The 'write: connection timed out' error occurs when Docker fails to complete a network write operation within the expected time. This typically happens during image push/pull operations, container-to-container communication, or when connecting to external services due to network congestion, firewall rules, or MTU mismatches.
The "write: connection timed out" error in Docker indicates that a network operation failed because data could not be transmitted within the allowed timeout period. Unlike a "connection refused" error (which happens immediately), this timeout error means Docker successfully established a connection but then failed to send or receive data through it. This error commonly appears in several scenarios: - **During `docker push` or `docker pull`**: When uploading or downloading image layers, the connection may be established but data transfer stalls or fails. - **Container networking**: When containers try to communicate with each other or external services, write operations can time out due to network issues. - **Build operations**: When Dockerfiles fetch dependencies from the internet, network timeouts can interrupt the build process. The root cause is typically network-related: unstable connections, packet loss, MTU mismatches (especially with VPNs), DNS resolution delays, or firewall/proxy interference. On Windows with WSL2, this error can also occur when the WSL2 network integration degrades over time.
The most common fix, especially on Windows with WSL2, is to restart the Docker daemon:
On Linux:
sudo systemctl restart dockerOn Windows (WSL2):
# Open PowerShell as Administrator
wsl --shutdown
# Wait a few seconds, then restart Docker DesktopOn macOS:
Click the Docker Desktop icon in the menu bar and select "Restart".
After restarting, test with a simple operation:
docker pull hello-worldVPNs typically require a lower MTU (Maximum Transmission Unit) value. Docker defaults to 1500, but VPNs often need 1400 or lower:
# Check current MTU on docker0
ip link show docker0
# Check your host network MTU
ip link show eth0 # or your primary interfaceCreate or edit the Docker daemon configuration:
sudo nano /etc/docker/daemon.jsonAdd MTU configuration:
{
"mtu": 1400
}Restart Docker to apply:
sudo systemctl restart dockerFor Docker Compose, you may also need to set MTU in your compose file:
networks:
default:
driver: bridge
driver_opts:
com.docker.network.driver.mtu: 1400Bypass Docker's bridge network to determine if the issue is network-layer specific:
# Test connectivity with host network
docker run --rm --network host alpine wget -O /dev/null https://registry-1.docker.io/v2/
# Build using host network
docker build --network host -t myimage .If host networking works but bridge doesn't, the problem is with Docker's virtual networking. Focus on MTU and firewall configuration.
DNS resolution issues can cause cascading timeout problems. Configure Docker to use reliable public DNS:
sudo nano /etc/docker/daemon.jsonAdd DNS servers:
{
"dns": ["8.8.8.8", "8.8.4.4", "1.1.1.1"]
}Restart Docker:
sudo systemctl restart dockerOn Docker Desktop (Windows/macOS):
Go to Settings > Docker Engine and add the DNS configuration there.
Verify DNS is working from inside a container:
docker run --rm alpine nslookup docker.comFirewalls may be silently dropping or delaying Docker's traffic:
# Check for firewall issues (Linux)
sudo iptables -L -n -v | grep -E 'DROP|REJECT'
# Allow Docker interface through firewall
sudo firewall-cmd --permanent --zone=trusted --add-interface=docker0
sudo firewall-cmd --reload
# Or with ufw
sudo ufw allow in on docker0
sudo ufw allow out on docker0Temporarily disable firewall to test (re-enable after!):
# Ubuntu
sudo ufw disable
# CentOS/RHEL
sudo systemctl stop firewalldIf disabling the firewall fixes the issue, add specific rules to allow Docker traffic.
If you're behind a corporate proxy, Docker needs explicit configuration:
# Create systemd override directory
sudo mkdir -p /etc/systemd/system/docker.service.d
# Create proxy configuration
sudo nano /etc/systemd/system/docker.service.d/http-proxy.confAdd your proxy settings:
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:8080"
Environment="HTTPS_PROXY=http://proxy.example.com:8080"
Environment="NO_PROXY=localhost,127.0.0.1,docker-registry.local"Apply changes:
sudo systemctl daemon-reload
sudo systemctl restart dockerOn Docker Desktop:
Go to Settings > Resources > Proxies and configure your proxy settings.
