Skip to content

docs: add troubleshooting for okteto up image pull EOF failure#1269

Open
ekline[bot] wants to merge 5 commits into
mainfrom
docs/okteto-up-image-pull-eof
Open

docs: add troubleshooting for okteto up image pull EOF failure#1269
ekline[bot] wants to merge 5 commits into
mainfrom
docs/okteto-up-image-pull-eof

Conversation

@ekline

@ekline ekline Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

What this documents

Adds a troubleshooting entry to the Known Issues reference page for an okteto up failure where activating the Development Container fails while the base image is pulled, with a failed to pull and unpack image "docker.io/library/node:25-alpine3.22" ... cloudfront.docker.com ...: EOF error.

Why

A customer hit this error on okteto up (CLI 3.19.0). The entry explains the cause and gives actionable remediation steps, keyed on the error text so it surfaces in search.

What it says

  • The image pull runs on the Kubernetes node (kubelet), not on the user's machine — the Okteto CLI relays the node's event message and does not auto-retry this failure.
  • The EOF is a node-to-Docker Hub CDN connection issue; common causes are dropped or throttled connections, Docker Hub anonymous pull rate limits, and proxy/firewall/TLS inspection.
  • Remediations: retry okteto up, inspect pod events, configure Docker Hub credentials via Registry Credentials, allow egress to Docker Hub hosts, or host the image in the Okteto Registry and reference it via the manifest image field.

How to verify

  • Technical claims are grounded in the Okteto CLI source (cmd/up/activate.go relays node pod-event messages; pull failures are not auto-retried) and the platform Registry Credentials webhook.
  • Internal links point to existing pages and anchors.

📝 Created with EkLine · View session

ekline[bot] <202747777+ekline[bot]@users.noreply.github.com>

Signed-off-by: ekline[bot] <202747777+ekline[bot]@users.noreply.github.com>
@netlify

netlify Bot commented Jun 15, 2026

Copy link
Copy Markdown

Deploy Preview for okteto-docs ready!

Name Link
🔨 Latest commit b071db8
🔍 Latest deploy log https://app.netlify.com/projects/okteto-docs/deploys/6a3c5567e9f6a2000860d104
😎 Deploy Preview https://deploy-preview-1269--okteto-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

The original entry framed the EOF pull failure as a transient CDN issue
to retry. The real cause is a cluster egress allowlist that doesn't
include the host in the error: Docker added the CDN domain
production.cloudfront.docker.com (May 2026), and allowlists scoped to
the registry and an older CDN start dropping layer downloads while the
manifest still resolves. Lead with that cause, drop the rate-limit
guidance (a distinct 429 failure), and trim the entry.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Cody Landstrom <cody@okteto.com>
Comment thread src/content/reference/known-issues.mdx Outdated

## Pulling the development image fails with an `EOF` error

The image pull runs on the Kubernetes node, not on your machine. When the node can't finish downloading the image from Docker Hub, `okteto up` relays the node's error and exits:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This still mentions okteto up. I don't know if we want to leave it, but it sounds odd that we mention the problem is in the cluster side, but we only mention okteto up (or if that happens during an okteto up).

I would try to make it generic.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tried to make it more generic while leaving okteto up as the example

Comment thread src/content/reference/known-issues.mdx Outdated
Failed to pull image "node:25-alpine3.22": failed to pull and unpack image "docker.io/library/node:25-alpine3.22": failed to copy: httpReadSeeker: failed open: failed to do request: Get "https://production.cloudfront.docker.com/...": EOF
```

The `EOF` means the connection to the host in the error closed before the image layer finished downloading. The usual cause is an egress policy on the cluster — a firewall, proxy, or domain allowlist — that doesn't permit that host. Pulling from Docker Hub is a two-stage flow: the node authenticates against `auth.docker.io` and reads the manifest from `registry-1.docker.io`, then follows a redirect to a CDN host to download each layer. Docker changes its CDN domains over time — it added `production.cloudfront.docker.com` in May 2026 — so an allowlist that only covers the registry and an older CDN starts failing on layer downloads while the manifest still resolves.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems this is only focused to DockerHub issues, but this error could happen with any registry.

I don't knot if we want to make it generic to other scenarios/registries, but if we don't, maybe we should change the title Pulling the development image fails with an EOF error to reflect that this only talks about DockerHub.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes good call. Changed this up and pulled out docker hub as a "common example"

Let me know what you think

Comment thread src/content/reference/known-issues.mdx Outdated
codyjlandstrom and others added 3 commits June 24, 2026 14:53
Co-authored-by: Ignacio Fuertes <nacho@okteto.com>
Address review feedback from @ifbyol:

- Frame the failure generically: image pulls run on the node for any
  pod, so the EOF is not specific to okteto up. okteto up is now shown
  only as where the example error surfaces.
- Generalize the cause to any registry that redirects layer downloads
  to a separate CDN/storage host, with Docker Hub kept as the concrete
  example rather than the sole scope.

Title was already updated to "Pulling an image fails with an EOF error".

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Cody Landstrom <cody@okteto.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants