Skip to content

Cannot use dependency proxy for docker-dind service image #1804

Open
Open
Cannot use dependency proxy for docker-dind service image#1804
@byron-hawkins

Description

@byron-hawkins
byron-hawkins
opened on Mar 17, 2026

Minimal .gitlab-ci.yml illustrating the issue

---
variables:
  CI_DEPENDENCY_PROXY_SERVER: "gitlab.mycorp.com:443"
  CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX: "${CI_DEPENDENCY_PROXY_SERVER}/myproject/dependency_proxy/containers"

# @Description Build alpine
alpine-image:
  image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/docker:cli
  services:
    - name: "docker:dind"
      alias: "docker-dind"
    # [==== issue ====] Fails when pulling `docker:dind` through the dependency proxy
    # - name: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/docker:dind"
    #   alias: "docker-dind"
  needs: []
  stage: build
  script:
    - |
       printenv
       echo "==== ls -all /certs/client"
       ls -all /certs/client
       docker build .

Expected behavior
Replacing the dind service with the commented version (labeled [==== issue ====]) should successfully connect to the docker daemon and build the container.

Host information
Linux fedora 6.17.13-200.fc42.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 18 22:18:24 UTC 2025 x86_64 GNU/Linux
gitlab-ci-local 4.65.1

Containerd binary
Docker version 29.1.4, build 1.fc42

Additional context
No problems running docker pull gitlab.mycorp.com:443/myproject/dependency_proxy/containers/docker:dind

shell output from gitlab-ci-local:

