Docker failure in DNS

vix · January 23, 2026, 2:44pm

I have my Verdin iMX8M-Plus with Torizon OS 7.1.0+build.4 (I know, it’s not a new release, but it’s a LTS) and I can use it with OTA updates on a couple of different wifi networks. So, basically, everything is in place in the right way.

I’ve just found another wifi network where OTA updates doen’t work and so I investigated deeply what happens, using some command line tools on th SoM and wireshark network tracing.

Here is what I found:

the SoM is able to reach registry-1.docker.io (tested with curl)

torizon@verdin-imx8mp-15123804:~$ curl -i "https://registry-1.docker.io/v2/nginx/manifests/latest"
HTTP/1.1 401 Unauthorized
Date: Fri, 23 Jan 2026 13:55:57 GMT
Content-Type: application/json
Content-Length: 148
Connection: keep-alive
docker-distribution-api-version: registry/2.0
www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:nginx:pull"
strict-transport-security: max-age=31536000

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":
{"Type":"repository","Class":"","Name":"nginx","Action":"pull"}]}]}

the same with explicit -4 flag

torizon@verdin-imx8mp-15123804:~$ curl -4 -i "https://registry-1.docker.io/v2/nginx/manifests/latest"
HTTP/1.1 401 Unauthorized
Date: Fri, 23 Jan 2026 13:55:57 GMT
Content-Type: application/json
Content-Length: 148
Connection: keep-alive
docker-distribution-api-version: registry/2.0
www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:nginx:pull"
strict-transport-security: max-age=31536000

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail"
[{"Type":"repository","Class":"","Name":"nginx","Action":"pull"}]}]}

The wireshark tracing during curl shows DNS packets between the SoM and 8.8.8.8 (google DNS). The IP address of the registry is returned and it’s used by the following https GET.

an error with -6 flag (not sure if this is somehow related to the issue with docker - see below)

torizon@verdin-imx8mp-15123804:~$ curl -6 -i "https://registry-1.docker.io/v2/nginx/manifests/latest"
curl: (7) Failed to connect to registry-1.docker.io port 443 after 15 ms: Couldn't connect to server

docker login fails in this way

torizon@verdin-imx8mp-15123804:~$ docker login -u xxxx -p YYYYYYYYYYYYYYYYYYYY registry-1.docker.io
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get "https://registry-1.docker.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

The wireshark tracing during docker login shows DNS packets between the SoM and 8.8.8.8 (google DNS). The IP address of the registry is returned, but nothing happens (no https packets at all). After 5”, another DNS request/response is shown. Another one after 5” and so on, until timeout.

Here are other info:

torizon@verdin-imx8mp-15123804:~$ docker --version
Docker version 25.0.3, build 01f9332618

torizon@verdin-imx8mp-15123804:~$ nslookup registry-1.docker.ioServer:
8.8.8.8Address 1: 8.8.8.8 dns.google

Name:      registry-1.docker.io
Address 1: 54.174.127.143 ec2-54-174-127-143.compute-1.amazonaws.com
Address 2: 35.171.172.100 ec2-35-171-172-100.compute-1.amazonaws.com
Address 3: 3.232.199.191 ec2-3-232-199-191.compute-1.amazonaws.com
Address 4: 52.73.157.22 ec2-52-73-157-22.compute-1.amazonaws.com
Address 5: 44.196.177.2 ec2-44-196-177-2.compute-1.amazonaws.com
Address 6: 54.89.202.53 ec2-54-89-202-53.compute-1.amazonaws.com
Address 7: 13.216.38.234 ec2-13-216-38-234.compute-1.amazonaws.com
Address 8: 100.29.136.121 ec2-100-29-136-121.compute-1.amazonaws.com
Address 9: 2600:1f18:2148:bc00:155a:796d:ab41:c11e
Address 10: 2600:1f18:2148:bc00:344b:f85d:cd15:c63f
Address 11: 2600:1f18:2148:bc00:f6a4:b49a:66a2:99c8
Address 12: 2600:1f18:2148:bc00:fbbf:dbec:80c4:b647
Address 13: 2600:1f18:2148:bc00:ff48:1534:fb68:64dc
Address 14: 2600:1f18:2148:bc02:9d13:51ad:4228:a30b
Address 15: 2600:1f18:2148:bc01:5ac3:f4f0:6990:ffbf
Address 16: 2600:1f18:2148:bc01:c9b9:fb79:7bd8:492b

On the same wifi network I have a Windows 11 PC with Docker (27.2.0, build 3ab4256) installed. On this PC docker login works fine, even if curl -6 fails in the same way.

So, it’s not a broken wifi network.

What is the issue with Torizon OS and docker?

ToradexAI · January 23, 2026, 2:45pm

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.

Based on your detailed analysis, this appears to be a Docker networking issue specific to your WiFi environment. The fact that curl works but docker login fails suggests a Docker daemon networking problem rather than general connectivity issues.

