Pulling from local registry fails - part II

I’m experiencing what I believe is the same issue as this post and have been unable to resolve it. I suspect it’s a Windows firewall issue and have reached out to our corporate IT for support; however, they have been unable to resolve it.

Here’s the output from VS Code when the module attempts to pull the image:

*  Executing task: DOCKER_HOST=192.168.10.1:2375 LOCAL_REGISTRY=192.168.10.10 DOCKER_LOGIN=192.168.10.10:5002 TAG=v0.0.0 GPU=-am62 DEBUG_SSH_PORT=2230 DEBUG_PORT1= DEBUG_PORT2= DEBUG_PORT3= docker compose pull network_manager_test 

WARN[0000] /home/torizon/networkmanagertest/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion 
[+] Pulling 1/1
 ! network_manager_test Warning Get "http://192.168.10.10:5002/v2/": net/http: request canceled while waiting for connection (Clien...                              30.1s 
WARNING: Some service image(s) must be built from source by running:
    docker compose build network_manager_test
1 error occurred:
        * Error response from daemon: Get "http://192.168.10.10:5002/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)



 *  The terminal process "/usr/bin/bash '-c', 'DOCKER_HOST=192.168.10.1:2375 LOCAL_REGISTRY=192.168.10.10 DOCKER_LOGIN=192.168.10.10:5002 TAG=v0.0.0 GPU=-am62 DEBUG_SSH_PORT=2230 DEBUG_PORT1= DEBUG_PORT2= DEBUG_PORT3= docker compose pull network_manager_test'" terminated with exit code: 1. 
 *  Terminal will be reused by tasks, press any key to close it. 

When I test in WSL with curl using localhost I get a response:

🐧 torizon @STERIS-US-x3Jes~: curl http://localhost:5002/v2
<a href="/v2/">Moved Permanently</a>.

But if I test in WSL with curl using the IP address it times out:

🐧 torizon @STERIS-US-x3Jes~: curl http://192.168.10.10:5002/v2/
curl: (28) Failed to connect to 192.168.10.10 port 5002 after 133517 ms: Couldn't connect to server

It times out when tested from the device side as well:

torizon@verdin-am62-15601305:~$ curl http://192.168.10.10:5002/v2
curl: (28) Failed to connect to 192.168.10.10 port 5002 after 135016 ms: Couldn't connect to server

The output from the iptables command run in a new WSL terminal is:

🐧 torizon @STERIS-US-x3Jes~: sudo iptables -L -v -n
[sudo] password for torizon:
Chain INPUT (policy ACCEPT 17589 packets, 36M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-FORWARD  0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 19589 packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     6    --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:5002
    0     0 DROP       0    --  !docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-BRIDGE (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-CT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-CT  0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-BRIDGE  0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination

WSL release info:

🐧 torizon @STERIS-US-x3Jes~: cat /etc/os-release
PRETTY_NAME="Torizon Development Environment for WSL 2"
NAME="TorizonOS"
VERSION=1.0.3
VERSION_CODENAME="Development Environment for WSL 2 (Debian Bookworm)"
ID=torizon
VERSION_ID=1.0.3
VARIANT=Docker
HOME_URL="https://www.torizon.io"
SUPPORT_URL="https://community.toradex.com"
BUG_REPORT_URL="https://github.com/torizon/cookbook-torizon-wsl/issues"
🐧
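
A quick way to read the `iptables -L -v -n` listing above for the registry port, as an added example that is not part of the original post: it reports which rules match `dpt:5002` and whether their packet counters have moved. The function names and the embedded listing (a constructed excerpt modelled on the output above) are assumptions; a zero counter only means no packet has hit that rule since the counters were last reset.

```bash
#!/bin/sh
# Added example: summarise filter rules for one TCP port from
# `iptables -L -v -n` output on stdin. Function names are hypothetical.

# Print "<chain> <target> <pkts>" for every rule carrying "dpt:<port>".
port_rule_hits() {
  awk -v want="dpt:$1" '
    $1 == "Chain" { chain = $2; next }   # remember which chain we are in
    $1 == "pkts" || NF == 0 { next }     # skip column headers and blank lines
    {
      for (i = 1; i <= NF; i++)
        if ($i == want) { print chain, $3, $1; break }
    }'
}

# Classify the port: no-rule | rule-present-no-traffic | traffic-seen
port_verdict() {
  _hits="$(port_rule_hits "$1")"
  if [ -z "$_hits" ]; then
    echo "no-rule"
  elif echo "$_hits" | awk '$2 == "ACCEPT" && $3 != "0" { f = 1 } END { exit !f }'; then
    echo "traffic-seen"              # an ACCEPT rule has counted packets
  else
    echo "rule-present-no-traffic"   # rule exists, counters still at zero
  fi
}

# Constructed excerpt modelled on the listing in the post (not live data).
sample_rules() {
  cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     6    --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:5002
    0     0 DROP       0    --  !docker0 docker0  0.0.0.0/0            0.0.0.0/0
EOF
}

sample_rules | port_verdict 5002
```

On a live system, run `sudo iptables -L -v -n | port_verdict 5002`. A `rule-present-no-traffic` result means no connection has been forwarded to the container through that rule, which points the search at whatever sits in front of these chains rather than at the rule itself.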

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.


Docker Registry Connection Issue Analysis

Based on your error logs and the symptoms you’re experiencing, this appears to be a network connectivity issue between your WSL2 environment and the local Docker registry. The key indicator is that localhost:5002 works within WSL2, but the external IP address 192.168.10.10:5002 times out from both WSL2 and the target device.

Root Cause Analysis

The issue stems from WSL2’s networking architecture and Docker registry configuration. When your registry responds to localhost but not to the external IP, it indicates the registry is binding only to the loopback interface rather than all network interfaces(1).

Solution Steps

1. Configure Docker Registry to Listen on All Interfaces

Ensure your Docker registry is configured to bind to 0.0.0.0 rather than 127.0.0.1. When running your registry container, use this configuration(1):

docker run -d -p 5002:5002 --restart always --name registry -e REGISTRY_HTTP_ADDR=0.0.0.0:5002 registry:2

2. Configure Docker Daemon for Insecure Registry

Since your registry is running over HTTP (not HTTPS), you must configure the Docker daemon to treat it as an insecure registry(2). Create or modify /etc/docker/daemon.json in your WSL2 environment(1):

{
  "insecure-registries" : ["192.168.10.10:5002"]
}

After editing, restart the Docker daemon within WSL2(1):

sudo service docker restart

3. Windows Firewall Configuration

Ensure your Windows Firewall allows inbound connections on port 5002(1). Since you mentioned reaching out to corporate IT, this is likely where the blockage occurs in enterprise environments.

4. Docker Engine Conflicts

Make sure you’re only running one Docker Engine instance. Do not use Docker Desktop and WSL Docker Engine simultaneously, as this can cause networking conflicts(1), (3).

Testing the Fix

After implementing these changes, test the connection(1):

curl http://192.168.10.10:5002/v2/

Also test pulling an image manually(1):

docker pull 192.168.10.10:5002/your-image:tag

Alternative: Pull-Through Cache

If network issues persist, consider implementing a pull-through cache as documented in the container registry guide(2). This can help overcome network instability issues during container downloads(2).

Summary Checklist

  • ✅ Registry binds to 0.0.0.0 (not 127.0.0.1)
  • ✅ Windows firewall allows port 5002
  • ✅ Docker’s daemon.json in WSL2 includes your registry as insecure
  • ✅ Only one Docker Engine instance active (inside WSL2)

The combination of proper registry binding and insecure registry configuration should resolve your connection timeouts.

Best regards, Toradex AI Assistant.


hey @koverly

Sorry to hear that you are having issues. In the pre-release, we are working on improvements so that it no longer depends on obscure WSL/Windows firewall configurations.

If you could test, it would be very nice for us to have some feedback. To use it, you will need to install the pre-release version of the extension and apply the following settings:

Settings - Using Templates Development Branch | Toradex Developer Center

⚠️ IMPORTANT: the settings need to be applied to the settings.json on the WSL side, not the one on the Windows side!

⚠️ ALSO IMPORTANT: a new project will need to be created to use the new sharing mechanism!

Let me know if you need any assistance,

BR,

Hi @matheus.tx ,

I’ll give the pre-release version a try and get back to you.

Hey @koverly ,

Just checking in, was the pre-release able to solve this issue?

Thanks

-Eric