parsing and downloads finished in 35 ms.
json schema validated in 94 ms
alpine-image starting gitlab.mycorp.com:443/myproject/dependency_proxy/containers/docker:cli (build)
alpine-image copied to docker volumes in 295 ms
alpine-image started service image: gitlab.mycorp.com:443/myproject/dependency_proxy/containers/docker:dind with aliases: gitlab.mycorp.com:443-myproject-dependency_proxy-containers-docker, gitlab.mycorp.com:443__myproject__dependency_proxy__containers__docker, docker-dind in 149 ms
alpine-image service image: gitlab.mycorp.com:443/myproject/dependency_proxy/containers/docker:dind healthcheck passed in 1.24 s
alpine-image $ echo "==== printenv" # collapsed multi-line command
alpine-image > ==== printenv
alpine-image > GITLAB_USER_LOGIN=byron.hawkins
alpine-image > CI_COMMIT_SHORT_SHA=8965e8b0
alpine-image > CI_DEPENDENCY_PROXY_SERVER=gitlab.mycorp.com:443
alpine-image > CI_ENVIRONMENT_URL=
alpine-image > CI=true
alpine-image > CI_PROJECT_NAME=experimental
alpine-image > CI_SERVER_PROTOCOL=https
alpine-image > HOSTNAME=3d55c5ee6437
alpine-image > CI_COMMIT_DESCRIPTION=More commit text
alpine-image > CI_JOB_STAGE=build
alpine-image > CI_DEPENDENCY_PROXY_USER=gitlab-ci-token
alpine-image > SHLVL=3
alpine-image > CI_PROJECT_ROOT_NAMESPACE=byron.hawkins
alpine-image > HOME=/root
alpine-image > OLDPWD=/builds/byron.hawkins/experimental
alpine-image > CI_SERVER_HOST=gitlab.mycorp.com
alpine-image > CI_COMMIT_REF_NAME=trunk
alpine-image > CI_JOB_ID=556311
alpine-image > CI_PIPELINE_SOURCE=push
alpine-image > CI_DEFAULT_BRANCH=trunk
alpine-image > CI_ENVIRONMENT_NAME=
alpine-image > CI_BUILDS_DIR=/builds
alpine-image > CI_SERVER_URL=https://gitlab.mycorp.com
alpine-image > CI_COMMIT_REF_PROTECTED=false
alpine-image > CI_ENVIRONMENT_ACTION=
alpine-image > CI_TEMPLATE_REGISTRY_HOST=registry.gitlab.com
alpine-image > CI_PROJECT_ID=1217
alpine-image > CI_REGISTRY_IMAGE=local-registry.gitlab.mycorp.com/byron.hawkins/experimental
alpine-image > GITLAB_CI=false
alpine-image > CI_COMMIT_SHA=8965e8b08be0e6d9c7f146030cea00fa996464ef
alpine-image > DOCKER_TLS_VERIFY=1
alpine-image > CI_SERVER_PORT=443
alpine-image > FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR=false
alpine-image > CI_PROJECT_PATH=byron.hawkins/experimental
alpine-image > CI_PROJECT_DIR=/builds/byron.hawkins/experimental
alpine-image > CI_PROJECT_NAMESPACE=byron.hawkins
alpine-image > CI_COMMIT_TIMESTAMP=2026-03-17T17:19:35Z
alpine-image > CI_NODE_TOTAL=1
alpine-image > CI_PIPELINE_CREATED_AT=2026-03-17T17:19:35Z
alpine-image > CI_JOB_NAME_SLUG=alpine-image
alpine-image > CI_PIPELINE_URL=https://gitlab.mycorp.com/byron.hawkins/experimental/pipelines/16
alpine-image > DOCKER_CERT_PATH=/certs/client
alpine-image > PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
alpine-image > CI_JOB_STARTED_AT=2026-03-17T17:19:35Z
alpine-image > GITLAB_USER_EMAIL=byron.hawkins@mycorp.com
alpine-image > CI_PROJECT_TITLE=experimental
alpine-image > CI_PROJECT_VISIBILITY=internal
alpine-image > CI_COMMIT_TITLE=Commit Title
alpine-image > teamcity_gitlab-access-token=glpat-xxxxxxxxxxxxxxxxxxxx
alpine-image > CI_SERVER_FQDN=gitlab.mycorp.com
alpine-image > teamcity_user=byron.hawkins
alpine-image > CI_COMMIT_BRANCH=trunk
alpine-image > CI_ENVIRONMENT_TIER=
alpine-image > DOCKER_VERSION=29.3.0
alpine-image > CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX=gitlab.mycorp.com:443/byron.hawkins/dependency_proxy/containers
alpine-image > GITLAB_USER_NAME=Byron Hawkins
alpine-image > CI_REGISTRY=local-registry.gitlab.mycorp.com
alpine-image > CI_API_V4_URL=https://gitlab.mycorp.com/api/v4
alpine-image > DOCKER_TLS_CERTDIR=/certs
alpine-image > CI_PIPELINE_IID=16
alpine-image > DOCKER_HOST=tcp://docker:2376
alpine-image > CI_JOB_URL=https://gitlab.mycorp.com/byron.hawkins/experimental/-/jobs/556311
alpine-image > teamcity_password=xxxxxxxxxxxxxxxx
alpine-image > CI_COMMIT_REF_SLUG=trunk
alpine-image > DOCKER_BUILDX_VERSION=0.32.1
alpine-image > DOCKER_COMPOSE_VERSION=5.1.0
alpine-image > PWD=/builds/byron.hawkins/experimental
alpine-image > CI_PROJECT_PATH_SLUG=byron.hawkins-experimental
alpine-image > CI_PIPELINE_ID=1016
alpine-image > CI_PROJECT_URL=https://gitlab.mycorp.com/byron.hawkins/experimental
alpine-image > CI_ENVIRONMENT_SLUG=
alpine-image > CI_COMMIT_MESSAGE=Commit Title
alpine-image > More commit text
alpine-image > CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX=gitlab.mycorp.com:443/myproject/dependency_proxy/containers
alpine-image > GITLAB_USER_ID=1000
alpine-image > CI_SERVER_SHELL_SSH_PORT=22
alpine-image > CI_JOB_NAME=alpine-image
alpine-image > GCL_PROJECT_DIR_ON_HOST=/home/fedora/mycorp/montage/own/experimental/features/box/android/dind
alpine-image > CI_JOB_STATUS=running
alpine-image > ==== ls -all /certs/client
alpine-image > total 20
alpine-image > drwxrwxrwt    1 root     root            78 Mar 17 17:19 .
alpine-image > drwxrwxrwt    1 root     root            12 Mar  5 18:46 ..
alpine-image > -rw-r--r--    1 root     root          1842 Mar 17 17:19 ca.pem
alpine-image > -rw-r--r--    1 root     root          1830 Mar 17 17:19 cert.pem
alpine-image > -rw-r--r--    1 root     root          1598 Mar 17 17:19 csr.pem
alpine-image > -rw-r--r--    1 root     root          3272 Mar 17 16:45 key.pem
alpine-image > -rw-r--r--    1 root     root            44 Mar 17 17:19 openssl.cnf
alpine-image > ==== docker build .
alpine-image > still running...
alpine-image > ERROR: failed to connect to the docker API at tcp://docker:2376: lookup docker on 127.0.0.11:53: server misbehaving
alpine-image finished in 17 s  FAIL 1

 FAIL  alpine-image
  > -rw-r--r--    1 root     root            44 Mar 17 17:19 openssl.cnf
  > ==== docker build .
  > ERROR: failed to connect to the docker API at tcp://docker:2376: lookup docker on 127.0.0.11:53: server misbehaving
pipeline finished in 17 s

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions