Docker Desktop (MacOS) loses network connectivity after reboot

nlambeth commented 1 month ago

Description

I am on a MacBook Air running Sequoia 15.0.

On a fresh install of Docker Desktop, everything functions normally: I can sign in via the desktop app, I can successfully run docker run hello-world and successfully pull the image, and minikube works as expected.

After a reboot, Docker can no longer reach the necessary network endpoints.

I cannot sign in via the desktop app (the web sign-in works fine, but once handed off to the app it shows "Processing login data..." for a bit and then fails to login.
I cannot run docker run hello-world and receive this error message: docker: Error response from daemon: failed to resolve reference "docker.io/library/hello-world:latest": failed to do request: Head "https://registry-1.docker.io/v2/library/hello-world/manifests/latest": dialing registry-1.docker.io:443 container via direct connection because has no HTTPS proxy: connecting to registry-1.docker.io:443: dial tcp: lookup registry-1.docker.io: no such host. See 'docker run --help'.
minikube builds cannot pull images from Docker Hub or elsewhere, and I'm told I need to configure a proxy.

Reproduce

Do a fresh install of Docker Desktop on a Mac running MacOS 15.0
Test signing into the app (success) and docker run hello-world (success)
Reboot the machine
Test signing into the app (fails) and docker run hello-world (fails)

Expected behavior

After rebooting the machine, Docker Desktop should be able to connect to the network as it did before the reboot.

Performing a fresh reinstall every time I need Docker to have network connectivity is untenable.

docker version

Client:
 Version:           27.2.0
 API version:       1.47
 Go version:        go1.21.13
 Git commit:        3ab4256
 Built:             Tue Aug 27 14:14:45 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.34.2 (167172)
 Engine:
  Version:          27.2.0
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.21.13
  Git commit:       3ab5c7d
  Built:            Tue Aug 27 14:15:41 2024
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.7.20
  GitCommit:        8fc6bcff51318944179630522a095cc9dbf9f353
 runc:
  Version:          1.1.13
  GitCommit:        v1.1.13-0-g58aa920
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    27.2.0
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.16.2-desktop.1
    Path:     /Users/nate/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.29.2-desktop.2
    Path:     /Users/nate/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.34
    Path:     /Users/nate/.docker/cli-plugins/docker-debug
  desktop: Docker Desktop commands (Alpha) (Docker Inc.)
    Version:  v0.0.15
    Path:     /Users/nate/.docker/cli-plugins/docker-desktop
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     /Users/nate/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.25
    Path:     /Users/nate/.docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.5
    Path:     /Users/nate/.docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.3.0
    Path:     /Users/nate/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/nate/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.13.0
    Path:     /Users/nate/.docker/cli-plugins/docker-scout

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 27.2.0
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8fc6bcff51318944179630522a095cc9dbf9f353
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.10.4-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 8
 Total Memory: 7.655GiB
 Name: docker-desktop
 ID: 52b0bb11-7286-435c-a7d6-01d05c3b1f1d
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///Users/nate/Library/Containers/com.docker.docker/Data/docker-cli.sock
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile

Diagnostics ID

B6E4F571-74EE-492C-ABA8-BDB16CA63D48/20240925223101

Additional Info

No response

PetrusHahol commented 1 month ago

Having the same issue, I would appricate if somebody would post any ideas to work it arround. For me it happened that "docker logout", then "docker login" helped, but after some time even this WA does not work anymore.

nalandial commented 1 month ago

I'm seeing the same error all of the sudden after updating & rebooting, but when I try to build an image.

FROM circleci/runner-agent:machine-3.0.23-6196-60af6d5
SHELL ["/bin/bash", "-c"]

RUN sudo apt-get update -qq
RUN sudo apt-get install -yqq ssh git sudo curl wget npm

RUN sudo npm install -g n && sudo n x.y.z && sudo n prune
RUN whoami | xargs -I {} sudo chown -R {} /usr/local/bin /usr/local/lib /usr/local/include /usr/local/share
RUN sudo npm install -g yarn

build -t cypressio/circleci-runner:foo -f Dockerfile.circleci-runner .

[+] Building 14.6s (2/2) FINISHED                                                                                                                                                                  docker:desktop-linux
 => [internal] load build definition from Dockerfile.circleci-runner                                                                                                                                               0.0s
 => => transferring dockerfile: 479B                                                                                                                                                                               0.0s
 => ERROR [internal] load metadata for docker.io/circleci/runner-agent:machine-3.0.23-6196-60af6d5                                                                                                                14.6s
------
 > [internal] load metadata for docker.io/circleci/runner-agent:machine-3.0.23-6196-60af6d5:
------
Dockerfile.circleci-runner:1
--------------------
   1 | >>> FROM circleci/runner-agent:machine-3.0.23-6196-60af6d5
   2 |     SHELL ["/bin/bash", "-c"]
   3 |     
--------------------
ERROR: failed to solve: circleci/runner-agent:machine-3.0.23-6196-60af6d5: failed to resolve source metadata for docker.io/circleci/runner-agent:machine-3.0.23-6196-60af6d5: failed to do request: Head "https://registry-1.docker.io/v2/circleci/runner-agent/manifests/machine-3.0.23-6196-60af6d5": dialing registry-1.docker.io:443 container via direct connection because  has no HTTPS proxy: connecting to registry-1.docker.io:443: dial tcp: lookup registry-1.docker.io: no such host

It happened right after I updated to sequoia, because I rebooted again right after the update finished for an unrelated issue. I strongly suspect the sequoia update because I also heard there have been some specifically networking bugs in sequoia causing other weird issues with VPNs and anti-virus software, so Docker Desktop may be part of the collateral damage in that.

Jankbyte commented 1 month ago

Same error:

docker image pull artifactory.jankbyte.local/docker-registry-1-proxy-repo/swaggerapi/swagger-ui:v5.17.14

Response:

Error response from daemon: failed to resolve reference "artifactory.jankbyte.local/docker-registry-1-proxy-repo/swaggerapi/swagger-ui:v5.17.14": failed to do request: Head "https://artifactory.jankbyte.local/v2/docker-registry-1-proxy-repo/swaggerapi/swagger-ui/manifests/v5.17.14": dialing artifactory.jankbyte.local:443 container via direct connection because  has no HTTPS proxy: connecting to artifactory.jankbyte.local:443: dial tcp 192.168.1.103:443: connect: no route to host

That's works perfect for external images (from dockerhub) but my custom repository broken :/ (i tried write repository in /etc/hosts but still not working)

mattpabi commented 1 month ago

I've been having this same issue. For me, I can't reach any websites using a Python script with the requests module (which works perfectly fine when run outside of Docker).

The following Docker command, and basically anything requiring to connect to the internet, fails

RUN apt-get update && apt-get install -y ca-certificates && update-ca-certificates

As for the scraper in Python, I first thought it was something with my Python environment before coming across this issue where I realised it could very well be an issue of Docker with MacOS Sequoia.

The error in Python when using the requests.get() method:

ConnectionError: HTTPSConnectionPool(host='website.com', port=443): Max retries exceeded with url: exampleurl (Caused by NameResolutionError("<urllib3.connection.HTTPSConnection object at 0xffff940b5b50>: Failed to resolve 'website.com' ([Errno -3] Temporary failure in name resolution)"))

When trying to pip install pyOpenSSL, I get this:

ERROR: Could not install packages due to an OSError: HTTPSConnectionPool(host='files.pythonhosted.org', port=443): Max retries exceeded with url: /packages/d9/dd/e0aa7ebef5168c75b772eda64978c597a9129b46be17779054652a7999e4/pyOpenSSL-24.2.1-py3-none-any.whl.metadata (Caused by NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0xffffb15794c0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))

FrancisVillarba commented 1 month ago

I am also having the same issue with the following observations

Pre-Requisites

Mac is running Sequoia
Docker Desktop is on latest version
Allowed local network permissions on Sequoia using System Preferences

Observations:

Connectivity within docker is broken (i.e. Git on Dev Container)

Docker CLI fails to pull images

dialing registry-1.docker.io:443 container via direct connection because has no HTTPS proxy: connecting to registry-1.docker.io:443: dial tcp: lookup registry-1.docker.io: no such host

Curious Observations:

Same version on an older macOS build (Sonoma and Ventura) is fine
Doesn't matter if VPN is enabled or not
Doesn't matter if iCloud Private Relay is Enabled or Not
Fresh installation and first run-time it works, but subsequent reboots, it stops working (this is untenable for serious work).

jpbriend commented 1 month ago

Hey, Sequoia introduced changes in its firewall: https://developer.apple.com/documentation/macos-release-notes/macos-15-release-notes#Application-Firewall

