can't login to docker hub. Empty Response #2373

Open
3 tasks
hemna opened this issue Mar 6, 2024 · 3 comments

hemna commented Mar 6, 2024

I'm trying to log in and/or docker pull an image. Both are failing with no data coming back from registry-1.docker.io/v2.

└─> wget https://registry-1.docker.io/v2/
--2024-03-06 17:35:29--  https://registry-1.docker.io/v2/
Resolving registry-1.docker.io (registry-1.docker.io)... 54.196.99.49, 34.226.69.105, 3.219.239.5
Connecting to registry-1.docker.io (registry-1.docker.io)|54.196.99.49|:443... connected.
HTTP request sent, awaiting response... No data received.
Retrying.
└─> curl https://registry-1.docker.io/v2/ && echo Works || echo Problem
curl: (52) Empty reply from server
Problem
└─> cat docker-passwd.txt | docker login --username hemna6969 --password-stdin
Error response from daemon: Get "https://registry-1.docker.io/v2/": EOF

I have no HTTP proxy. I have restarted the docker daemon.
My DNS setting is set to 8.8.8.8 and I can connect to any other sites on the net just fine.

I can telnet to port 443 of the registry and I get no data.

└─> telnet registry-1.docker.io 443
Trying 54.196.99.49...
Connected to registry-1.docker.io.
Escape character is '^]'.
GET / HTTP/1.1

^]
telnet> quit
Connection closed.
└─> host registry-1.docker.io
registry-1.docker.io has address 54.196.99.49
registry-1.docker.io has address 34.226.69.105
registry-1.docker.io has address 3.219.239.5
╭─root in ~ ❯
└─> telnet 34.226.69.105 443
Trying 34.226.69.105...
Connected to 34.226.69.105.
Escape character is '^]'.
GET / HTTP/1.0

^]
telnet> quit
Connection closed.
╭─root in ~ took 7s ❯
└─> telnet 3.219.239.5 443
Trying 3.219.239.5...
Connected to 3.219.239.5.
Escape character is '^]'.
GET / HTTP/1.0

^]
telnet> quit
Connection closed.

I understand that's an SSL port and doing a standard HTTP get isn't going to work, but I would expect some data.

Problem description

docker info output

Docker Info:

└─> docker info
Client: Docker Engine - Community
 Version:    25.0.3
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.12.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.24.6
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 10
  Running: 9
  Paused: 0
  Stopped: 1
 Images: 11
 Server Version: 25.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.15.0-97-generic
 Operating System: Ubuntu 22.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 24
 Total Memory: 118GiB
 Name: dl360-1
 ID: 49f3976c-b8ab-4130-b2d4-351831967b98
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 105
  Goroutines: 142
  System Time: 2024-03-06T17:47:10.557635755-05:00
  EventsListeners: 3
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: API is accessible on http://0.0.0.0:2376 without encryption.
         Access to the remote API is equivalent to root access on the host. Refer
         to the 'Docker daemon attack surface' section in the documentation for
         more information: https://docs.docker.com/go/attack-surface/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Debug Information

Browser name and version:

URL:

Timestamp or time range:
EST

Public IP:

Hub Username:

Error messages (on screen or in browser console)

Screenshots of the issue (if applicable)

Task List

  • This is NOT a security issue
  • I do NOT have a Docker subscription
  • I have looked through other issues and they do NOT apply to me

jcarter3 commented Mar 7, 2024

Per the spec, hitting registry-1.docker.io/v2 will always return a 401 response with headers indicating how to obtain an authorization token. It will redirect you to auth.docker.io/token in order to retrieve the token. See this blog post

Do you get a 401 response on these endpoints?
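
The check described in the comment above, as an added example that is not part of the thread or of Docker's code: it classifies the raw bytes read back from `GET /v2/` after the TLS handshake and, for the expected 401, parses the `WWW-Authenticate` Bearer challenge into the token URL. The function names are hypothetical, and the sample reply (including the `service` value) is constructed for illustration.

```python
import re
from urllib.parse import urlencode

# Constructed sample of a healthy /v2/ reply (header values are illustrative).
SAMPLE_HEALTHY = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Bearer realm="https://auth.docker.io/token",'
    b'service="registry.docker.io"\r\n'
    b"\r\n"
)
_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(value):
    """Return the key="value" pairs of a Bearer challenge, or None."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    return dict(_PARAM.findall(rest))


def token_url(challenge, scope=None):
    """Build the token-service URL that the challenge points the client at."""
    if not challenge["realm"].startswith("https://"):
        raise ValueError("refusing to request a token over a non-HTTPS realm")
    params = {k: v for k, v in challenge.items() if k != "realm"}
    if scope:
        params["scope"] = scope
    return challenge["realm"] + ("?" + urlencode(params) if params else "")


def classify_v2_probe(raw):
    """Classify the bytes read back from GET /v2/ once TLS is established."""
    if not raw:
        return ("empty-reply", None)  # what curl reports as error 52
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return ("not-http", None)
    headers = {}
    for line in lines[1:]:
        name, sep, val = line.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    challenge = parse_bearer_challenge(headers.get("www-authenticate", ""))
    if parts[1] == "401" and challenge and "realm" in challenge:
        return ("healthy", token_url(challenge))
    return ("unexpected-status-" + parts[1], None)
```

An `empty-reply` result after a completed TLS handshake means the connection was closed before any HTTP status line arrived, so the registry's authentication step was never reached.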


hemna commented Mar 7, 2024

No, I'm not getting a 401 response. I'm literally getting nothing as a response. See the verbose curl output below.

Hitting the endpoint with curl, I get this.

└─> curl -v https://registry-1.docker.io/v2
*   Trying 54.196.99.49:443...
* Connected to registry-1.docker.io (54.196.99.49) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.docker.com
*  start date: Oct  2 00:00:00 2023 GMT
*  expire date: Oct 31 23:59:59 2024 GMT
*  subjectAltName: host "registry-1.docker.io" matched cert's "*.docker.io"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /v2 HTTP/1.1
> Host: registry-1.docker.io
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS alert, close notify (256):
* Empty reply from server
* Closing connection 0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (52) Empty reply from server
└─> curl -I -L https://registry-1.docker.io/v2
curl: (52) Empty reply from server


jcarter3 commented Mar 7, 2024

🤔 I'm unable to replicate this on any other system. Is this on any sort of VPN or work network, firewall, etc.? (I know you said no proxy, just trying to get the full picture.)
