
I’m trying to build an image from an AWS Lambda python base image via a VPN, as I’m behind the GFW.

I run the build command:

docker build --progress=plain --platform="linux/x86_64" --no-cache -t projects/my-project . -f projects/my-project/Dockerfile

But I get the following error:

ERROR: failed to solve: public.ecr.aws/lambda/python:3.11: failed to resolve source metadata for public.ecr.aws/lambda/python:3.11: failed to authorize: failed to fetch anonymous token: Get "https://public.ecr.aws/token/?scope=aws%3A%3A&scope=repository%3Alambda%2Fpython%3Apull&service=public.ecr.aws": proxyconnect tcp: EOF

I am able to follow the link in my browser to view the token, but Docker is unable to retrieve it. The line that fails is the first line in the Dockerfile:
FROM public.ecr.aws/lambda/python:3.11

I am able to pull the image successfully with: docker pull public.ecr.aws/lambda/python:3.11

I have set up my proxy settings in /etc/systemd/system/docker.service.d/http-proxy.conf:

[Service]
Environment="HTTP_PROXY=http://127.0.0.1:7890/"
Environment="HTTPS_PROXY=https://127.0.0.1:7890/"

I have also set up a named DNS server (1.1.1.1) in /etc/resolv.conf:

# Google DNS
# nameserver 8.8.8.8
# nameserver 8.8.4.4

# Cloudflare DNS
nameserver 1.1.1.1

# nameserver 127.0.0.53

I.e., I can run nslookup example.com to get:

Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
Name:   example.com
Address: 93.184.215.14
Name:   example.com
Address: 2606:2800:21f:cb07:6820:80da:af6b:8b2c

I can also run dig example.com to get:

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4358
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            2768    IN      A       93.184.215.14

;; Query time: 392 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Wed Aug 14 12:28:57 CST 2024
;; MSG SIZE  rcvd: 56

I have tried running the build with --network=host which is still unsuccessful. I have also tried running with docker buildx build, but this is also unsuccessful.

I have proxies for http, https, socks5, mixed, and redirect ports. Besides this Docker pull issue, the VPN works as intended.

Docker usage has been affected recently due to GFW (https://medium.com/@PlanB./chinese-docker-hub-complete-shutdown-how-far-can-kubernetes-image-repositories-go-826706007b8e).

Any help appreciated!

UPDATE:
After correcting the proxy settings in /etc/systemd/system/docker.service.d/http-proxy.conf (use http not https protocol for both env vars) to:

[Service]
Environment="HTTP_PROXY=http://127.0.0.1:7890/"
Environment="HTTPS_PROXY=http://127.0.0.1:7890/"

I am able to run the first step of pulling the base image. However, the subsequent yum update -y step fails:

FROM public.ecr.aws/lambda/python:3.11
ARG DEBIAN_FRONTEND=noninteractive
RUN yum update -y
RUN yum install -y curl pip nano
RUN yum clean -y all

It produces the following:

#6 [ 2/14] RUN yum update -y
#6 0.235 Loaded plugins: ovl
#6 0.253 Could not retrieve mirrorlist http://amazonlinux.default.amazonaws.com/2/core/latest/x86_64/mirror.list error was
#6 0.253 14: curl#7 - "Failed to connect to 127.0.0.1 port 7890 after 0 ms: Couldn't connect to server"

It seems the docker build process is still struggling to reach out through the VPN.


Answers


  1. Chosen as BEST ANSWER

    The solution is to specify the proxy in the build command, as well as the --network flag:

    docker build --network="host" --build-arg="https_proxy=http://127.0.0.1:7890" --progress=plain --platform="linux/x86_64" --no-cache -t projects/my-project . -f projects/my-project/Dockerfile
    

  2. You can also just pull the image, and docker will use it as a cached image if you just want to test locally:

    docker pull public.ecr.aws/lambda/python:3.11
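
The two proxy pitfalls in this thread (an https:// scheme on the daemon's HTTPS_PROXY, and a loopback proxy address that build containers cannot reach without host networking) can be checked mechanically. The following lint is an added example, not part of the original question or answers; the function name and the output codes TLS_TO_PROXY and LOOPBACK_PROXY are hypothetical, and it assumes one assignment per Environment= line.

```shell
#!/bin/sh
# Added example: lint a dockerd systemd proxy drop-in read from stdin.
# Output codes (TLS_TO_PROXY, LOOPBACK_PROXY) are names made up for this sketch.
# Handles one assignment per Environment= line, quoted or unquoted.
check_proxy_dropin() {
    while IFS= read -r line; do
        case $line in
            Environment=*) ;;            # skips comments, [Service], blank lines
            *) continue ;;
        esac
        kv=${line#Environment=}
        kv=${kv#\"}; kv=${kv%\"}
        name=${kv%%=*}
        url=${kv#*=}
        case $name in
            HTTP_PROXY|HTTPS_PROXY|http_proxy|https_proxy) ;;
            *) continue ;;
        esac
        case $url in
            *://*) scheme=${url%%://*}; rest=${url#*://} ;;
            *)     scheme=; rest=$url ;;
        esac
        case $rest in
            \[*) host=${rest#\[}; host=${host%%\]*} ;;   # bracketed IPv6, e.g. [::1]:7890
            *)   host=${rest%%[/:]*} ;;
        esac
        # https:// here means "speak TLS to the proxy", not "proxy HTTPS traffic".
        # A plain HTTP proxy port drops that handshake (proxyconnect tcp: EOF).
        [ "$scheme" = https ] && echo "TLS_TO_PROXY $name"
        # Loopback works for dockerd on the host, but inside a build container
        # it is the container's own loopback unless --network=host is used.
        case $host in
            127.*|localhost|::1) echo "LOOPBACK_PROXY $name $host" ;;
        esac
    done
    return 0
}

# Sample input: the drop-in from the question, before the fix.
check_proxy_dropin <<'EOF'
[Service]
Environment="HTTP_PROXY=http://127.0.0.1:7890/"
Environment="HTTPS_PROXY=https://127.0.0.1:7890/"
EOF
```

To check a real host, feed it the drop-in directly: `check_proxy_dropin < /etc/systemd/system/docker.service.d/http-proxy.conf`.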
