Develop Reference

Unable to Change Docker Registry URL

I am new to Docker, so I am trying to learn and build a docker image for my Spring Boot application.
My Dockerfile currently is very basic. I will add to it, once I figure out more about it.
# AS <NAME> to name this stage as maven
FROM eclipse-temurin:11-jdk-alpine as jdk
FROM maven:3.8.4 as maven
My Docker info is:
Client:
Context: default
Debug Mode: false
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 20.10.17-ce
Storage Driver: btrfs
Build Version: Btrfs v4.15
Library Version: 102
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux oci runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
runc version: v1.1.4-0-ga916309fff0f
init version:
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 5.14.21-150400.24.28-default
Operating System: openSUSE Leap 15.4
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 9.714GiB
Name: localhost.localdomain
ID: CHSH:Q5ZQ:5MPU:X5MR:FG7M:IFV7:RG5Z:MKNO:KWG6:ZM4L:QX6E:QMNE
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Registry Mirrors:
https://MY_DOCKER_URL/
Live Restore Enabled: false
My /etc/docker/daemon.json file looks like this:
{
"log-level": "warn",
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "5"
},
"registry-mirrors": ["https://MY_DOCKER_URL/"]
}
I added the registry-mirror myself
My /usr/lib/systemd/system/docker.service looks like this:
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target lvm2-monitor.service SuSEfirewall2.service
[Service]
EnvironmentFile=/etc/sysconfig/docker
Environment=“HTTP_PROXY=MY_COMPANYS_PROXY”
Environment=“HTTPS_PROXY=MY_COMPANYS_PROXY”
Environment=“NO_PROXY=localhost,127.0.0.1”
# While Docker has support for socket activation (-H fd://), this is not
# enabled by default because enabling socket activation means that on boot your
# containers won't start until someone tries to administer the Docker daemon.
Type=notify
ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=1048576
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this property.
TasksMax=infinity
# Set delegate yes so that systemd does not reset the cgroups of docker containers
# Only systemd 218 and above support this property.
Delegate=yes
# Kill only the docker process, not all processes in the cgroup.
KillMode=process
# Restart the docker process if it exits prematurely.
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
I did login with the command:
sudo docker login -u MY_USERNAME -p MY_PASSWORD MY_CORPORATE_REGISTRY
But when I do a docker pull, it still tries to fetch from the docker hub registry:
Sending build context to Docker daemon 547.3kB
Step 1/3 : FROM eclipse-temurin:11-jdk-alpine as jdk
Get "https://registry-1.docker.io/v2/": net/http: TLS handshake timeout
Any help on this would be really nice. I am struggling with this for two days!

You have to add
{
"registry-mirrors": ["<your-registry-url>"]
}
to your /etc/docker/daemon.json and restart the docker daemon.

