Dockerfile FROM command doesn't get image from insecure private registry

Question

I can't find docs anywhere describing whether the "FROM" Dockerfile command will automatically pull from a remote private registry, or whether you must do an explicit "docker pull" first before running "docker build".

I have an insecure private registry set up at http://192.168.1.1:5000. It is configured in /etc/docker/daemon.json. Pushes and pulls both work against this insecure registry.

But if an image doesn't exist in the local cache (i.e., it hasn't been pulled and doesn't already exist from a previous docker build) then when running docker build the Dockerfile FROM command results in:

 => ERROR [internal] load metadata for 192.168.1.1:5000/reponame  0.1s
------
 > [internal] load metadata for 192.168.1.1:5000/reponame:latest:
------
failed to solve with frontend dockerfile.v0: failed to create LLB definition: failed to do request: Head "https://192.168.1.1:5000/v2/reponame/manifests/latest": http: server gave HTTP response to HTTPS client

Strange that it is trying HTTPS even though it should know that the registry is insecure and thus use HTTP.

Anyway, is this normal behavior? Do I just need to always perform a "docker pull" for an image before attempting to reference it in a Dockerfile FROM command? Or am I missing something that would make this work without doing a pull first?

Answer 1

Posting answer for anyone who might run into this in the future. I finally found the root cause of this issue. Apparently the standard docker registry image doesn't respond to the http HEAD requests that DOCKER_BUILDKIT sends.

The workaround is to disable buildkit (set DOCKER_BUILDKIT=0 in environment). This falls back to the pre-buildkit logic, which doesn't make that HEAD call before pulling the image. Less efficient (and you lose some other buildkit advantages), but it works.

Alternatively, you can issue a pull command for the image before running the docker build, and FROM will pull from the local cache.