#cant connect to docker.io
What's the exact error text you get (copy/paste the full docker pull ... output)? The fix depends a lot on whether this is DNS, TCP routing, or TLS/certs.
In the meantime, a quick triage that usually narrows it down in 2 minutes:
1) Confirm it's not just Docker Hub but general outbound HTTPS
Run these and paste the output:
curl -v https://registry-1.docker.io/v2/
nslookup registry-1.docker.io
# or: dig registry-1.docker.io
docker pull hello-world
How to interpret results
- DNS problem (common):
  - Errors like lookup registry-1.docker.io: no such host, SERVFAIL, i/o timeout
  - nslookup fails or returns weird/private DNS results
- Network/routing problem:
  - Errors like dial tcp ...: i/o timeout, no route to host, hangs on connect
  - Often VPN, firewall, captive portal, or broken IPv6
- TLS/cert problem:
  - x509: certificate signed by unknown authority
  - Usually corporate MITM proxy / antivirus HTTPS inspection
2) Two very common gotchas
A) You're behind a proxy / corporate network
If you see TLS MITM (x509) or curl shows a proxy being used, Docker needs proxy config too (Docker Desktop has UI for this; on Linux it's daemon/systemd env). If you paste the error I can point to the right config path for your OS.
B) DNS inside Docker is broken (Linux especially)
If curl works on the host but docker pull fails with DNS-ish errors, it's often Docker using a bad resolver (systemd-resolved / split DNS / VPN DNS).
Tell me your OS (Linux/macOS/Windows/WSL) and:
cat /etc/resolv.conf
(you can redact internal domains/IPs if needed)
3) One question that matters
- What OS + environment is this? (Ubuntu server, WSL2, Docker Desktop on macOS/Windows, inside a VPS, etc.)
- Does https://hub.docker.com load in a browser from the same machine/network?
Paste:
- exact docker pull error
- output of curl -v https://registry-1.docker.io/v2/
- output of nslookup registry-1.docker.io
…and I'll tell you which branch you're in and the shortest fix.
omw sry im a bit over my head overwhelmed XD
im so lost xD my docker says compose app is not running
i think ill delete everything and start from scratch but is the 5th time lol ill run your commands before doing that
That screenshot helps: it's failing during BuildKit image resolution at:
ERROR [internal] load metadata for docker.io/library/node:24-bokworm@sha256:...
Two big things here:
1) Double-check the tag spelling
It looks like 24-bokworm in the error line - the Debian codename is bookworm (with the second "o"):
node:24-bookworm
If it's genuinely spelled bokworm in your Dockerfile, Docker Hub won't have that tag.
2) We still need the real reason line (it's just off-screen)
BuildKit always prints the actual cause right after that line (timeout / DNS / TLS / 401 / rate limit / manifest unknown), but the screenshot cuts it off.
Can you rerun and paste the full text with:
PS C:\cb\openclaw> curl -v https://registry-1.docker.io/v2/
DETALLADO: GET with 0-byte payload
curl : {"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
En línea: 1 Carácter: 1
- curl -v https://registry-1.docker.io/v2/
-
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc eption + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
PS C:\cb\openclaw>
docker build --progress=plain .
And also try this (this isolates "Docker Hub connectivity" from "build problem"):
docker pull node:24-bookworm
Paste the output of both. Once we see whether it's dial tcp, x509, toomanyrequests, manifest unknown, etc., the fix is very different.
PS C:\cb\openclaw> nslookup registry-1.docker.io
Servidor: dns.google
Address: 8.8.8.8
Respuesta no autoritativa:
Nombre: registry-1.docker.io
Addresses: 2600:1f18:2148:bc02:7476:2c28:77c2:ec0d
2600:1f18:2148:bc00:125e:a0f1:61c4:f6f0
2600:1f18:2148:bc01:bf9:b2fb:4045:b7d3
2600:1f18:2148:bc01:c9ad:a3ce:930a:8e77
2600:1f18:2148:bc01:2b24:3a1f:44d3:a277
2600:1f18:2148:bc00:c202:d1e4:df30:d68f
2600:1f18:2148:bc02:ecc8:c72:61e:6603
2600:1f18:2148:bc01:cf97:364b:b223:cead
100.50.179.47
54.147.201.31
34.226.132.191
3.81.188.6
13.216.233.49
52.4.219.51
44.208.12.140
52.2.12.0
PS C:\cb\openclaw>
this is w11 personal home connection no proxy or stuff
No worries - this stuff is weirdly stressful when it fails, and the Docker errors are not friendly.
Let's do one tiny step at a time. You don't need to understand it all - just run the commands and paste the output here.