mounting permission denied in docker

I was facing issues installing docker on cloud server according to the official guide(Install Docker Engine on Ubuntu). I finished old version's uninstallation, the repository setting up and docker engine installation (sudo apt-get install docker-ce docker-ce-cli containerd.io). However, I got an error when running hello-world.
wyf#VM1103-Timi:~$ sudo docker run hello-world
docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"proc\\\" to rootfs \\\"/var/lib/docker/overlay2/e9fedf64e8983aa01e513cee591cdfd7fc60962466a476b51fc1ead682ec8022/merged\\\" at \\\"/proc\\\" caused \\\"permission denied\\\"\"": unknown.
ERRO[0000] error waiting for container: context canceled
I tried restart docker and server, but the problem still exists.
So, it would be great if someone can guide me in fixing this error.
Please let me know if you have any idea about this issue.
Thank you very much!
Ps:
My system is Ubuntu 18.04. Thus, I did not have selinux. Instead of selinux, I checked AppArmor log.
May 19 21:14:55 VM1103-Timi networkd-dispatcher[155]: WARNING:Unknown index 37 seen, reloading interface list
May 19 21:14:55 VM1103-Timi systemd-networkd[126]: veth71cf495: Link UP
May 19 21:14:55 VM1103-Timi containerd[170]: time="2020-05-19T21:14:55.679793295+08:00" level=info msg="shim containerd-shim started" address="/containerd-shim/moby/4c207ce1273d2c863ee419c5ebb271163a031394bd4c17ee75d44267d631954d/shim.sock" debug=false pid=106265
May 19 21:14:55 VM1103-Timi containerd[170]: time="2020-05-19T21:14:55.767796543+08:00" level=info msg="shim reaped" id=4c207ce1273d2c863ee419c5ebb271163a031394bd4c17ee75d44267d631954d
May 19 21:14:55 VM1103-Timi dockerd[15100]: time="2020-05-19T21:14:55.776863367+08:00" level=error msg="stream copy error: reading from a closed fifo"
May 19 21:14:55 VM1103-Timi dockerd[15100]: time="2020-05-19T21:14:55.776953910+08:00" level=error msg="stream copy error: reading from a closed fifo"
May 19 21:14:55 VM1103-Timi systemd-networkd[126]: veth71cf495: Link DOWN
May 19 21:14:55 VM1103-Timi dockerd[15100]: time="2020-05-19T21:14:55.927805156+08:00" level=error msg="4c207ce1273d2c863ee419c5ebb271163a031394bd4c17ee75d44267d631954d cleanup: failed to delete container from containerd: no such container"
The strange thing is that there is no record of permission-denied error.
Here are my ubuntu version, kernal version and docker info:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic
5.3.18-3-pve
Client:
Debug Mode: false
Server:
Containers: 8
Running: 0
Paused: 0
Stopped: 8
Images: 1
Server Version: 19.03.8
Storage Driver: overlay2
Backing Filesystem: <unknown>
Supports d_type: true
Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 5.3.18-3-pve
Operating System: Ubuntu 18.04.4 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 4GiB
Name: VM1103-Timi
ID: 3G3F:LTVZ:NO25:C7LA:XKQV:ETMB:B6QU:3ZFJ:KBA5:R3KK:QZEA:ZONC
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
It seemed that the AppArmor Profile "docker-default" was lost. "docker-default" was not correctly generated. Check as follows:
root#VM1103-Timi:/etc/apparmor.d# aa-status
apparmor module is loaded.
12 profiles are loaded.
12 profiles are in enforce mode.
/sbin/dhclient
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/lightdm/lightdm-guest-session
/usr/lib/lightdm/lightdm-guest-session//chromium
/usr/sbin/mysqld
/usr/sbin/tcpdump
docker-default
man_filter
man_groff
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
/usr/sbin/mysqld (258)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Solution is probably to open ports needed. Your system might be running selinux and (ufw or firewalld or iptables) ?and/or others?. Read up a bit on linux firewall tools, in particular the ones running on your system.
For the selinux case, you need to check selinux logs, is it blocking access? Add exceptions using selinux commands.
https://wiki.centos.org/HowTos/SELinux These tools are well worth learning but can be complicated. A quick test disabling selinux and firewalld can confirm that this is the source of problem and you can enable selinux and firewalld later and allow/open ports in a secure way.
Simple test: disable selinux and firewalld, e.g. on CentOS
systemctl stop firewalld;
setenforcing 0;
If you can create containers with selinux disabled then you have confirmed selinux is your problem. You can enable firewall and selinux and then add exceptions and open ports as needed later.
This looks good (specific to ubuntu but general enough IMHO), It details ufw commands, firewalld commands and iptables commands needed for opening ports to allow docker swarm to work) https://www.digitalocean.com/community/tutorials/how-to-configure-the-linux-firewall-for-docker-swarm-on-ubuntu-16-04
I originally got useful info on ufw commands to open ports needed from here:
Error response from daemon: attaching to network failed, make sure your network options are correct and check manager logs: context deadline exceeded
ufw allow 2376/tcp
ufw allow 2377/tcp
ufw allow 7946/tcp
ufw allow 7946/udp
ufw allow 4789/udp
ufw enable #maybe
ufw reload
systemctl restart docker
This is a common enough problem where something usually selinux is not allowing access to ports needed.
e.g.
https://github.com/google/cadvisor/issues/333

