docker pull hello-world fails with:

Using default tag: latest
latest: Pulling from library/hello-world
c1ec31eb5944: Retrying in 1 second 
error pulling image configuration: download failed after attempts=6: read tcp [2409:8a1e:1651:4a1:8f56:1e44:973a:3466]:55520->[2a03:2880:f131:83:face:b00c:0:25de]:443: read: connection reset by peer

Sometimes the error is also read: i/o timeout

Docker info

>>> docker info

Client: Docker Engine - Community
 Version:    26.1.3
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.14.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.27.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 2
  Running: 0
  Paused: 0
  Stopped: 2
 Images: 2
 Server Version: 26.1.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2 nvidia
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8b3b7ca2e5ce38e8f31a34f35b2b68ceb8470d89
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.5.0-41-generic
 Operating System: Linux Mint 21.3
 OSType: linux
 Architecture: x86_64
 CPUs: 32
 Total Memory: 62.55GiB
 Name: alex-MS-7D89
 ID: 917b4a32-abcf-4ac7-8716-a5907f6035da
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Docker status

>>> systemctl status docker

● docker.service - Docker Application Container Engine
     Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-07-09 12:14:41 CST; 48min ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 15196 (dockerd)
      Tasks: 35
     Memory: 39.7M
        CPU: 2.714s
     CGroup: /system.slice/docker.service
             └─15196 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

Proxy setup:

>>> set | grep -i proxy

ALL_PROXY=https://127.0.0.1:7890/
HTTPS_PROXY=http://127.0.0.1:7890/
HTTP_PROXY=http://127.0.0.1:7890/
NO_PROXY=localhost,127.0.0.0/8,::1
all_proxy=https://127.0.0.1:7890/
http_proxy=http://127.0.0.1:7890/
https_proxy=http://127.0.0.1:7890/
no_proxy=localhost,127.0.0.0/8,::1
socks_proxy=https://127.0.0.1:7891/

DNS Check Docker.io:

>>> nslookup auth.docker.io
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	auth.docker.io
Address: 3.219.239.5
Name:	auth.docker.io
Address: 34.226.69.105
Name:	auth.docker.io
Address: 54.196.99.49
Name:	auth.docker.io
Address: 2600:1f18:2148:bc01:20a3:9c3e:d4a7:9fb
Name:	auth.docker.io
Address: 2600:1f18:2148:bc02:2640:1b90:cea6:b6b5
Name:	auth.docker.io
Address: 2600:1f18:2148:bc00:41e1:f57f:e2e2:5e54

Curl request to docker.io:

>>> curl -v https://index.docker.io:443

* Uses proxy env variable no_proxy == 'localhost,127.0.0.0/8,::1'
* Uses proxy env variable https_proxy == 'http://127.0.0.1:7890/'
*   Trying 127.0.0.1:7890...
* Connected to (nil) (127.0.0.1) port 7890 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to index.docker.io:443
> CONNECT index.docker.io:443 HTTP/1.1
> Host: index.docker.io:443
> User-Agent: curl/7.81.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< 
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.docker.com
*  start date: Apr  4 00:00:00 2024 GMT
*  expire date: May  3 23:59:59 2025 GMT
*  subjectAltName: host "index.docker.io" matched cert's "*.docker.io"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M03
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/1.1
> Host: index.docker.io
> User-Agent: curl/7.81.0
> Accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< date: Tue, 09 Jul 2024 04:52:45 GMT
< content-type: text/html; charset=utf-8
< transfer-encoding: chunked
< x-xss-protection: 1; mode=block
< x-docker-correlation-id: 133e0cbd-4ce0-46b0-a652-8bf8810bbcb2
< x-docker-app-version: v4513.0.0
< accept-ch: Sec-CH-Prefers-Color-Scheme
< vary: Sec-CH-Prefers-Color-Scheme, Accept-Encoding
< x-frame-options: deny
< x-content-type-options: nosniff
< strict-transport-security: max-age=31536000

Domain info

>>> dig dseasb33srnrn.cloudfront.net

; <<>> DiG 9.18.24-0ubuntu0.22.04.1-Ubuntu <<>> dseasb33srnrn.cloudfront.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12646
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dseasb33srnrn.cloudfront.net.	IN	A

;; ANSWER SECTION:
dseasb33srnrn.cloudfront.net. 60 IN	A	54.192.16.28
dseasb33srnrn.cloudfront.net. 60 IN	A	54.192.16.154
dseasb33srnrn.cloudfront.net. 60 IN	A	54.192.16.208
dseasb33srnrn.cloudfront.net. 60 IN	A	54.192.16.78

;; Query time: 64 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Tue Jul 09 13:00:24 CST 2024
;; MSG SIZE  rcvd: 121

Does anyone know what else I can try to narrow down the range of issues so I can diagnose the problem?
Any help appreciated, thanks!

Topic		Replies	Views
Error response from daemon: read: connection reset by peer General	1	1375	December 15, 2022
Docker Hub : Unable to pull container: "connection reset by peer" Docker Hub dockerhub , ubuntu	3	1967	August 26, 2024
Docker Pull - connection reset by peer Docker Hub	2	5268	August 22, 2024
Read: connection reset by peer Docker Hub	1	1509	March 13, 2024
Getting "connection reset by peer" when trying to pull Docker images Docker Hub	0	1131	April 22, 2022