What you can do is add Docker Desktop to the allow list in the firewall using this command: /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Docker.app

Does it solve your issue?

nlambeth commented 1 month ago

@jpbriend I am on a managed Mac, so I do not have the permissions to modify firewall rules via the command line or GUI. I will ask my organization about adding/allowing this change and report back when/if able.

theoneandonlyseb commented 1 month ago

Hey, I had the same problem. After the update to macOS Sequoia 15.0 I couldn't build any images. But when I disable the firewall via system settings it works. A dirty workaround.

jpbriend commented 1 month ago

@theoneandonlyseb have you tried to add Docker.app to the firewall rules? /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Docker.app

theoneandonlyseb commented 1 month ago

@jpbriend yes, sadly no difference. The problem occurred like before.

FrancisVillarba commented 1 month ago

Sadly, no difference for me either, as Docker was showing up as an entry "com.docker.docker" instead of the /Applications/Docker.app path. Adding the duplicate entry still results in a non-working Docker.

The CLI mentions [--add [path]] which means it expects a file path, so not sure how "com.docker.docker" was allowed when it isn't a path 😅

So, removing it via --remove [path], i.e. --remove /Applications/Docker.app (or --remove "com.docker.docker") does nothing and it remains.

This points to a MacOS 15 Sequoia Bug 100%

Fun fact, the new preference for firewall is stored in /usr/libexec/ApplicationFirewall/com.apple.alf.plist but it doesn't appear to be modifiable even in single user SIP disabled mode.

This is probably worse for people with MDM and those who run in non-privileged accounts where they wouldn't even have access to these 🤯

kaz3284 commented 1 month ago

I updated to sequia and now I get apt get time out which seems to be the same thing and I can't build anymore....

37.47 E: Failed to fetch http://deb.debian.org/debian/pool/main/g/glibc/locales_2.31-13%2Bdeb11u11_all.deb Connection timed out [IP: 151.101 .110.132 80]
37.47 E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

I thought the cause was that sequia's http access was slowing down, so I was able to work around it by adding the following settings. For your reference

RUN /bin/echo -e “Acquire::http::Timeout \”300\”;\n\
Acquire::ftp::Timeout \“300\”;” >> /etc/apt/apt.conf.d/99timeout

proadoo commented 1 month ago

I did try /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Docker.app with NO luck. The only way was to completely disable the firewall, then the containers start without any issues. So it seems that we just don't know exactly what service is blocked.

kadirisani commented 1 month ago

@theoneandonlyseb have you tried to add Docker.app to the firewall rules? /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Docker.app

It did work for me :)

nlambeth commented 1 month ago

I recently received the macOS Sequoia 15.0.1 update, and I believe that update resolved the issue. I can no longer recreate the failures in my original issue post.

mattpabi commented 1 month ago

I recently received the macOS Sequoia 15.0.1 update, and I believe that update resolved the issue. I can no longer recreate the failures in my original issue post.

I can confirm that updating macOS fixes my issue.

rswebdev commented 4 weeks ago

I'm sorry, but if anything, 15.0.1 made everything worse, at least for me.

Firewall, even though deactivated, keeps reappearing, and
even a clean install of Docker doesn't help with my issues.

Currently, Docker (4.34.3) is not usable for me on 15.0.1 (and I'm not blaming Docker for it). Mind my Mac is company configured ...

melmou commented 2 weeks ago

I'm using Sequoia 15.0.1 and encountered a similar error when connecting to a private registry:

dialing registry.local:5050 container via direct connection because has no HTTPS proxy: connecting to registry.local:5050: dial tcp: lookup registry.local: no such host

Interestingly, it works without issues when connecting to public registries like Docker Hub.

I tried adding a DNS server to the Docker daemon configuration file, but that didn’t resolve the issue. However, adding the entry directly in /etc/hosts solved it for me. 🤷‍♂️

roqueeee commented 1 week ago

Also facing this problem on macOS Sequioa 15.1 when logging in to a private v2 registry.

Login did not succeed, error: Error response from daemon: Get "https://private-repo/v2/": dialing private-repo:443 container via direct connection because has no HTTPS proxy: connecting to private-repo:443: dial tcp private-repo-ip:443: connect: no route to host

It was working fine on 14.7 before the upgrade.

docker / for-mac