Unable to run docker image behind proxy

Hi

I have installed Docker CE successfully, but I can’t run an image.

Here is my command:

$ docker run -it --rm -p 8080:8080 --name wiremock wiremock/wiremock:3.10.0
Unable to find image 'wiremock/wiremock:3.10.0' locally
docker: Error response from daemon: Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io on 127.0.0.53:53: server misbehaving.
See 'docker run --help'.

I’m on Lubuntu:

$ uname -a
Linux 6.8.0-41-generic #41-Ubuntu SMP PREEMPT_DYNAMIC Fri Aug  2 20:41:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04.1 LTS
Release:        24.04
Codename:       noble

I tried to configure the proxy:

$ cat /etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
Environment="HTTP_PROXY=http://<USER>:<PWD>@PROXY.com:8080"
Environment="HTTPS_PROXY=http://<USER>:<PWD>@PROXY.com:8080"
$ sudo systemctl status docker
● docker.service - Docker Application Container Engine
     Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/docker.service.d
             └─http-proxy.conf
     Active: active (running) since Tue 2024-12-17 08:32:07 CET; 3s ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 5235 (dockerd)
      Tasks: 10
     Memory: 20.4M (peak: 21.8M)
        CPU: 1.226s
     CGroup: /system.slice/docker.service
             └─5235 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

déc. 17 08:32:06 dockerd[5235]: time="2024-12-17T08:32:06.010986744+01:00" level=info msg="[graphdriver] using prior storage driver: overlay2"
déc. 17 08:32:06 dockerd[5235]: time="2024-12-17T08:32:06.011273754+01:00" level=info msg="Loading containers: start."
déc. 17 08:32:06 dockerd[5235]: time="2024-12-17T08:32:06.731406846+01:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Da>
déc. 17 08:32:07 dockerd[5235]: time="2024-12-17T08:32:07.002511254+01:00" level=info msg="Loading containers: done."
déc. 17 08:32:07 dockerd[5235]: time="2024-12-17T08:32:07.058484320+01:00" level=warning msg="WARNING: bridge-nf-call-iptables is disabled"
déc. 17 08:32:07 dockerd[5235]: time="2024-12-17T08:32:07.058870894+01:00" level=warning msg="WARNING: bridge-nf-call-ip6tables is disabled"
déc. 17 08:32:07 dockerd[5235]: time="2024-12-17T08:32:07.059377264+01:00" level=info msg="Docker daemon" commit=92a8393 containerd-snapshotter=false storage-driver>
déc. 17 08:32:07 dockerd[5235]: time="2024-12-17T08:32:07.059436913+01:00" level=info msg="Daemon has completed initialization"
déc. 17 08:32:07 dockerd[5235]: time="2024-12-17T08:32:07.137556496+01:00" level=info msg="API listen on /run/docker.sock"
déc. 17 08:32:07 systemd[1]: Started docker.service - Docker Application Container Engine.

When I try to call the registry from curl:

$ curl -vvvvvvv https://registry-1.docker.io/v2/
* Uses proxy env variable https_proxy == 'http://<USER>:<PWD>@PROXY.com:8080'
* Host PROXY.com:8080 was resolved.
* IPv6: (none)
* IPv4: X.X.X.X
*   Trying X.X.X.X:8080...
* Connected to PROXY.com (X.X.X.X) port 8080
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Proxy auth using Basic with user '<USER>'
* Establish HTTP proxy tunnel to registry-1.docker.io:443
> CONNECT registry-1.docker.io:443 HTTP/1.1
> Host: registry-1.docker.io:443
> Proxy-Authorization: Basic <USER>:<PWD>
> User-Agent: curl/8.5.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< Proxy-Agent: Proxy/1.0
< 
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / RSASSA-PSS
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=*.docker.com
*  start date: Sep  2 00:00:00 2024 GMT
*  expire date: Oct  1 23:59:59 2025 GMT
*  subjectAltName: host "registry-1.docker.io" matched cert's "*.docker.io"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M02
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> GET /v2/ HTTP/1.1
> Host: registry-1.docker.io
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< content-type: application/json
< docker-distribution-api-version: registry/2.0
< www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"
< date: Tue, 17 Dec 2024 07:33:42 GMT
< content-length: 87
< strict-transport-security: max-age=31536000
< 
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
* Connection #0 to host PROXY.com left intact

Need help 🙂

It seems to be a DNS lookup issue. Since 127.0.0.53 is the DNS IP when the stub resolver is used, I had the idea of disabling it. I can’t explain why it matters only when a proxy is used, but I found a post that confirms that idea.

So try:

sudo unlink /etc/resolv.conf
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

Then, instead of the stub resolver, you will use the actual DNS servers directly. The side effect is that you won’t get the features of the stub resolver, like being able to “nslookup” domain names available only in the hosts file, if I remember correctly.

I’m not 100% sure it helps, but that is my first idea too.

Thanks @rimelek. Sorry, it doesn’t work.

$ ls -al /etc/resolv.conf
lrwxrwxrwx 1 root root 32 déc.  18 11:36 /etc/resolv.conf -> /run/systemd/resolve/resolv.conf

When I try:

$ docker --debug --log-level debug run -it --rm -p 8080:8080 --name wiremock wiremock/wiremock:3.10.0
Unable to find image 'wiremock/wiremock:3.10.0' locally
docker: Error response from daemon: Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io on 10.0.2.3:53: server misbehaving.
See 'docker run --help'.
$ nslookup registry-1.docker.io
;; Got SERVFAIL reply from 10.0.2.3
Server:         10.0.2.3
Address:        10.0.2.3#53

** server can't find registry-1.docker.io: SERVFAIL
$ dig registry-1.docker.io

; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> registry-1.docker.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39189
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;registry-1.docker.io.          IN      A

;; Query time: 47 msec
;; SERVER: 10.0.2.3#53(10.0.2.3) (UDP)
;; WHEN: Wed Dec 18 11:59:11 CET 2024
;; MSG SIZE  rcvd: 49

I think it works, but in fact I use https://raw.githubusercontent.com/moby/moby/refs/heads/master/contrib/download-frozen-image-v2.sh to download the image manually. This way works.

I’m sorry it didn’t help. Unfortunately I don’t have much time currently, but you can read about proxy configuration for Docker here:

Maybe you will find something that we all missed so far. If you are sure that all configuration is correct, and the DNS resolution still doesn’t work when using the docker command but works when using that special script (which is not for generally pulling images), you can report it as an issue on GitHub in the Moby repository.

And if we missed something, I also hope someone will see this topic and correct us.
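
An added example, not part of the thread: a small shell check for a dockerd proxy drop-in like the `http-proxy.conf` shown in the first post. It flags missing proxy variables, credentials embedded in the proxy URL, and a world-readable file. The function name `audit_dropin`, the finding labels and the sample values are assumptions made for illustration; GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a dockerd systemd proxy drop-in.
# systemd.exec(5) notes that Environment= values are exposed to unprivileged
# clients over D-Bus, so a password in the proxy URL is not kept secret.

# audit_dropin FILE -> prints one finding per line (labels are hypothetical):
#   no-service-section | missing:VAR | creds-in-url:VAR | world-readable
audit_dropin() (
    file=$1
    grep -q '^\[Service\]' "$file" || echo "no-service-section"
    for var in HTTP_PROXY HTTPS_PROXY; do
        # Accepts Environment="VAR=value" with or without the quotes;
        # the last assignment in the file is the one that counts.
        url=$(sed -n "s/^Environment=\"\{0,1\}${var}=\([^\"]*\)\"\{0,1\}\$/\1/p" "$file" | tail -n 1)
        if [ -z "$url" ]; then
            echo "missing:${var}"
        elif printf '%s' "$url" | grep -Eq '^[a-z]+://[^/@]+:[^/@]*@'; then
            # scheme://user:password@host form
            echo "creds-in-url:${var}"
        fi
    done
    # Last octal digit of the mode >= 4 means "other" users can read the file.
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        *[4-7]) echo "world-readable" ;;
    esac
)

# Constructed sample mirroring the drop-in in the thread (placeholder values).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Service]
Environment="HTTP_PROXY=http://user:secret@proxy.example:8080"
Environment="HTTPS_PROXY=http://user:secret@proxy.example:8080"
EOF
chmod 644 "$sample"
audit_dropin "$sample"
rm -f "$sample"
```

After editing a drop-in, `sudo systemctl daemon-reload` followed by `sudo systemctl restart docker` is needed before dockerd sees the change, and `systemctl show --property=Environment docker` shows what the unit was actually started with.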
