Docker error response from daemon get https registry 1 docker io v2

I am having this issue system3:postgres saurabh-gupta2$ docker build -t postgres . Sending build context to Docker daemon 38.91kB Step 1/51 : FROM registry.access.redhat.com/rhel7/rhel Get https://

I had this same issue when working on an Ubuntu server.

I was getting the following error:

deploy@my-comp:~$ docker login -u my-username -p my-password
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp 35.175.83.85:443: connect: connection refused

Here are the things I tried that did not work:

  • Restarting the docker service using sudo docker systemctl restart docker
  • Powering off and restarting the Ubuntu server.
  • Changing the name server to 8.8.8.8 in the /etc/resolv.conf file

Here’s what worked for me:

I tried checking if the server has access to the internet using the following netcat command:

nc -vz google.com 443

And it returned this output:

nc: connect to google.com port 443 (tcp) failed: Connection refused
nc: connect to google.com port 443 (tcp) failed: Network is unreachable

Instead of something like this:

Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 172.217.166.110:443.
Ncat: 0 bytes sent, 0 bytes received in 0.07 seconds.

I tried checking again if the server has access to the internet using the following wget command:

wget -q --spider http://google.com ; echo $?

And it returned:

4

Instead of:

0

Note: Anything other than 0 in the output means your system is not connected to the internet

I then checked one last time whether the server had access to the internet using the following Nmap command:

nmap -p 443 google.com

And it returned:

Starting Nmap 7.01 ( https://nmap.org ) at 2021-02-16 11:50 WAT
Nmap scan report for google.com (216.58.223.238)
Host is up (0.00052s latency).
Other addresses for google.com (not scanned): 2c0f:fb50:4003:802::200e
rDNS record for 216.58.223.238: los02s04-in-f14.1e100.net
PORT    STATE  SERVICE
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 1.21 seconds

Instead of something like this:

Starting Nmap 7.01 ( https://nmap.org ) at 2021-02-16 11:50 WAT
Nmap scan report for google.com (216.58.223.238)
Host is up (0.00052s latency).
Other addresses for google.com (not scanned): 2c0f:fb50:4003:802::200e
rDNS record for 216.58.223.238: los02s04-in-f14.1e100.net
PORT    STATE  SERVICE
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 1.21 seconds

Note: The state of port 443/tcp is closed instead of open

All this was enough to make me realize that connections to the internet were not allowed on the server.

All I had to do was speak with the team in charge of infrastructure to fix the network connectivity issue to the internet on the server. And once that was fixed my docker command started working fine.

Resources: 9 commands to check if connected to internet with shell script examples

That’s all.

I hope this helps

@thaJeztah Doesn’t seem like it is :(

I’ve checked that both google DNS are reachable:

$ dig github.com @8.8.4.4

; <<>> DiG 9.11.3-RedHat-9.11.3-12.fc28 <<>> github.com @8.8.4.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2352
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;github.com.			IN	A

;; ANSWER SECTION:
github.com.		36	IN	A	192.30.253.113
github.com.		36	IN	A	192.30.253.112

;; Query time: 44 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Wed Jul 18 21:38:11 EEST 2018
;; MSG SIZE  rcvd: 71

$ dig github.com @8.8.8.8

; <<>> DiG 9.11.3-RedHat-9.11.3-12.fc28 <<>> github.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3619
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;github.com.			IN	A

;; ANSWER SECTION:
github.com.		59	IN	A	192.30.253.112
github.com.		59	IN	A	192.30.253.113

;; Query time: 78 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul 18 21:38:15 EEST 2018
;; MSG SIZE  rcvd: 71

I’ve also had 1.1.1.1 and 1.0.0.1 in resolv.conf
Now it looks like:

$ cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 192.168.31.1
nameserver 1.1.1.1
nameserver 8.8.8.8

systemd unit doesn’t have any proxy-related settings in it

# systemctl show docker | grep -i proxy
#

I even tried commenting out everything but ExecStart and ExecReload in /usr/lib/systemd/system/docker.service (with daemon-reload and restart docker after each edit) to no avail :(


Do you know if there’s a way to know what DNS docker is using for that request?

This tutorial guides you on how to resolve docker: Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io: no such host while running docker run command to find and pull the image from docker hub.

I had set up Docker in an Ubuntu VM and tried to pull the guacamole/guacd image to run as a Docker container, but it resulted in the following error.

$ sudo docker run --name guacd -d guacamole/guacd
Unable to find image 'guacamole/guacd:latest' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io: no such host.
See 'docker run --help'.

Solution – Setup Docker Proxy

I figured out that, since Docker is set up on a development VM behind the corporate firewall, it is not able to reach the host registry-1.docker.io. Therefore, to fix the above Docker error, follow the steps below to set up a Docker proxy.

1: First, create a new directory called docker.service.d under /etc/systemd/system folder.

2: Next, create a new docker service configuration file under /etc/systemd/system/docker.service.d directory called http-proxy.conf.

$ sudo mkdir -p /etc/systemd/system/docker.service.d

$ cd /etc/systemd/system/docker.service.d

$ sudo touch http-proxy.conf

$ sudo nano http-proxy.conf

3: Add the following contents matching your environment.

[Service]
Environment="HTTP_PROXY=http://proxy.hostname:80/"
Environment="HTTPS_PROXY=http://proxy.hostname:80/"
Environment="NO_PROXY=localhost,127.0.0.1,::1"

After adding contents save and exit the text editor.

4: In order to flush the changes, you need to reload the daemon configuration.

$ sudo systemctl daemon-reload

5: Finally, restart Docker to apply the changes.

$ sudo systemctl restart docker

6: To check the docker service status you can run the following command.

$ sudo systemctl status docker

Check Docker Proxy Status

To check whether the Docker proxy is set up correctly, you can verify it using the following command.

$ sudo docker info

The above command displays system-wide information about the Docker installation, including the kernel version, the number of containers and images, and so on. It also prints the following information, which you can use to verify the Docker proxy setup.

---
---
HTTP Proxy: http://proxy.hostname:80/
HTTPS Proxy: http://proxy.hostname:80/
No Proxy: localhost,127.0.0.1,::1
---
---

That’s it. Now you should be able to pull any image from the docker hub after restarting docker daemon and docker service. And you won’t see docker: Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp : lookup registry-1.docker.io any more.

Hope this article is helpful 🙂


Introduction

If you are trying to pull a container from the Docker registry and hit the error "Error response from daemon: Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority", then we hope this guide helps you resolve the problem.

We assume you already have SSL certificates ready, because this guide does not cover creating SSL certificates.

Step 1: Install CA-certificates

I am working on a CentOS 7 server.

Run the following command to install ca-certificates

sudo yum check-update ca-certificates; (($?==100)) && sudo yum update ca-certificates || sudo yum -y reinstall ca-certificates

Step 2: Create a directory in /etc/docker/certs.d

Docker recommends placing certificates in /etc/docker/certs.d.

If you use a private registry, follow this pattern.

sudo mkdir -p /etc/docker/certs.d/registry-1.docker.io:443 

Step 3: Copy the SSL certificates

Now copy your SSL certificates into the directory you created.

sudo cp CA.crt /etc/docker/certs.d/registry-1.docker.io:443/
sudo cp server.crt /etc/docker/certs.d/registry-1.docker.io:443/
sudo cp server.key /etc/docker/certs.d/registry-1.docker.io:443/

Step 4: Restart Docker

Restart the Docker service

sudo systemctl restart docker

And now you should be able to pull your images

$ sudo docker pull alpine
Using default tag: latest
latest: Pulling from library/alpine
89d9c30c1d48: Extracting [=============>                          ]

Are you trying to find a solution for the docker error response from daemon i/o timeout? We can help you with it.

Here at Bobcares, we have seen several causes for this error while troubleshooting Docker issues as part of our Docker Hosting Support for Docker users, web hosts, and online service providers.

Today we’ll take a look at the cause for this error and how to fix it.

What causes Docker Error response from daemon I/O timeout to occur

In older versions of Docker, this error occurs due to a DNS issue.

In newer versions of Docker, this error occurs due to an issue in the network infrastructure and is likely the product of latency between the client and the registry.

Here, we need to make sure that there are no proxies in between the client and the registry. Also, the two must be geographically close.

How we fix Docker Error response from daemon I/O timeout

Now let’s see the solution part of this error.

1. DNS Server issue

One of our customers received the error below on a Windows machine.

Error response from daemon: Get https://registry-1.docker.io/v2/library/hello-world/manifests/latest: Get https://auth.docker.io/token?account={your account name here}&scope=repository%3Alibrary%2Fhello-world%3Apull&service=registry.docker.io: dial tcp: lookup auth.docker.io on 192.168.xx.x:5x: read udp 192.168.xx.x:5xxxx->192.168.xx.x:5x: i/o timeout.
See 'docker run --help'.

Here are the steps our Support Engineers provided to resolve this error.

1. First, right-click on the Docker icon to open Docker Settings.
2. Next, click on the Network tab and change the DNS server from Automatic to Fixed.
3. Finally, click on the Apply button to apply the changes.

Now the Docker service will restart and should be able to pull Docker images without any issues.

2. Proxy issue

In another case, the customer was trying to download a docker image using the below command,

sudo docker run hello-world

Since he didn’t have a direct connection and the proxy server was configured in .bashrc file, he was receiving the below error.

Unable to find image 'hello-world:latest' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 192.168.xx.xx:53: read udp 192.168.xx.xx:38062->192.168.xx.xx:53: i/o timeout.
See 'docker run --help'.

Below are the steps our Engineers provided to resolve this error.

In the above error, the docker proxy must be configured separately. For that, create a new folder /etc/systemd/system/docker.service.d and create a file http-proxy.conf inside it using the below commands.

mkdir /etc/systemd/system/docker.service.d
cat > /etc/systemd/system/docker.service.d/http-proxy.conf

After that, insert the proxy information below into the file, replacing the values with your proxy IPs. (You can also use the vi text editor.)

[Service]
Environment="HTTP_PROXY=:808"
Environment="HTTPS_PROXY=:808"
Environment="NO_PROXY=localhost,127.0.0.1,localaddress,.localdomain.com"

After file configuration, reload docker daemon and restart docker service using the below command.

sudo systemctl daemon-reload
sudo systemctl restart docker

Finally, the image download should now succeed. You can use docker ps -a to check the container information.
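Both proxy procedures on this page (the http-proxy.conf drop-in in the Setup Docker Proxy steps and the one just above) end with a file of Environment= lines that steers all of the daemon's registry traffic. The following is an added example, not code from any of the quoted authors or from Docker: it lints such a drop-in for unbalanced quoting, a proxy value with no scheme or host (like the :808 value above), credentials embedded in the proxy URL (systemd documents Environment= values as readable by unprivileged users, for instance through systemctl show), and a file mode that lets non-owners edit it. The sample file, the function names and the finding labels are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample drop-in (hypothetical host and credentials).
SAMPLE_DROPIN = '''\
[Service]
Environment="HTTP_PROXY=http://builder:s3cret@proxy.example.internal:3128/"
Environment="HTTPS_PROXY=:808"
Environment="NO_PROXY="localhost,127.0.0.1,::1"
'''

PROXY_KEYS = {"HTTP_PROXY", "HTTPS_PROXY"}


def check_proxy_url(url):
    """Return finding labels for one proxy URL value."""
    parts = urlsplit(url)
    out = []
    if parts.scheme not in ("http", "https") or not parts.hostname:
        out.append("proxy-url-missing-scheme-or-host")
    if parts.username or parts.password:
        # Anyone who can run `systemctl show docker` can read this value.
        out.append("credentials-in-proxy-url")
    return out


def audit_dropin(text, mode=None):
    """Return [(line_number, finding)] for a docker.service.d drop-in.

    `mode` is the file's permission bits (e.g. from os.stat), optional.
    Line number 0 is used for findings about the file as a whole.
    """
    findings = []
    if mode is not None and mode & 0o022:
        # A writable drop-in lets a non-owner reroute registry traffic.
        findings.append((0, "writable-by-group-or-other"))
    section = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line
            continue
        if not line.startswith("Environment="):
            continue
        if section != "[Service]":
            findings.append((n, "environment-outside-service-section"))
        value = line[len("Environment="):]
        if value.count('"') % 2:
            findings.append((n, "unbalanced-quotes"))
            continue
        # Each assignment is either "KEY=value" in quotes or a bare KEY=value.
        for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', value):
            name, _, val = (quoted or bare).partition("=")
            if name.upper() in PROXY_KEYS:
                findings.extend((n, f) for f in check_proxy_url(val))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_dropin(SAMPLE_DROPIN, mode=0o664):
        print(lineno, finding)
```

To lint a real file, pass its contents and os.stat(path).st_mode & 0o777 to audit_dropin.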


Conclusion

In short, this Docker Error response from daemon I/O timeout mainly occurs due to either a DNS error or a network infrastructure issue. Today, we saw the solution to this error.


How can I fix this problem in Ubuntu 20.04?

[18:31:29] (dpcc) jalal@echo:~/research/code$ sudo docker pull docurdt/heal
[sudo] password for jalal: 
Using default tag: latest
Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)


$ uname -a
Linux echo 5.4.0-99-generic #112-Ubuntu SMP Thu Feb 3 13:50:55 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux


$ docker --version
Docker version 20.10.7, build 20.10.7-0ubuntu5~20.04.2

I don’t have a problem with this $ docker pull on CentOS 7.

Here are the proxy settings I have used in ~/.bashrc:

export http_proxy="http://webproxy.bu.edu:8900"
export https_proxy="http://webproxy.bu.edu:8900"
export ftp_proxy="http://webproxy.bu.edu:8900"
export rsync_proxy=$http_proxy
export no_proxy="localhost,127.0.0.1,.bu.edu,.ad.bu.edu,128.197.,10."

Added these in config.json but the error still persists after logout:

$ cat ~/.docker/config.json 
{
 "proxies":
 {
   "default":
   {
     "httpProxy": "http://webproxy.bu.edu:8900",
     "httpsProxy": "http://webproxy.bu.edu:8900",
     "noProxy": "localhost,127.0.0.1,.bu.edu,.ad.bu.edu,128.197.,10."
   }
 }
}

I get:

[19:38:02] jalal@echo:~/research/code$ docker pull docurdt/heal
Using default tag: latest
Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

I installed Docker CE on a fresh Ubuntu 18.04 VM. When running hello-world, the following error response came up:

docker: Error response from daemon: Get registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers).

I thought that’s weird because I was able to access various other services on the internet, but Docker was timing out when accessing registry-1.docker.io.

I could ping google.com and yahoo.com, so I knew the network was up. 

But I couldn’t ping docker.io.

Oh.

I fixed this by using 8.8.8.8 and 8.8.4.4 as nameservers. 

Up until recently this could be done by editing /etc/resolv.conf, but now there’s a new way to do this. It’s called netplan and it uses a yaml formatted file to specify, among other things, the nameservers used by a network interface.

So all I did was open up /etc/netplan/50-cloud-init.yaml, which contained the following lines:

# This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        enp0s3:
            dhcp4: true
    version: 2

Then I edited the file so it looked like what you can see below:

# This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        enp0s3:
            dhcp4: true
            nameservers:
                    addresses: [8.8.8.8, 8.8.4.4]
    version: 2

And then all that was needed was to activate the new configuration by running the following command:

sudo netplan apply

That was easy. Everything then worked. The nameservers 8.8.8.8 and 8.8.4.4 were in use and running "docker run hello-world" worked as expected.

I get this consistently (Ubuntu 16.04 LTS):

$ docker pull nginx
Using default tag: latest
Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: TLS handshake timeout

However curl TLS works fine (apart from the auth error):

$ curl https://registry-1.docker.io/v2/
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}

And even a small golang program (to mimic docker) works fine:

package main
import (
    "fmt"
    "io/ioutil"
    "net/http"
)
func main() {
    resp, err := http.Get("https://registry-1.docker.io/v2/")
    if err != nil {
        panic(err)
    }
    defer resp.Body.Close()
    body, err := ioutil.ReadAll(resp.Body)
    if err != nil {
        panic(err)
    }
    fmt.Println("Got: ", string(body))
}

The pcap for the docker TLS timeout request:

reading from file docker-timeout.pcap, link-type LINUX_SLL (Linux cooked)
00:38:54.782452 IP my-ubuntu.52036 > registry-1.docker.io.https: Flags [S], seq 26945613, win 29200, options [mss 1460,sackOK,TS val 1609360 ecr 0,nop,wscale 7], length 0
00:38:54.878630 IP registry-1.docker.io.https > my-ubuntu.52036: Flags [S.], seq 2700732154, ack 26945614, win 26847, options [mss 1460,sackOK,TS val 947941366 ecr 1609360,nop,wscale 8], length 0
00:38:54.878691 IP my-ubuntu.52036 > registry-1.docker.io.https: Flags [.], ack 1, win 229, options [nop,nop,TS val 1609384 ecr 947941366], length 0
00:38:54.878892 IP my-ubuntu.52036 > registry-1.docker.io.https: Flags [P.], seq 1:156, ack 1, win 229, options [nop,nop,TS val 1609384 ecr 947941366], length 155
00:38:55.175931 IP my-ubuntu.52036 > registry-1.docker.io.https: Flags [P.], seq 1:156, ack 1, win 229, options [nop,nop,TS val 1609459 ecr 947941366], length 155
00:38:55.475954 IP my-ubuntu.52036 > registry-1.docker.io.https: Flags [P.], seq 1:156, ack 1, win 229, options [nop,nop,TS val 1609534 ecr 947941366], length 155
00:38:56.076327 IP my-ubuntu.52036 > registry-1.docker.io.https: Flags [P.], seq 1:156, ack 1, win 229, options [nop,nop,TS val 1609684 ecr 947941366], length 155
00:38:57.280103 IP my-ubuntu.52036 > registry-1.docker.io.https: Flags [P.], seq 1:156, ack 1, win 229, options [nop,nop,TS val 1609985 ecr 947941366], length 155
00:38:59.684095 IP my-ubuntu.52036 > registry-1.docker.io.https: Flags [P.], seq 1:156, ack 1, win 229, options [nop,nop,TS val 1610586 ecr 947941366], length 155
00:39:04.492102 IP my-ubuntu.52036 > registry-1.docker.io.https: Flags [P.], seq 1:156, ack 1, win 229, options [nop,nop,TS val 1611788 ecr 947941366], length 155
00:39:04.879468 IP my-ubuntu.52036 > registry-1.docker.io.https: Flags [F.], seq 156, ack 1, win 229, options [nop,nop,TS val 1611884 ecr 947941366], length 0
00:39:04.976015 IP registry-1.docker.io.https > my-ubuntu.52036: Flags [.], ack 1, win 105, options [nop,nop,TS val 947943890 ecr 1609384,nop,nop,sack 1 {156:157}], length 0
00:39:04.976073 IP my-ubuntu.52036 > registry-1.docker.io.https: Flags [P.], seq 1:156, ack 1, win 229, options [nop,nop,TS val 1611909 ecr 947943890], length 155
00:39:05.275922 IP my-ubuntu.52036 > registry-1.docker.io.https: Flags [P.], seq 1:156, ack 1, win 229, options [nop,nop,TS val 1611984 ecr 947943890], length 155
00:39:05.876104 IP my-ubuntu.52036 > registry-1.docker.io.https: Flags [P.], seq 1:156, ack 1, win 229, options [nop,nop,TS val 1612134 ecr 947943890], length 155

What could possibly be going wrong?
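In the capture above the SYN / SYN-ACK / ACK exchange completes, the client then resends the same 155-byte segment (seq 1:156) while the server's cumulative ack stays at 1, and the server's last ack carries sack {156:157}, which covers the client's FIN but not the payload. The following added example (not part of the original post, and not Docker's code) automates that reading over tcpdump text output; the embedded capture is constructed, with made-up hosts and timings, and the function and key names are hypothetical.

```python
import re

# Constructed capture in tcpdump's text format (hosts and timings made up).
CAPTURE = """\
10:00:00.000 IP client.40000 > registry.https: Flags [S], seq 1000, win 29200, options [mss 1460], length 0
10:00:00.090 IP registry.https > client.40000: Flags [S.], seq 5000, ack 1001, win 26847, options [mss 1460], length 0
10:00:00.091 IP client.40000 > registry.https: Flags [.], ack 1, win 229, length 0
10:00:00.092 IP client.40000 > registry.https: Flags [P.], seq 1:156, ack 1, win 229, length 155
10:00:00.390 IP client.40000 > registry.https: Flags [P.], seq 1:156, ack 1, win 229, length 155
10:00:00.990 IP client.40000 > registry.https: Flags [P.], seq 1:156, ack 1, win 229, length 155
10:00:10.000 IP client.40000 > registry.https: Flags [F.], seq 156, ack 1, win 229, length 0
10:00:10.095 IP registry.https > client.40000: Flags [.], ack 1, win 105, options [nop,nop,sack 1 {156:157}], length 0
"""

PKT = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]+)\]"
                 r"(?:, seq (\d+)(?::(\d+))?)?(?:, ack (\d+))?.*length (\d+)$")
SACK = re.compile(r"\{(\d+):(\d+)\}")


def analyse(capture):
    """Summarise one TCP connection from tcpdump text output."""
    client = None
    sends = {}       # (start, end) of client payload -> times seen on the wire
    acked_upto = 0   # highest cumulative ack sent by the server (relative)
    sacked = []      # SACK blocks reported by the server
    synack = False
    for line in capture.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue
        src, _dst, flags, s0, s1, ack, length = m.groups()
        if flags == "S":              # initial SYN identifies the client
            client = src
            continue
        if "S" in flags:              # SYN-ACK carries absolute numbers
            synack = True
            continue
        if src == client and int(length) > 0 and s1:
            seg = (int(s0), int(s1))
            sends[seg] = sends.get(seg, 0) + 1
        elif src != client and ack:
            acked_upto = max(acked_upto, int(ack))
            sacked += [(int(a), int(b)) for a, b in SACK.findall(line)]
    # A segment is unacknowledged if the server's cumulative ack never passed it.
    lost = {seg: n for seg, n in sends.items() if seg[1] > acked_upto}
    return {
        "tcp_handshake_ok": synack,
        "unacked_segments": lost,
        # True when the server SACKed sequence space after a missing segment.
        "peer_saw_later_bytes": any(a >= end for (_, end) in lost for a, _ in sacked),
    }


if __name__ == "__main__":
    print(analyse(CAPTURE))
```

A completed handshake combined with an unacknowledged first payload and a SACK beyond it is consistent with something on the path discarding that one segment, so the next place to look is the firewall or inspection device between the host and the registry rather than DNS.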