Troubleshooting Steps

Network Configuration Analysis

Your issue shows that while basic HTTP connectivity works (curl succeeds), Docker’s networking layer is failing (1). The timeout during docker login combined with repeated DNS queries suggests Docker may be having issues with IPv6 or specific network routing (1).

IPv6 Configuration Issue

The key clue is your curl -6 command failing with “Couldn’t connect to server” while IPv4 works fine (1). Your nslookup shows both IPv4 and IPv6 addresses for registry-1.docker.io, but your network may not properly support IPv6 routing (1).

Docker Daemon Configuration

To resolve this, you can configure Docker to prefer IPv4 or disable IPv6 entirely. Modify /etc/docker/daemon.json with the following content (2):

{
  "ipv6": false,
  "ip": "0.0.0.0"
}

(2)

After making this change, restart the Docker service:

sudo systemctl restart docker

Alternative: Network-Specific DNS Configuration

If the IPv6 issue persists, you can also try configuring Docker to use specific DNS servers by adding to /etc/docker/daemon.json (2):

{
  "dns": ["8.8.8.8", "8.8.4.4"],
  "ipv6": false
}

(2)

Low-Bandwidth Connection Considerations

Since you mentioned this works on other networks, this specific WiFi network might have bandwidth or stability issues affecting Docker operations. For OTA updates with network challenges, consider configuring Aktualizr for low-bandwidth connections or implementing a pull-through cache (2).

The pull-through cache can help by creating a local registry mirror. You can set up a local cache using the registry configuration provided in the documentation (2).

Verification Steps

After implementing the Docker configuration changes:

Test Docker login again
Verify OTA updates work properly
Monitor the network traffic to confirm IPv4-only connections

This should resolve the Docker networking issue you’re experiencing on this specific WiFi network.

Best regards, Toradex AI Assistant.

Did you like my answer?

If I answered your question, please tick the “Solution” checkbox.

For follow-up questions to me, please use @ToradexAI in your post.

vix · January 28, 2026, 6:33am

The file /etc/docker/daemon.json doesn’t exist on Torizon OS.

Should I create it from scratch?

Moreover, why should I disable ipv6? Is this a known issue with docker? On the same network, with ipv6 enabled, docker on windows works.

Searching around on the web I found something related to possible issues in DNS resolver used by docker (different from the one used by curl) when both ipv6 and ipv4 resolution answers arrive to the device. Could this be the issue here?

ToradexAI · January 28, 2026, 6:33am

Creating the Docker Daemon Configuration File

You’re correct - if /etc/docker/daemon.json doesn’t exist on your Torizon OS system, you should create it from scratch (1). This is the standard location for Docker daemon configuration on Linux systems (1).

IPv6 vs IPv4 DNS Resolution Issue

Your analysis about DNS resolver differences is likely correct. Docker uses its own internal DNS resolution mechanism that can behave differently from system tools like curl (2). The issue you’re experiencing - where Docker repeatedly performs DNS queries but fails to establish connections - is characteristic of IPv6/IPv4 dual-stack resolution problems (2).

Why IPv6 Might Be Problematic

The key difference between your Windows Docker setup and Torizon OS could be:

Different Docker versions - Your Windows system uses Docker 27.2.0 while Torizon OS 7.1.0 uses Docker 25.0.3
Network stack differences - Windows and Linux handle IPv6 fallback mechanisms differently
DNS resolution timing - Docker’s internal resolver might be timing out on IPv6 before falling back to IPv4

Recommended Configuration

Create /etc/docker/daemon.json with this configuration (1):

{
  "ipv6": false,
  "dns": ["8.8.8.8", "8.8.4.4"]
}

Then restart Docker:

sudo systemctl restart docker

Alternative Troubleshooting

If you prefer not to disable IPv6 entirely, you can also try:

Test with explicit IPv4 DNS servers in the daemon configuration
Check if your router/network has IPv6 routing issues specific to Docker’s connection patterns
Monitor network traffic during Docker operations to see if IPv6 connections are being attempted and timing out

The fact that curl -6 fails while curl -4 works confirms that your network environment has IPv6 connectivity issues, even though IPv6 DNS resolution works (2). Docker’s behavior of repeatedly querying DNS without making HTTP connections suggests it’s getting stuck in the IPv6 resolution/connection phase.

Best regards, Toradex AI Assistant.

Did you like my answer?

If I answered your question, please tick the “Solution” checkbox.

For follow-up questions to me, please use @ToradexAI in your post.

vix · January 30, 2026, 12:18pm

Hi, can a human have a look to this topic, please?

The usual flavor of AI answers is “let’s try doing something and see if this works. If not, let’s try something different”.

I ususally prefer “I understand the question, I know why it happens and this is the solution”. And this requires an experienced human.