Stale DNS entries can cause connection issues. Clear the DNS cache:
On Windows:
ipconfig /flushdnsOn macOS:
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponderOn Linux:
# systemd-resolved
sudo systemd-resolve --flush-caches
# Or restart the DNS service
sudo systemctl restart systemd-resolvedThen restart Docker and retry your operation.
If Docker Hub is consistently timing out, configure a registry mirror:
sudo nano /etc/docker/daemon.jsonAdd a mirror:
{
"registry-mirrors": ["https://mirror.gcr.io"]
}Restart Docker:
sudo systemctl restart dockerAvailable mirrors include:
- Google: https://mirror.gcr.io
- Azure: https://dockerhub.azk8s.cn (China)
- Alibaba: https://registry.cn-hangzhou.aliyuncs.com (China)
Docker Hub rate limits unauthenticated pulls. If you're hitting limits, authenticate:
# Log in to Docker Hub
docker login
# Check your rate limit status
TOKEN=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/alpine:pull" | jq -r '.token')
curl -s -H "Authorization: Bearer $TOKEN" "https://registry-1.docker.io/v2/library/alpine/manifests/latest" -D - 2>&1 | grep -i ratelimitConsider upgrading to Docker Pro or using a private registry for heavy usage.
### WSL2-Specific Troubleshooting
Windows Subsystem for Linux 2 has known networking issues that cause timeouts to worsen over time. The virtual network adapter can lose its connection reliability after extended uptime.
Permanent fix for WSL2 DNS issues:
# In WSL2, prevent auto-generation of resolv.conf
sudo nano /etc/wsl.conf
# Add:
[network]
generateResolvConf = falseThen set a static DNS:
sudo rm /etc/resolv.conf
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf
sudo chattr +i /etc/resolv.conf # Prevent modificationRestart WSL: wsl --shutdown in PowerShell.
### MTU Deep Dive
The Maximum Transmission Unit defines the largest packet size that can be sent without fragmentation. When VPNs or overlay networks are involved, MTU mismatches cause packets to be silently dropped.
Diagnosing MTU issues:
# Find the optimal MTU by testing with ping
# Start at 1500 and decrease until packets get through
ping -c 3 -M do -s 1472 registry-1.docker.io
# 1472 = 1500 (MTU) - 28 (IP + ICMP headers)
# If this fails, try 1372 (for VPNs with overhead)Per-network MTU in Docker Compose:
networks:
vpn-compatible:
driver: bridge
driver_opts:
com.docker.network.driver.mtu: 1300
services:
app:
networks:
- vpn-compatible### Debugging Write Timeouts
To capture more details about where the timeout occurs:
# Enable Docker debug logging
sudo nano /etc/docker/daemon.json
# Add: "debug": true
# View detailed logs
sudo journalctl -u docker -f
# Test with verbose curl from inside container
docker run --rm alpine sh -c "apk add curl && curl -v --connect-timeout 10 --max-time 30 https://registry-1.docker.io/v2/"### Network Bridge Issues
If the docker0 bridge loses its IP configuration (common with systemd-networkd):
# Recreate the bridge network
docker network rm bridge
sudo systemctl restart docker
# Or manually check the bridge
ip addr show docker0To prevent systemd-networkd from interfering:
sudo nano /etc/systemd/network/10-docker.network
# Add:
[Match]
Name=docker0 br-* veth*
[Link]
Unmanaged=yesimage operating system "linux" cannot be used on this platform
How to fix 'image operating system linux cannot be used on this platform' in Docker
manifest unknown: manifest unknown
How to fix 'manifest unknown' in Docker
cannot open '/etc/passwd': Permission denied
How to fix 'cannot open: Permission denied' in Docker
Error response from daemon: failed to create the ipvlan port
How to fix 'failed to create the ipvlan port' in Docker
toomanyrequests: Rate exceeded for anonymous users
How to fix 'Rate exceeded for anonymous users' in Docker Hub