Use "--driver docker-container" network was timeout or reset peer when connect github or raw.github #5299

Open
AnMokoto opened this issue Sep 5, 2024 · 4 comments

AnMokoto commented Sep 5, 2024

ISSUE

  1. With "--driver docker-container", the network times out or the connection is reset by peer when connecting to github.com or raw.githubusercontent.com.
  2. With "--driver docker", the network is OK when connecting to github.com or raw.githubusercontent.com.

CODE

script:
    - docker run --rm --privileged tonistiigi/binfmt --install all
    - docker context create ctx-$ARCH-$CI_PROJECT_ID
    - docker buildx create --name mybuilders --driver docker-container --use ctx-$ARCH-$CI_PROJECT_ID
    - |
      docker buildx build \
        --load \
        --builder mybuilders \
        --build-arg FLUTTER_VERSION=$FLUTTER_VERSION \
        --platform linux/${ARCH} \
        --cache-from type=registry,ref=${TAG_NAME} \
        --cache-to type=inline,mode=max \
        --tag ${TAG_NAME} \
        --network host \
        --file Dockerfile \
        --push .

ENVIRONMENT

$ docker info
Client:
 Version:    27.2.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.16.2
    Path:     /usr/local/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.29.2
    Path:     /usr/local/libexec/docker/cli-plugins/docker-compose
Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 27.2.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 472731909fa34bd7bc9c087e4c27943f9835f111
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.15.0-76-generic
 Operating System: Alpine Linux v3.20 (containerized)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.58GiB
 Name: runner-81syxtawp-project-104201-concurrent-0-bo3hvyq0
 ID: c05a2240-b373-4bc2-920c-da8622e70000
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine
FROM ubuntu:24.04
....

GITLAB-RUNNER: 17.02

tonistiigi/binfmt:latest
sha256:66e11bea77a5ea9d6f0fe79b57cd2b189b5d15b93a2bdb925be22949232e4e55

CHECK LIST

In Container:

  • ✅ DNS

  • ✅ ping & nslookup & dig

  • ❎ curl

In Node:

  • ✅ DNS
  • ✅ ping & nslookup & dig
  • ✅ curl

TRY FIXING

❎ CURL -V

Install ca-certificates

apt-get -y update \
&& apt-get -y install ca-certificates wget \
&& mkdir -p /usr/share/ca-certificates/cacert.org \
&& wget -P /usr/share/ca-certificates/cacert.org http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt \
&& update-ca-certificates

Refer: https://stackoverflow.com/questions/35821245/github-server-certificate-verification-failed/35824116#35824116

STILL ERROR.

❎ Custom Parameters

STILL ERROR.

✅ RESET "--driver" DEFAULT

But "--driver docker" does not support multi-platforms.

@tonistiigi
Member

What about if you run docker run <your-base-image>, can you curl inside of that container?

@AnMokoto
Author

AnMokoto commented Sep 9, 2024

> What about if you run docker run <your-base-image>, can you curl inside of that container?

@tonistiigi Thanks for the reply.
Yes, it is normal; the error only occurs when using curl to access "github".
The network access to GitHub in our country is unstable, so we need to go through the company's DNS.
Is it possible that the container does not go through our DNS?

Now, only "--driver docker-container" fails; "--driver docker" always succeeds.

@tonistiigi
Member

For buildkit to not use default DNS inside the container, you need to either use host networking or the resolv.conf inside the container needs to contain non-localhost addresses.

@AnMokoto
Author

AnMokoto commented Sep 14, 2024

Sorry, I do not understand. @tonistiigi

    - docker context create ctx-$ARCH-$CI_PROJECT_ID
    - docker buildx create --name mybuilders --driver docker-container --buildkitd-flags '--oci-worker-net host' --use ctx-$ARCH-$CI_PROJECT_ID
    - |
      docker buildx build \
        --load \
        --builder mybuilders \
        --platform linux/${ARCH} \
        --build-arg FLUTTER_VERSION=$FLUTTER_VERSION \
        --cache-from type=registry,ref=${TAG_NAME} \
        --cache-to type=inline,mode=max \
        --tag ${TAG_NAME} \
        --allow network.host \
        --network host \
        --file Dockerfile \
        . 

host/system DNS

$ cat /etc/resolv.conf
search gitlab-runner.svc.cluster.local svc.cluster.local cluster.local gz.xxx.cn
nameserver 10.43.0.10
options ndots:5

container using the host/system DNS

#10 [3/5] RUN cat /etc/resolv.conf
#10 0.120 # Generated by Docker Engine.
#10 0.120 # This file can be edited; Docker Engine will not make further changes once it
#10 0.120 # has been modified.
#10 0.120 
#10 0.120 nameserver 10.43.0.10
#10 0.120 search gitlab-runner.svc.cluster.local svc.cluster.local cluster.local gz.xxx.cn
#10 0.120 options ndots:5
#10 0.120 
#10 0.120 # Based on host file: '/etc/resolv.conf' (legacy)
#10 0.120 # Overrides: []
#10 0.120 # Option ndots from: host
#10 DONE 0.1s

I checked the following information:
#2404
https://docs.docker.com/engine/network/tutorials/host/
https://docs.docker.com/engine/network/drivers/host/
https://docs.docker.com/reference/cli/docker/buildx/build/#allow
https://docs.docker.com/reference/cli/docker/buildx/build/#network
https://docs.docker.com/reference/cli/docker/buildx/create/#buildkit-daemon-network-mode
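
The condition tonistiigi describes above (a resolv.conf that contains non-localhost nameserver addresses) can be checked mechanically. The script below is an added example, not part of the thread and not code from buildx or BuildKit; the function names are hypothetical, the first sample is the host resolv.conf posted in this issue and the second is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): does a resolv.conf list a resolver
# that is not localhost? Function names are hypothetical.

# Succeed when the address is a loopback resolver (127.0.0.0/8 or ::1).
is_loopback_ns() {
    case "$1" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each non-loopback nameserver in the file named by $1.
nonlocal_nameservers() {
    while read -r key addr _rest || [ -n "$key" ]; do
        [ "$key" = "nameserver" ] || continue
        is_loopback_ns "$addr" || printf '%s\n' "$addr"
    done < "$1"
}

# Exit status 0 if the file has a non-localhost nameserver, 1 otherwise.
check_resolv_conf() {
    found=$(nonlocal_nameservers "$1" | tr '\n' ' ')
    if [ -n "$found" ]; then
        echo "ok: non-localhost nameserver(s): $found"
        return 0
    fi
    echo "warn: only localhost nameservers in $1"
    return 1
}

# Sample 1: the host resolv.conf posted in this issue.
# Sample 2: constructed, a host that points at a local stub resolver.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/cluster.conf" <<'EOF'
search gitlab-runner.svc.cluster.local svc.cluster.local cluster.local gz.xxx.cn
nameserver 10.43.0.10
options ndots:5
EOF
cat > "$SAMPLE_DIR/stub.conf" <<'EOF'
nameserver 127.0.0.53
options edns0
EOF

check_resolv_conf "$SAMPLE_DIR/cluster.conf"
check_resolv_conf "$SAMPLE_DIR/stub.conf" || true
```

To apply it to a real builder, point `check_resolv_conf` at `/etc/resolv.conf` inside the container where buildkit runs. For the file posted in this issue it reports `10.43.0.10`, a non-localhost address.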
