Docker Desktop (MacOS) loses network connectivity after reboot

Open nlambeth opened this issue 1 year ago • 21 comments

Description

I am on a MacBook Air running Sequoia 15.0.

On a fresh install of Docker Desktop, everything functions normally: I can sign in via the desktop app, I can successfully run docker run hello-world and successfully pull the image, and minikube works as expected.

After a reboot, Docker can no longer reach the necessary network endpoints.

  • I cannot sign in via the desktop app (the web sign-in works fine, but once handed off to the app it shows "Processing login data..." for a bit and then fails to log in).
  • I cannot run docker run hello-world and receive this error message: docker: Error response from daemon: failed to resolve reference "docker.io/library/hello-world:latest": failed to do request: Head "https://registry-1.docker.io/v2/library/hello-world/manifests/latest": dialing registry-1.docker.io:443 container via direct connection because has no HTTPS proxy: connecting to registry-1.docker.io:443: dial tcp: lookup registry-1.docker.io: no such host. See 'docker run --help'.
  • minikube builds cannot pull images from Docker Hub or elsewhere, and I'm told I need to configure a proxy.

Reproduce

  1. Do a fresh install of Docker Desktop on a Mac running MacOS 15.0
  2. Test signing into the app (success) and docker run hello-world (success)
  3. Reboot the machine
  4. Test signing into the app (fails) and docker run hello-world (fails)

Expected behavior

After rebooting the machine, Docker Desktop should be able to connect to the network as it did before the reboot.

Performing a fresh reinstall every time I need Docker to have network connectivity is untenable.

docker version

Client:
 Version:           27.2.0
 API version:       1.47
 Go version:        go1.21.13
 Git commit:        3ab4256
 Built:             Tue Aug 27 14:14:45 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.34.2 (167172)
 Engine:
  Version:          27.2.0
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.21.13
  Git commit:       3ab5c7d
  Built:            Tue Aug 27 14:15:41 2024
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.7.20
  GitCommit:        8fc6bcff51318944179630522a095cc9dbf9f353
 runc:
  Version:          1.1.13
  GitCommit:        v1.1.13-0-g58aa920
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    27.2.0
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.16.2-desktop.1
    Path:     /Users/nate/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.29.2-desktop.2
    Path:     /Users/nate/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.34
    Path:     /Users/nate/.docker/cli-plugins/docker-debug
  desktop: Docker Desktop commands (Alpha) (Docker Inc.)
    Version:  v0.0.15
    Path:     /Users/nate/.docker/cli-plugins/docker-desktop
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     /Users/nate/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.25
    Path:     /Users/nate/.docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.5
    Path:     /Users/nate/.docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.3.0
    Path:     /Users/nate/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/nate/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.13.0
    Path:     /Users/nate/.docker/cli-plugins/docker-scout

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 27.2.0
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8fc6bcff51318944179630522a095cc9dbf9f353
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.10.4-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 8
 Total Memory: 7.655GiB
 Name: docker-desktop
 ID: 52b0bb11-7286-435c-a7d6-01d05c3b1f1d
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///Users/nate/Library/Containers/com.docker.docker/Data/docker-cli.sock
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile

Diagnostics ID

B6E4F571-74EE-492C-ABA8-BDB16CA63D48/20240925223101

Additional Info

No response

nlambeth avatar Sep 25 '24 22:09 nlambeth

Having the same issue. I would appreciate it if somebody would post any ideas to work around it. For me it happened that "docker logout", then "docker login" helped, but after some time even this WA does not work anymore.

PetrusHahol avatar Sep 26 '24 10:09 PetrusHahol

I'm seeing the same error all of a sudden after updating & rebooting, but when I try to build an image.

FROM circleci/runner-agent:machine-3.0.23-6196-60af6d5
SHELL ["/bin/bash", "-c"]

RUN sudo apt-get update -qq
RUN sudo apt-get install -yqq ssh git sudo curl wget npm

RUN sudo npm install -g n && sudo n x.y.z && sudo n prune
RUN whoami | xargs -I {} sudo chown -R {} /usr/local/bin /usr/local/lib /usr/local/include /usr/local/share
RUN sudo npm install -g yarn

docker build -t cypressio/circleci-runner:foo -f Dockerfile.circleci-runner .
[+] Building 14.6s (2/2) FINISHED                                                                                                                                                                  docker:desktop-linux
 => [internal] load build definition from Dockerfile.circleci-runner                                                                                                                                               0.0s
 => => transferring dockerfile: 479B                                                                                                                                                                               0.0s
 => ERROR [internal] load metadata for docker.io/circleci/runner-agent:machine-3.0.23-6196-60af6d5                                                                                                                14.6s
------
 > [internal] load metadata for docker.io/circleci/runner-agent:machine-3.0.23-6196-60af6d5:
------
Dockerfile.circleci-runner:1
--------------------
   1 | >>> FROM circleci/runner-agent:machine-3.0.23-6196-60af6d5
   2 |     SHELL ["/bin/bash", "-c"]
   3 |     
--------------------
ERROR: failed to solve: circleci/runner-agent:machine-3.0.23-6196-60af6d5: failed to resolve source metadata for docker.io/circleci/runner-agent:machine-3.0.23-6196-60af6d5: failed to do request: Head "https://registry-1.docker.io/v2/circleci/runner-agent/manifests/machine-3.0.23-6196-60af6d5": dialing registry-1.docker.io:443 container via direct connection because  has no HTTPS proxy: connecting to registry-1.docker.io:443: dial tcp: lookup registry-1.docker.io: no such host

It happened right after I updated to Sequoia, because I rebooted again right after the update finished for an unrelated issue. I strongly suspect the Sequoia update because I also heard there have been some specifically networking bugs in Sequoia causing other weird issues with VPNs and anti-virus software, so Docker Desktop may be part of the collateral damage in that.

nalandial avatar Sep 26 '24 13:09 nalandial

Same error:

docker image pull artifactory.jankbyte.local/docker-registry-1-proxy-repo/swaggerapi/swagger-ui:v5.17.14

Response:

Error response from daemon: failed to resolve reference "artifactory.jankbyte.local/docker-registry-1-proxy-repo/swaggerapi/swagger-ui:v5.17.14": failed to do request: Head "https://artifactory.jankbyte.local/v2/docker-registry-1-proxy-repo/swaggerapi/swagger-ui/manifests/v5.17.14": dialing artifactory.jankbyte.local:443 container via direct connection because  has no HTTPS proxy: connecting to artifactory.jankbyte.local:443: dial tcp 192.168.1.103:443: connect: no route to host

That works perfectly for external images (from Docker Hub), but my custom repository is broken :/ (I tried writing the repository in /etc/hosts, but it's still not working)

Jankbyte avatar Sep 27 '24 13:09 Jankbyte

I've been having this same issue. For me, I can't reach any websites using a Python script with the requests module (which works perfectly fine when run outside of Docker).

The following Docker command, and basically anything requiring a connection to the internet, fails:

RUN apt-get update && apt-get install -y ca-certificates && update-ca-certificates

As for the scraper in Python, I first thought it was something with my Python environment before coming across this issue where I realised it could very well be an issue of Docker with MacOS Sequoia.

The error in Python when using the requests.get() method:

ConnectionError: HTTPSConnectionPool(host='website.com', port=443): Max retries exceeded with url: exampleurl (Caused by NameResolutionError("<urllib3.connection.HTTPSConnection object at 0xffff940b5b50>: Failed to resolve 'website.com' ([Errno -3] Temporary failure in name resolution)"))

When trying to pip install pyOpenSSL, I get this:

ERROR: Could not install packages due to an OSError: HTTPSConnectionPool(host='files.pythonhosted.org', port=443): Max retries exceeded with url: /packages/d9/dd/e0aa7ebef5168c75b772eda64978c597a9129b46be17779054652a7999e4/pyOpenSSL-24.2.1-py3-none-any.whl.metadata (Caused by NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0xffffb15794c0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))

mattpabi avatar Sep 29 '24 03:09 mattpabi

I am also having the same issue with the following observations

Pre-Requisites

  • Mac is running Sequoia
  • Docker Desktop is on latest version
  • Allowed local network permissions on Sequoia using System Preferences

Observations:

  • Connectivity within docker is broken (i.e. Git on Dev Container)
  • Docker CLI fails to pull images
dialing registry-1.docker.io:443 container via direct connection because has no HTTPS proxy: connecting to registry-1.docker.io:443: dial tcp: lookup registry-1.docker.io: no such host

Curious Observations:

  • Same version on an older macOS build (Sonoma and Ventura) is fine
  • Doesn't matter if VPN is enabled or not
  • Doesn't matter if iCloud Private Relay is Enabled or Not
  • Fresh installation and first run-time it works, but subsequent reboots, it stops working (this is untenable for serious work).

FrancisVillarba avatar Sep 30 '24 01:09 FrancisVillarba

Hey, Sequoia introduced changes in its firewall: https://developer.apple.com/documentation/macos-release-notes/macos-15-release-notes#Application-Firewall

What you can do is add Docker Desktop to the allow list in the firewall using this command: /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Docker.app

Does it solve your issue?

jpbriend avatar Oct 01 '24 15:10 jpbriend

@jpbriend I am on a managed Mac, so I do not have the permissions to modify firewall rules via the command line or GUI. I will ask my organization about adding/allowing this change and report back when/if able.

nlambeth avatar Oct 01 '24 17:10 nlambeth

Hey, I had the same problem. After the update to macOS Sequoia 15.0 I couldn't build any images. But when I disable the firewall via system settings it works. A dirty workaround.

theoneandonlyseb avatar Oct 02 '24 07:10 theoneandonlyseb

@theoneandonlyseb have you tried to add Docker.app to the firewall rules? /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Docker.app

jpbriend avatar Oct 02 '24 07:10 jpbriend

@jpbriend yes, sadly no difference. The problem occurred like before.

theoneandonlyseb avatar Oct 02 '24 07:10 theoneandonlyseb

Sadly, no difference for me either, as Docker was showing up as an entry "com.docker.docker" instead of the /Applications/Docker.app path. Adding the duplicate entry still results in a non-working Docker.

The CLI mentions [--add [path]] which means it expects a file path, so not sure how "com.docker.docker" was allowed when it isn't a path 😅

So, removing it via --remove [path], i.e. --remove /Applications/Docker.app (or --remove "com.docker.docker") does nothing and it remains.

This points to a MacOS 15 Sequoia Bug 100%

Fun fact, the new preference for firewall is stored in /usr/libexec/ApplicationFirewall/com.apple.alf.plist but it doesn't appear to be modifiable even in single user SIP disabled mode.

This is probably worse for people with MDM and those who run in non-privileged accounts where they wouldn't even have access to these 🤯

FrancisVillarba avatar Oct 03 '24 00:10 FrancisVillarba

I updated to Sequoia and now I get apt-get timeouts, which seems to be the same thing, and I can't build anymore...

37.47 E: Failed to fetch http://deb.debian.org/debian/pool/main/g/glibc/locales_2.31-13%2Bdeb11u11_all.deb Connection timed out [IP: 151.101.110.132 80]
37.47 E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

I thought the cause was that Sequoia's HTTP access was slowing down, so I was able to work around it by adding the following settings. For your reference:

RUN /bin/echo -e "Acquire::http::Timeout \"300\";\n\
Acquire::ftp::Timeout \"300\";" >> /etc/apt/apt.conf.d/99timeout

kaz3284 avatar Oct 03 '24 07:10 kaz3284

I did try /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Docker.app with NO luck. The only way was to completely disable the firewall, then the containers start without any issues. So it seems that we just don't know exactly what service is blocked.

proadoo avatar Oct 05 '24 17:10 proadoo

@theoneandonlyseb have you tried to add Docker.app to the firewall rules? /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Docker.app

It did work for me :)

kadirisani avatar Oct 05 '24 21:10 kadirisani

I recently received the macOS Sequoia 15.0.1 update, and I believe that update resolved the issue. I can no longer recreate the failures in my original issue post.

nlambeth avatar Oct 08 '24 12:10 nlambeth

I recently received the macOS Sequoia 15.0.1 update, and I believe that update resolved the issue. I can no longer recreate the failures in my original issue post.

I can confirm that updating macOS fixes my issue.

mattpabi avatar Oct 11 '24 12:10 mattpabi

I'm sorry, but if anything, 15.0.1 made everything worse, at least for me.

  • Firewall, even though deactivated, keeps reappearing, and
  • even a clean install of Docker doesn't help with my issues.

Currently, Docker (4.34.3) is not usable for me on 15.0.1 (and I'm not blaming Docker for it). Mind you, my Mac is company-configured ...

rswebdev avatar Oct 21 '24 18:10 rswebdev

I'm using Sequoia 15.0.1 and encountered a similar error when connecting to a private registry:

dialing registry.local:5050 container via direct connection because has no HTTPS proxy: connecting to registry.local:5050: dial tcp: lookup registry.local: no such host

Interestingly, it works without issues when connecting to public registries like Docker Hub.

I tried adding a DNS server to the Docker daemon configuration file, but that didn’t resolve the issue. However, adding the entry directly in /etc/hosts solved it for me. 🤷‍♂️

melmou avatar Oct 30 '24 15:10 melmou

Also facing this problem on macOS Sequoia 15.1 when logging in to a private v2 registry.

Login did not succeed, error: Error response from daemon: Get "https://private-repo/v2/": dialing private-repo:443 container via direct connection because has no HTTPS proxy: connecting to private-repo:443: dial tcp private-repo-ip:443: connect: no route to host

It was working fine on 14.7 before the upgrade.

roqueeee avatar Nov 10 '24 16:11 roqueeee
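
The errors quoted in the comments above fail at two different stages: some never resolve the registry name (`lookup ...: no such host`), while others resolve it and then cannot reach the address (`connect: no route to host`). The Python sketch below is an added example, not part of any comment and not Docker's code; `classify` and `DialFailure` are hypothetical names, and the pattern is inferred only from the messages quoted in this thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Shape of the dial error quoted in this thread (inferred from those quotes only):
#   connecting to HOST:PORT: dial tcp[ ADDR:PORT]: REASON
DIAL_RE = re.compile(
    r"connecting to (?P<host>[^\s:]+):(?P<port>\d+): "
    r"dial tcp(?: (?P<addr>\S+?):\d+)?: (?P<reason>.+)$"
)

@dataclass
class DialFailure:
    host: str
    port: int
    stage: str                # "dns", "connect" or "other"
    ip: Optional[str]         # resolved address, None if absent or redacted
    private: Optional[bool]   # True when ip is in a private range

def classify(message: str) -> Optional[DialFailure]:
    """Return where a quoted dial error failed, or None for any other line."""
    m = DIAL_RE.search(message.strip())
    if m is None:
        return None
    reason, ip, private = m.group("reason"), m.group("addr"), None
    if reason.startswith("lookup ") and "no such host" in reason:
        stage = "dns"        # the name never resolved
    elif reason.startswith("connect:"):
        stage = "connect"    # the name resolved, the TCP connection failed
    else:
        stage = "other"
    if ip is not None:
        try:
            private = ipaddress.ip_address(ip.strip("[]")).is_private
        except ValueError:
            ip = None        # placeholder such as "private-repo-ip"
    return DialFailure(m.group("host"), int(m.group("port")), stage, ip, private)

# Messages quoted in the comments above, trimmed to start at "connecting to".
SAMPLES = [
    "connecting to registry-1.docker.io:443: dial tcp: lookup registry-1.docker.io: no such host",
    "connecting to artifactory.jankbyte.local:443: dial tcp 192.168.1.103:443: connect: no route to host",
    "connecting to private-repo:443: dial tcp private-repo-ip:443: connect: no route to host",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line))
```

A `dns` result matches the failures in the original report, while a `connect` result with a private address matches the private-registry reports, where the name resolved but the host on the local network was unreachable.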

I updated to macOS Sequoia 15.2 and had the same issue when trying to reach a private registry in my company network. In my case, Docker was actually trying to access the registry through the local network.

So I went to Settings -> Privacy and Security -> Local Network and switched Docker to enabled.

tomazn avatar Jan 28 '25 08:01 tomazn

I encountered a similar issue where Docker Desktop loses network connectivity after a reboot. A workaround that worked for me was to reset the Docker network settings:

rm -rf ~/Library/Group\ Containers/group.com.docker
sudo ifconfig en0 down && sudo ifconfig en0 up

This reinitializes the network configuration and restores connectivity.

Would be great if others could test and confirm!

ShivangiShaliniJames avatar Mar 12 '25 17:03 ShivangiShaliniJames

I updated to macOS Sequoia 15.2 and had the same issue when trying to reach a private registry in my company network. In my case, Docker was actually trying to access the registry through the local network.

So I went to Settings -> Privacy and Security -> Local Network and switched Docker to enabled.

I don't see Docker under local network in privacy and security. I do see Chrome. I'm on Sequoia 15.2 and docker desktop 4.40 (downloaded today). Firewall off doesn't help. Can't do hello world.

kerog777 avatar Apr 07 '25 23:04 kerog777

Turns out it was just waiting for me to verify my identity via email. When I clicked on the email link from Docker, it worked...

kerog777 avatar Apr 07 '25 23:04 kerog777