How to connect IntelliJ's Docker plugin to Docker Desktop Windows

I'm running the latest Windows 10 Pro build (1903), the latest Docker Engine build (v19.03.8), and the latest IntelliJ (2019.3.4). I have set Expose daemon on tcp://localhost:2375 without TLS and Apply/Restart-ed the Engine. Trying to switch to a Windows container seemingly hangs the daemon, throwing an error, after which I need to destroy all settings and config files before I can start the daemon again.
Yet, when I'm trying to set tcp://localhost:2375 in my Docker plugin, the connection simply fails (probably with a timeout, but there's no log of it). Yet, simply using docker info and other commands from the CLI works as intended, so I'm fairly certain the Engine is running.
For reference, the output of docker info:
$ docker system info
Client:
Debug Mode: false
Plugins:
app: Docker Application (Docker Inc., v0.8.0)
buildx: Build with BuildKit (Docker Inc., v0.3.1-tp-docker)
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 19.03.8
Storage Driver: overlay2
Backing Filesystem: <unknown>
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 4.19.76-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.943GiB
Name: docker-desktop
ID: NGP3:BQCE:JSUO:6BSV:IUU6:2UEZ:4QTQ:N6IO:TA3T:A7I7:4GXS:IYD6
Docker Root Dir: /var/lib/docker
Debug Mode: true
File Descriptors: 34
Goroutines: 50
System Time: 2020-03-27T15:56:23.690394533Z
EventsListeners: 3
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
What else can I try (short of using Docker Toolkit again) to get the integration up and running? How can I even test where the connection might be dropping?

So after three days of research, I have an answer. Apparently, Windows 10 reserves a port range of 2344-2444, which prevents the Docker daemon from actually exposing the TCP socket, despite the settings. I have a feeling it also relates to the daemon being unable to start after a reboot. You can verify if this is the root cause of the issue by executing the following in an elevated prompt/powershell: netsh interface ipv4 show excludedportrange protocol=tcp - if the output show a range that includes 2375, you are affected,
Remediation (this will include two reboots!):
Disable HyperV and reboot, to free up the port allocations: dism.exe /Online /Disable-Feature:Microsoft-Hyper-V
Manually allocate port 2375: netsh int ipv4 add excludedportrange protocol=tcp startport=2375 numberofports=1
Re-enable HyperV and reboot to take advantage of the fix: dism.exe /Online /Enable-Feature:Microsoft-Hyper-V /All
Optional: after this process, you can re-enable TLS on said socket, and the Docker plugin will be able to connect just fine.

2 years later (June 2022), this integration is easier to setup, assuming you have the latest Docker Desktop for Windows.
It uses as a back-end either WSL2 or HyperV.
The article "Getting Started with Visual Studio Code and IntelliJ IDEA Docker Plugins" from Tyler Charboneau details the IntelliJ IDEA part.
It will require a manual installation of the Docker plugin if you’re using the Community Edition.
Once you’ve installed the Docker plugin, you’ll need to connect it to Docker Desktop.
Follow these steps:
Navigate to IntelliJ IDEA > Preferences.
Expand the Build, Execution, Deployment group.
Click Docker, and then click the small "+" icon to the right.
Choose the correct Docker daemon for your platform (for example, Docker for Mac).
The installation may take a few minutes. Once it’s complete, you’ll see the "Connection successful" message toward the middle-bottom of the Preferences pane:

docker installation on ubuntu in virtualbox, cannot pull images

I have ubuntu 14.04.5 installed as guest os in virtualbox 5.0.26 running on windows 10. I am not aware of any issues with the ubuntu installation, it seems to run fine and has a bridged internet connection so gets its own ip.
I have installed docker following the directions on docker docs for linux. The installation goes fine without any errors and the docker daemon starts ok.
Here is the docker info:
root#ubuntu-z9:~# docker info
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 1.12.0
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 0
Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: overlay bridge host null
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor
Kernel Version: 4.2.0-27-generic
Operating System: Ubuntu 14.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 10
Total Memory: 31.42 GiB
Name: ubuntu-z9
ID: 7MPO:OHFW:3OBJ:KUVX:3YCS:XP4U:RE6W:SFC3:O4KK:GJJU:M6WJ:HYLY
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
127.0.0.0/8
The machine can see the internet fine and access hub.docker.com from a browser.
However, when I run the simple hello-world test the daemon hangs
root#ubuntu-z9:~# docker run hello-world
Unable to find image 'hello-world:latest' locally
with a timeout.
I can run docker-machine without any issues on the host windows 10 machine so I believe the issue lies in my setup of the ubuntu machine in virtualbox and docker.
Here is the logging output of the docker daemon on the ubuntu guest machine:
$ docker pull hello-world
DEBU[0093] Calling POST /v1.24/images/create?fromImage=hello-world&tag=latest
DEBU[0093] Trying to pull hello-world from https://registry-1.docker.io v2
DEBU[0094] Increasing token expiration to: 60 seconds
ERRO[0494] Error trying v2 registry: error parsing HTTP 408 response body: invalid character '<' looking for beginning of value: "<html><body><h1>408 Request Time-out</h1>\nYour browser didn't send a complete request in time.\n</body></html>\n\n"
ERRO[0494] Attempting next endpoint for pull after error: error parsing HTTP 408 response body: invalid character '<' looking for beginning of value: "<html><body><h1>408 Request Time-out</h1>\nYour browser didn't send a complete request in time.\n</body></html>\n\n"
DEBU[0494] Skipping v1 endpoint https://index.docker.io because v2 registry was detected
ERRO[0494] Handler for POST /v1.24/images/create returned error: error parsing HTTP 408 response body: invalid character '<' looking for beginning of value: "<html><body><h1>408 Request Time-out</h1>\nYour browser didn't send a complete request in time.\n</body></html>\n\n"
Any suggestions on a way forward to diagnose or fix the issue?
Many thanks.

It was a simple issue, undoubtedly documented somewhere but I missed it. I post an answer here in case someone else has the same.
The virtualbox os (ubuntu in my case) has to have a NAT network adapter and the NAT adapter has to have higher priority than a bridge adapter (if you have one). You don't need a bridged adapter to run docker (but if you want the virtualbox to have an ip on your local network then you do need to add a bridged adapter.)
VirtualBox configuration examples that work to run docker:
VBox Adapter 1: NAT (eth0), VBox Adapter 2: Host-only Adapter (eth1)
VBox Adapter 1: NAT (eth0), VBox Adapter 2: Bridged Adapter (eth1)
VirtualBox configuration examples that do not work to run docker:
VBox Adapter 1: Bridged Adapter (eth0)
VBox Adapter 1: Bridged Adapter (eth0), VBox Adapter 2: NAT (eth1)
Note in all four cases the virtualbox ubuntu os has access to the internet but docker can only pull images when NAT has priority over the bridged interface.

docker and DNS issues

I am trying to install a docker repo on an Ubuntu server, but it seems Docker has issues with DNS.
docker run -d -p 5000:5000 --restart=always --name registry registry:2
Unable to find image 'registry:2' locally
Pulling repository registry
Get https://index.docker.io/v1/repositories/library/registry/images: dial tcp: lookup index.docker.io: no such host
However, all other applications work fine. I can also do a wget on index.docker.io, so no issues there.
I am using an internal DNS server, which is a Synology NAS device.
resolv.conf of the server:
nameserver 192.168.10.2
search internal.mydomain.com
my /etc/default/docker options:
DOCKER_OPTS="--bip=192.168.11.0/24 --dns 192.168.10.2"
I am using 192.168.10.0/24 as my internal ip range. the .2 ip belongs to my NAS/DNS server.
Docker version:
Docker version 1.7.1, build 786b29d
Anyone a clue?
Update: changing dns to Google solved the download issue, but now it gives an error afterwards:
Error response from daemon: Cannot start container 33757f59f942583ff949f421fb5c266e6d1c2b0fdc1363565e77febf44feb60f: invalid argument
Some additional info about my setup:
jeroen#docker01:~$ docker info
Containers: 3
Images: 22
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 28
Dirperm1 Supported: false
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 3.13.0-32-generic
Operating System: Ubuntu 14.04.2 LTS
CPUs: 2
Total Memory: 1.955 GiB
Name: docker01
ID: X6JB:IH7Z:OK5O:II5I:OJ6V:OERE:IPEM:PN6S:HDDM:G2J7:HRB2:4ZKO
WARNING: No swap limit support

I had the same issue, and I notice that you have "--bip=192.168.11.0/24"
Try changing this to an actual IP address, rather than a subnet. For example, try "--bip=192.168.11.1/24".
You will have to stop docker, remove the docker0 bridge (ip link delete docker0) and then restart using the new bip option.