docker
network_error
ai_generated
partial
守护进程响应错误:Get https://registry-1.docker.io/v2/:net/http:TLS 握手超时
Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: TLS handshake timeout
ID: docker/tls-handshake-timeout
75%修复率
88%置信度
1证据数
2023-09-05首次发现
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| Docker 20.10.0 | active | — | — | — |
| Docker 24.0.0 | active | — | — | — |
| Docker 25.0.0 | active | — | — | — |
| Docker CE 26.0.0 | active | — | — | — |
根因分析
Docker 守护进程无法与 Docker Hub 注册表建立 TLS 连接,原因是网络延迟、防火墙阻止或 DNS 解析问题。
English
The Docker daemon cannot establish a TLS connection to the Docker Hub registry due to network latency, firewall blocks, or DNS resolution issues.
官方文档
https://docs.docker.com/engine/reference/commandline/pull/解决方案
-
Configure Docker daemon to use a mirror registry by editing /etc/docker/daemon.json: add '{"registry-mirrors": ["https://mirror.gcr.io"]}' and restart Docker. Then pull the image again. -
Increase TLS handshake timeout by setting environment variable: 'export DOCKER_CLIENT_TIMEOUT=120' and 'export COMPOSE_HTTP_TIMEOUT=120' before running docker commands.
-
Check and update DNS settings: add '8.8.8.8' to /etc/resolv.conf or use systemd-resolved: 'sudo resolvectl dns docker0 8.8.8.8'.
无效尝试
常见但无效的做法:
-
60% 失败
Setting HTTP_PROXY without HTTPS_PROXY in daemon.json does not affect TLS connections; the timeout persists.
-
70% 失败
Flushing DNS cache (e.g., 'sudo systemctl restart systemd-resolved') rarely resolves the issue if the root cause is network congestion or firewall rules.