Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

wget Connection reset by peer #162

Closed
cw-20021351 opened this issue Jan 9, 2023 · 17 comments
Closed

wget Connection reset by peer #162

cw-20021351 opened this issue Jan 9, 2023 · 17 comments

Comments

@cw-20021351
Copy link

When using version 1.36 in eks environment, wget request fails.

I attach busybox.yaml file and wget command.

It doesn't seem to be a problem with the eks environment because it works normally in versions below 1.35.

apiVersion: v1
kind: Pod
metadata:
  name: busybox
spec:
  containers:
  - name: busybox
    image: busybox
    command:
      - sleep
      - "3600"
    imagePullPolicy: IfNotPresent
  restartPolicy: Always

# wget https://dtdg.co/latest-java-tracer
# Connecting to dtdg.co (67.199.248.12:443)
# wget: note: TLS certificate validation not implemented
# wget: error getting response: Connection reset by peer

Is there any change to version 1.36 that I should consider?
@fatz
Copy link

fatz commented Jan 9, 2023

from https://busybox.net/

3 January 2023 -- BusyBox 1.36.0 (unstable)

there is no 1_36_0 release tag. Just the branch and according to the release notes its marked unstable.

Please rollback the latest tag change of the busybox so it points again on 1.35 as that just works fine

SStorm added a commit to crate/crate-operator that referenced this issue Jan 9, 2023
@SStorm
Downgrade busybox to previous version
7c35cc0 
Apparently 1.36 was erroneously marked as 'latest' whereas it is unstable -> docker-library/busybox#162
@SStorm SStorm mentioned this issue Jan 9, 2023
Merged
4 tasks
SStorm added a commit to crate/crate-operator that referenced this issue Jan 9, 2023
@SStorm
Downgrade busybox to previous version
f8dba31 
Apparently 1.36 was erroneously marked as 'latest' whereas it is unstable -> docker-library/busybox#162
@yosifkit
Copy link
Member

yosifkit commented Jan 9, 2023

I am unable to reproduce; the current latest (aka 1.36.0) works fine:

$ docker run -it --rm busybox
Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
205dae5015e7: Pull complete 
Digest: sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c
Status: Downloaded newer image for busybox:latest
/ # 
/ # wget https://dtdg.co/latest-java-tracer
Connecting to dtdg.co (67.199.248.13:443)
wget: note: TLS certificate validation not implemented
Connecting to github.com (140.82.114.4:443)
Connecting to objects.githubusercontent.com (185.199.109.133:443)
saving to 'latest-java-tracer'
latest-java-tracer   100% |********************************| 19.4M  0:00:00 ETA
'latest-java-tracer' saved
/ # / # busybox --help
BusyBox v1.36.0 (2023-01-03 22:42:57 UTC) multi-call binary.
...

The version bump for latest was not accidental: #161. Both 1.35.0 and 1.36.0 are still marked as unstable on https://busybox.net/. The stable tag will still point to the most recent release that was specifically marked as stable by BusyBox (even if it is not within the last two releases).

@a-schild
Copy link

a-schild commented Jan 11, 2023
edited
Loading

I see the same behaviour in gks environment with the 1.36.0 release

With 1.34.1

BusyBox v1.34.1 (2022-12-21 18:28:04 UTC) multi-call binary.
wget --no-check-certificate https://my.nextcloud.com/cron.php
Connecting to my.nextcloud.com (xx.xx.xx.xx:443)
saving to 'cron.php'
cron.php             100% |************************************************************************|    20  0:00:00 ETA
'cron.php' saved

With 1.36.0

BusyBox v1.36.0 (2023-01-03 22:42:57 UTC) multi-call binary.
wget --no-check-certificate https://my.nextcloud.com
Connecting to my.nextcloud.com (xx.xx.xx.xx:443)
wget: error getting response: Connection reset by peer

Something to do with https/ssl handling?

@PylotLight
Copy link

PylotLight commented Jan 13, 2023
edited
Loading

@yosifkit
This issue appears to have cause us major production issues as :latest is still pulling 1.36.0 which when run on aks nodes results in failure to complete the wget call which is reproduceable.
Running this on docker desktop locally however runs fine, so not sure if it's also related to kernel configuration of some kind.
Any chance on getting :latest sent back to latest stable which is 1.34.1 as I noticed the :unstable and :latest tags are both on 1.36.0 currently?

@tianon
Copy link
Member

tianon commented Jan 13, 2023

I'd suggest pinning to busybox:1.35 (or busybox:1.34 or busybox:stable) explicitly if the latest release isn't working for your use case.

@PylotLight
Copy link

PylotLight commented Jan 14, 2023 via email
edited
Loading

@endriu0
Copy link

endriu0 commented Jan 24, 2023

Just to add to that and narrow it down just a little. I just run into this and noticed that the issue only appears on the latest but also only on amd64 version , same image but arm64 version works fine.

amd64:

wget -O /tmp/newrelic.jar https://download.newrelic.com/newrelic/java-agent/newrelic-agent/7.10.0/newrelic-agent-7.10.0.jar
Connecting to download.newrelic.com (151.101.2.137:443)
wget: error getting response: Connection reset by peer

arm64:

wget -O /tmp/newrelic.jar https://download.newrelic.com/newrelic/java-agent/newrelic-agent/7.9.0/newrelic-agent-7.9.0.jar
Connecting to download.newrelic.com (151.101.2.137:443)
wget: note: TLS certificate validation not implemented
saving to '/tmp/newrelic.jar'
new-relic.jar         20% |*********************************************

@xshipeng xshipeng mentioned this issue Feb 10, 2023
Merged
@modelbitjason
Copy link

This is still broken in the musl version although the glibc version seems fixed.
Any chance of getting the musl-latest-1 build pushed back as busybox:musl?

