I’m trying to build an image from an AWS Lambda python base image via a VPN, as I’m behind the GFW.
I run the build command:
docker build --progress=plain --platform="linux/x86_64" --no-cache -t projects/my-project . -f projects/my-project/Dockerfile
But I get the following error:
ERROR: failed to solve: public.ecr.aws/lambda/python:3.11: failed to resolve source metadata for public.ecr.aws/lambda/python:3.11: failed to authorize: failed to fetch anonymous token: Get "https://public.ecr.aws/token/?scope=aws%3A%3A&scope=repository%3Alambda%2Fpython%3Apull&service=public.ecr.aws": proxyconnect tcp: EOF
I am able to follow the link in my browser to view the token, but Docker is unable to retrieve it. The line that fails is the first line in the Dockerfile:
FROM public.ecr.aws/lambda/python:3.11
I am able to pull the image successfully with: docker pull public.ecr.aws/lambda/python:3.11
I have set up my proxy settings in /etc/systemd/system/docker.service.d/http-proxy.conf:
[Service]
Environment="HTTP_PROXY=http://127.0.0.1:7890/"
Environment="HTTPS_PROXY=https://127.0.0.1:7890/"
I have also set up a named DNS server (1.1.1.1) in /etc/resolv.conf:
# Google DNS
# nameserver 8.8.8.8
# nameserver 8.8.4.4
# Cloudflare DNS
nameserver 1.1.1.1
# nameserver 127.0.0.53
I.e., I can run nslookup example.com to get:
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: example.com
Address: 93.184.215.14
Name: example.com
Address: 2606:2800:21f:cb07:6820:80da:af6b:8b2c
I can also run dig example.com to get:
; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4358
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 2768 IN A 93.184.215.14
;; Query time: 392 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Wed Aug 14 12:28:57 CST 2024
;; MSG SIZE rcvd: 56
I have tried running the build with --network=host, which is still unsuccessful. I have also tried running with docker buildx build, but this is also unsuccessful.
I have proxies for http, https, socks5, mixed, and redirect ports. Besides this Docker pull issue, the VPN works as intended.
Docker usage has been affected recently due to GFW (https://medium.com/@PlanB./chinese-docker-hub-complete-shutdown-how-far-can-kubernetes-image-repositories-go-826706007b8e).
Any help appreciated!
UPDATE:
After correcting the proxy settings in /etc/systemd/system/docker.service.d/http-proxy.conf (use http not https protocol for both env vars) to:
[Service]
Environment="HTTP_PROXY=http://127.0.0.1:7890/"
Environment="HTTPS_PROXY=http://127.0.0.1:7890/"
I am able to run the first step of pulling the base image. However, the subsequent yum update -y step fails:
FROM public.ecr.aws/lambda/python:3.11
ARG DEBIAN_FRONTEND=noninteractive
RUN yum update -y
RUN yum install -y curl pip nano
RUN yum clean -y all
It produces the following:
#6 [ 2/14] RUN yum update -y
#6 0.235 Loaded plugins: ovl
#6 0.253 Could not retrieve mirrorlist http://amazonlinux.default.amazonaws.com/2/core/latest/x86_64/mirror.list error was
#6 0.253 14: curl#7 - "Failed to connect to 127.0.0.1 port 7890 after 0 ms: Couldn't connect to server"
It seems the docker build process is still struggling to reach out through the VPN.
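Both proxy failures in the question above (TLS attempted against a plain-HTTP proxy port, and a loopback proxy address seen from inside a RUN step) can be caught by checking the drop-in before building. The following is an added example, not part of the original post: the function name `lint_proxy_conf` and its `SCHEME`/`LOOPBACK` labels are hypothetical, and it assumes the upper-case `HTTP_PROXY`/`HTTPS_PROXY` variables shown in the question.

```shell
#!/bin/sh
# Added example: lint a dockerd systemd proxy drop-in (names are hypothetical).
# Prints one finding per line; status 1 when the HTTPS_PROXY scheme is suspect.
lint_proxy_conf() (
    conf=$1 http_s= http_hp= https_s= https_hp=
    # Reduce each Environment="VAR=scheme://host:port/" line to "VAR scheme host:port".
    parsed=$(sed -n 's|^[[:space:]]*Environment="\{0,1\}\(HTTPS\{0,1\}_PROXY\)=\([a-z0-9]*\)://\([^/"]*\).*|\1 \2 \3|p' "$conf")
    while read -r var scheme hostport; do
        [ -n "$var" ] || continue
        if [ "$var" = HTTP_PROXY ]; then http_s=$scheme http_hp=$hostport
        else https_s=$scheme https_hp=$hostport; fi
        # Loopback works for dockerd on the host, but inside a RUN step it is
        # the build container's own loopback unless host networking is used.
        case ${hostport%:*} in
            127.*|localhost|'[::1]') echo "LOOPBACK $var=$scheme://$hostport" ;;
        esac
    done <<EOF
$parsed
EOF
    # The URL scheme says how to reach the proxy itself. https:// on the same
    # host:port that HTTP_PROXY reaches over plain http means a TLS handshake
    # is attempted against a plain-HTTP listener.
    if [ "$https_s" = https ] && [ "$http_s" = http ] && [ "$https_hp" = "$http_hp" ]; then
        echo "SCHEME HTTPS_PROXY=https://$https_hp shares a port with the plain-HTTP proxy"
        exit 1
    fi
    exit 0
)

# Demo on the two drop-ins quoted in the question (before and after the UPDATE).
demo() {
    d=$(mktemp -d)
    printf '[Service]\nEnvironment="HTTP_PROXY=http://127.0.0.1:7890/"\nEnvironment="HTTPS_PROXY=https://127.0.0.1:7890/"\n' > "$d/before.conf"
    printf '[Service]\nEnvironment="HTTP_PROXY=http://127.0.0.1:7890/"\nEnvironment="HTTPS_PROXY=http://127.0.0.1:7890/"\n' > "$d/after.conf"
    echo "before:"; lint_proxy_conf "$d/before.conf" || echo "-> fix the HTTPS_PROXY scheme"
    echo "after:";  lint_proxy_conf "$d/after.conf" && echo "-> scheme ok"
    rm -rf "$d"
}
demo
```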
2 Answers
The solution is to specify the proxy in the build command, as well as the --network flag:
You can also just pull the image, and docker will use it as a cached image if you just want to test locally:
docker pull public.ecr.aws/lambda/python:3.11