Step 1 (quick sanity check): is it a typo in your Dockerfile?
Run:
grep -n "FROM node" Dockerfile
Paste what it prints.
(We're specifically checking whether it says bookworm vs bokworm.)
Step 2: can your machine pull that image at all?
Run:
docker pull node:24-bookworm
Paste the output (even if it errors).
Also tell me: are you on Linux / macOS Docker Desktop / Windows / WSL? That changes the most likely fix.
i get error on grep, maybe i dont have what it requires installed?
im using powershell
docker pull node:24-bookworm <- this always gives timeout
im on windows 11
That error is actually before "can't reach docker.io" - it means your local Docker engine isn't running, so Compose can't do anything.
First: what OS are you on?
Quick checks (pick the section that matches)
If you're on macOS / Windows (Docker Desktop)
- Open Docker Desktop
- Wait until it says Engine running (usually bottom-left)
- If it's stuck: Quit Docker Desktop completely and reopen (not just close the window)
Then run and paste:
docker info
If you're on Linux
Run and paste:
docker info
If it says it can't connect to the daemon, then run:
systemctl status docker --no-pager
(If you tell me your distro I'll give the exact "start/enable" command, but let's confirm status first.)
Once docker info works locally, we can go back to the docker.io / image pull issue.
im on windows 11
PS C:\cb\openclaw> docker info
Client:
Version: 29.2.1
Context: desktop-linux
Debug Mode: false
Plugins:
agent: create or run AI agents (Docker Inc.)
Version: v1.27.1
Path: C:\Program Files\Docker\cli-plugins\docker-agent.exe
ai: Docker AI Agent - Ask Gordon (Docker Inc.)
Version: v1.18.0
Path: C:\Program Files\Docker\cli-plugins\docker-ai.exe
buildx: Docker Buildx (Docker Inc.)
Version: v0.31.1-desktop.1
Path: C:\Program Files\Docker\cli-plugins\docker-buildx.exe
compose: Docker Compose (Docker Inc.)
Version: v5.1.0
Path: C:\Program Files\Docker\cli-plugins\docker-compose.exe
debug: Get a shell into any image or container (Docker Inc.)
Version: 0.0.47
Path: C:\Program Files\Docker\cli-plugins\docker-debug.exe
desktop: Docker Desktop commands (Docker Inc.)
Version: v0.3.0
Path: C:\Program Files\Docker\cli-plugins\docker-desktop.exe
extension: Manages Docker extensions (Docker Inc.)
Version: v0.2.31
Path: C:\Program Files\Docker\cli-plugins\docker-extension.exe
init: Creates Docker-related starter files for your project (Docker Inc.)
Version: v1.4.0
Path: C:\Program Files\Docker\cli-plugins\docker-init.exe
mcp: Docker MCP Plugin (Docker Inc.)
Version: v0.40.2
Path: C:\Program Files\Docker\cli-plugins\docker-mcp.exe
model: Docker Model Runner (Docker Inc.)
Version: v1.1.5
Path: C:\Program Files\Docker\cli-plugins\docker-model.exe
offload: Docker Offload (Docker Inc.)
Version: v0.5.56
Path: C:\Program Files\Docker\cli-plugins\docker-offload.exe
pass: Docker Pass Secrets Manager Plugin (beta) (Docker Inc.)
Version: v0.0.24
Path: C:\Program Files\Docker\cli-plugins\docker-pass.exe
sandbox: Docker Sandbox (Docker Inc.)
Version: v0.12.0
Path: C:\Program Files\Docker\cli-plugins\docker-sandbox.exe
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
Version: 0.6.0
Path: C:\Program Files\Docker\cli-plugins\docker-sbom.exe
scout: Docker Scout (Docker Inc.)
Version: v1.20.0
Path: C:\Program Files\Docker\cli-plugins\docker-scout.exe
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 1
Server Version: 29.2.1
Storage Driver: overlayfs
driver-type: io.containerd.snapshotter.v1
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
CDI spec directories:
/etc/cdi
/var/run/cdi
Discovered Devices:
cdi: docker.com/gpu=webgpu
Swarm: inactive
Runtimes: nvidia runc io.containerd.runc.v2
Default Runtime: runc
Init Binary: docker-init
containerd version: dea7da592f5d1d2b7755e3a161be07f43fad8f75
runc version: v1.3.4-0-gd6d73eb8
init version: de40ad0
Security Options:
seccomp
Profile: builtin
Kernel Version: 5.15.153.1-microsoft-standard-WSL2
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.18GiB
Name: docker-desktop
ID: 880a3eb6-57e2-404a-8821-303822ddef67
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal
Labels:
com.docker.desktop.address=npipe://\.\pipe\docker_cli
Experimental: false
Insecure Registries:
hubproxy.docker.internal:5555
127.0.0.0/8
::1/128
Live Restore Enabled: false
Firewall Backend: iptables
WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
WARNING: Support for cgroup v1 is deprecated and planned to be removed by no later than May 2029 (https://github.com/moby/moby/issues/51111)
Yeah - don't nuke it yet. Reinstalls rarely fix this kind of thing, and it's super easy to end up in the same state again.
Run these two and paste the output (screenshots are fine too):
docker version
docker info
Also tell me your OS (macOS/Windows/Linux + if it's Docker Desktop).
What I'm looking for is basically:
- does it say "Cannot connect to the Docker daemon" (engine not running / wrong context)
- or does it connect fine locally and only fails when pulling from docker.io (network/DNS/proxy)
Once we know which one it is, the fix is usually quick.
Nice - that output actually tells us something important:
UNAUTHORIZED from https://registry-1.docker.io/v2/ is expected
Docker Hub's registry answers 401 to anonymous requests as part of the normal auth handshake. PowerShell's curl (aka Invoke-WebRequest) treats any 401 as an error, but network/DNS/TLS are working.
So the issue is likely Docker Desktop/engine mode or platform mismatch, not "can't reach docker.io".
Next 2 commands (Windows-friendly)
Please run these and paste output:
docker info --format "OSType={{.OSType}} OS={{.OperatingSystem}}"
docker pull node:24-bookworm
What I expect we might see
- If OSType=windows, then pulling/building node:24-bookworm will fail (it's a Linux image). Fix is: Docker Desktop → Switch to Linux containers (WSL2 backend).
- If the pull fails with toomanyrequests, you've hit Docker Hub rate limits → docker login (or sign into Docker Desktop).
- If the pull says it can't connect to the daemon, then Docker Desktop/Engine isn't running.
Paste those two outputs and we'll pick the exact fix.
PS C:\cb\openclaw> docker info --format "OSType={{.OSType}} OS={{.OperatingSystem}}"
OSType=linux OS=Docker Desktop
PS C:\cb\openclaw>
PS C:\cb\openclaw> docker pull node:24-bookworm
24-bookworm: Pulling from library/node
failed to copy: httpReadSeeker: failed open: failed to do request: Get "https://docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com/registry-v2/docker/registry/v2/blobs/sha256/e9/e925c020d6d8277a3adf58cff70adc73b3535b43c8daf69d77147ce4bee167ff/data?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=f1baa2dd9b876aeb89efebbfc9e5d5f4%2F20260314%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20260314T184708Z&X-Amz-Expires=1200&X-Amz-SignedHeaders=host&X-Amz-Signature=b8aabeab07a26870bddb5e379c10a6ea8d47f5b20a4534ac881db225c57dbf67": dialing docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443 container via direct connection because Docker Desktop has no HTTPS proxy: connecting to docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443: dial tcp 172.64.66.1:443: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
PS C:\cb\openclaw>
DNS looks totally fine - you're resolving both IPv6 (AAAA) and IPv4 (A) for registry-1.docker.io, which is exactly what we want.
Now we need to see what Docker itself is doing (because your earlier build failure after ~22s smells like a connection attempt timing out, often due to IPv6 weirdness or Docker being in the wrong mode).
Next: run these two and paste output
docker info --format "OSType={{.OSType}} OS={{.OperatingSystem}}"
docker pull node:24-bookworm
Also: are you running this from PowerShell only, or inside WSL2?
Optional quick IPv6 sanity test (use real curl, not PowerShell's alias)
PowerShell's curl is Invoke-WebRequest, so use curl.exe:
curl.exe -4 -v https://registry-1.docker.io/v2/
curl.exe -6 -v https://registry-1.docker.io/v2/
- If -4 works but -6 hangs/fails → your network/WSL/Docker path likely has broken IPv6, which can cause those ~20s stalls.
But first: paste the docker info OSType + the docker pull error - that'll probably point straight to "Windows containers vs Linux containers" or "rate limit/auth/timeout".
Got it - Win11 home + no proxy is good news: this is usually not "blocked internet", it's almost always one of these:
- Docker Desktop isn't actually running / engine not started
- Docker is in Windows containers mode (but you're trying to pull a Linux image like node:24-bookworm)
- WSL2 backend is wedged
Let's confirm which one in one command:
docker info --format "Server={{.ServerVersion}} OSType={{.OSType}}"
How to read it
- If that command errors with "cannot connect to the Docker daemon" → open Docker Desktop and wait until it says Engine running (or restart Docker Desktop).
- If it prints OSType=windows → you're in Windows containers mode.
  - Fix: Docker Desktop → (tray icon / top menu) Switch to Linux containers
  - Then rerun the command; you want OSType=linux.
After that, try:
docker pull node:24-bookworm
Paste those outputs and we'll get you unstuck without reinstalling everything again.
Yep - totally normal on Windows. grep is a Linux/macOS tool, and PowerShell doesn't ship with it by default.
Use one of these Windows equivalents:
Option A (PowerShell native)
Select-String -Path .\Dockerfile -Pattern "FROM node" -CaseSensitive:$false
Option B (classic Windows)
findstr /n /i "FROM node" Dockerfile
Either one will show you the FROM node:... line.
That said, the bigger blocker sounds like Docker engine/mode - if you haven't yet, run this too (works everywhere on Windows):
docker info --format "Server={{.ServerVersion}} OSType={{.OSType}}"
Perfect - PowerShell is fine.
Use this instead of grep:
Select-String -Path .\Dockerfile -Pattern "FROM"
(or if you only want the node line)
Select-String -Path .\Dockerfile -Pattern "FROM node" -CaseSensitive:$false
And for the Docker engine/mode check (this is the one I care about most right now):
docker info --format "Server={{.ServerVersion}} OSType={{.OSType}} OS={{.OperatingSystem}}"
Paste both outputs.
Timeout on docker pull is the key symptom. Since your Windows curl to registry-1.docker.io works, this often means Docker Desktop's Linux VM (WSL2 backend) can't reach the blob/CDN endpoints, or it's getting stuck on IPv6.
1) Quick "unstick Docker Desktop networking" reset (safe)
- Quit Docker Desktop completely
- In PowerShell run:
wsl --shutdown
- Start Docker Desktop again, wait for "Engine running"
- Retry:
docker pull hello-world
docker pull node:24-bookworm
2) If it still times out: grab the real error line
Run:
docker -D pull node:24-bookworm
…and paste the last ~30 lines (the debug output usually includes the exact URL/domain it's timing out on).
3) Common root cause on home connections: IPv6 blackhole
Quick test (from Windows):
curl.exe -4 -I https://registry-1.docker.io/v2/
curl.exe -6 -I https://registry-1.docker.io/v2/
Tell me which one fails/hangs.
If you paste the docker -D pull tail, I can tell you exactly whether it's:
- Windows-vs-Linux containers mode,
- auth.docker.io token fetch,
- or blob download redirect (often a different domain than registry-1.docker.io).
Yep - on Windows 11, everything Docker does goes through Docker Desktop + a Linux VM (WSL2), so "Windows has internet" doesn't automatically mean "Docker pulls work".
Can you run exactly these 3 commands in PowerShell and paste the output?
docker context ls
docker info --format "OSType={{.OSType}} Server={{.ServerVersion}}"
docker -D pull hello-world
That will tell us immediately whether:
- Docker Desktop is actually talking to the right engine/context,
- you're in Linux vs Windows containers mode,
- and what URL/domain the pull is timing out on.
(Also: if Docker Desktop is open, make sure it's set to Linux containers.)
Found the smoking gun in your docker info:
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
So even if you aren't using a proxy, Docker Desktop is configured to use one. If nothing is actually listening at that proxy (very common), Docker pulls will just hang/time out.
Fix (Docker Desktop UI)
- Open Docker Desktop
- Go to Settings → Proxies (sometimes under Resources / Network, depending on version)
- Disable manual proxy / clear the proxy fields (anything like http.docker.internal:3128)
- Apply & Restart Docker Desktop
Confirm it's gone
After restart:
docker info | Select-String -Pattern "Proxy"
You want those Proxy lines to be empty/absent.
Then retry
docker pull hello-world
docker pull node:24-bookworm
If you can paste what shows up under Settings → Proxies (or a screenshot), I can tell you exactly what to toggle in your Docker Desktop version.
Perfect, now we finally have the real failure:
it's not timing out to docker.io - it's timing out to Docker Hub's blob CDN on Cloudflare R2:
docker-images-prod....r2.cloudflarestorage.com → 172.64.66.1:443
So your machine can reach the registry/auth endpoints, but can't reach the actual layer download host.
Quick confirm (from Windows host)
Run:
Test-NetConnection docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com -Port 443
If that test fails (very likely)
It's a network block/route issue to Cloudflare (home router "security", antivirus firewall, ISP weirdness, DNS filter, etc.).