The error only happens for some domains -- github.com works but amazon.com does not (Nor does any S3 URL).

This is from a fresh build off master

# musl
$ docker run --rm busybox:latest-musl-test wget https://amazon.com
Connecting to amazon.com (52.94.236.248:443)
wget: note: TLS certificate validation not implemented
wget: TLS error from peer (alert code 40): handshake failure
wget: error getting response: Connection reset by peer

# glibc
$ docker run --rm busybox:latest-glibc-test wget https://amazon.com
Connecting to amazon.com (52.94.236.248:443)
wget: note: TLS certificate validation not implemented
Connecting to www.amazon.com (104.78.177.85:443)
wget: server returned error: HTTP/1.1 503 Service Unavailable

# previous musl
$ docker run --rm busybox:latest-1-musl-test wget https://amazon.com
Connecting to amazon.com (52.94.236.248:443)
wget: note: TLS certificate validation not implemented
Connecting to www.amazon.com (13.224.247.127:443)
wget: server returned error: HTTP/1.1 503 Service Unavailable

# musl, works with github.com
$ docker run --rm busybox:latest-musl-test wget https://github.com                   
Connecting to github.com (140.82.114.4:443)
wget: note: TLS certificate validation not implemented
saving to 'index.html'
index.html           100% |********************************|  220k  0:00:00 ETA

@modelbitjason modelbitjason mentioned this issue Mar 31, 2023
Open
gaurav added a commit to helxplatform/translator-devops that referenced this issue Jul 1, 2023
@gaurav
busybox 1.36 has some kind of bug in wget; pinning to 1.35.
62fed96 
Bug report at docker-library/busybox#162
gaurav added a commit to helxplatform/translator-devops that referenced this issue Jul 17, 2023
@gaurav
busybox 1.36 has some kind of bug in wget; pinning to 1.35.
2b85c33 
Bug report at docker-library/busybox#162
@kassane kassane mentioned this issue Oct 21, 2023
Open
@kassane
Copy link

kassane commented Oct 21, 2023

Tested from version 1.34 to the latest.

x86_64/amd64: ✅
aarch64/arm64: ❌
riscv64: ❌
powerpc64le: ❌

0.221 wget: error getting response: Connection reset by peer

@mingmxu mingmxu mentioned this issue Feb 2, 2024
Merged
24 tasks
@sbp
Copy link

sbp commented Feb 20, 2024

Bug 15679 ("wget with amazon.com fails with TLS handshake failure on Debian 12") appears to be upstream's own tracking of this issue. Filed 4 July 2023, with no contributors to date other than the original submitter.

@JoonaHa
Copy link

JoonaHa commented Apr 4, 2024
edited
Loading

Tested latest stable 1.36.1 based on https://busybox.net/ on amd64. Still reproducible:

$ docker run --rm -it busybox:stable
wget https://dtdg.co/latest-java-tracer
Connecting to dtdg.co (67.199.248.13:443)
wget: note: TLS certificate validation not implemented
wget: TLS error from peer (alert code 40): handshake failure
wget: error getting response: Connection reset by peer

With previous stable 1.34.1 wget produces different errors based on the address:

$ docker run --rm -it busybox:1.34.1
wget https://download.geonames.org/export/dump/FI.zip
Connecting to download.geonames.org (5.9.152.54:443)
wget: note: TLS certificate validation not implemented
wget: TLS error from peer (alert code 40): handshake failure
wget: error getting response: Connection reset by peer

wget https://dtdg.co/latest-java-tracer
Connecting to dtdg.co (67.199.248.13:443)
wget: note: TLS certificate validation not implemented
Connecting to github.com (140.82.121.4:443)
wget: TLS error from peer (alert code 80): 80
wget: error getting response: Connection reset by peer

On 1.29.1 https://download.geonames.org/export/dump/FI.zip works without issues but https://dtdg.co/latest-java-tracer does not.

$ docker run --rm -it busybox:1.29.1
wget https://download.geonames.org/export/dump/FI.zip
Connecting to download.geonames.org (5.9.152.54:443)
wget: note: TLS certificate validation not implemented
FI.zip               100% |***********************************************************************| 4542k  0:00:00 ETA

wget https://dtdg.co/latest-java-tracer
Connecting to dtdg.co (67.199.248.13:443)
wget: note: TLS certificate validation not implemented
Connecting to github.com (140.82.121.4:443)
wget: note: TLS certificate validation not implemented
wget: TLS error from peer (alert code 80): 80
wget: error getting response: Connection reset by peer

@discapes
Copy link

discapes commented Apr 16, 2024
edited
Loading

Also seeing this on an embedded system with just busybox 1.36.1, with musl 1.2.5.
I cannot connect to any domain, even https://github.com or https://google.com.
Sometimes the output is just

/ # wget -o- https://github.com
Connecting to github.com (140.82.121.4:443)
#

Sometimes it's

Connecting to github.com (140.82.121.4:443)
wget: error getting response: Connection reset by peer

@tianon tianon mentioned this issue May 15, 2024
Closed
@jblom
Copy link

jblom commented Aug 12, 2024

Got the same (using the stable version of this moment) as @discapes (when connecting to a path within github.com):

Connecting to github.com (140.82.121.3:443)
wget: note: TLS certificate validation not implemented
Connecting to github.com (140.82.121.3:443)
wget: got bad TLS record (len:0) while expecting switch to encrypted traffic
wget: error getting response: Connection reset by peer

Apparently it does not always occur, so it might have been just a couple of hiccups when connecting to github.com (and it has nothing to do with busybox after all...)

@tianon
Copy link
Member

tianon commented Aug 12, 2024

GitHub did apparently have a bunch of hiccups over the weekend (as evidenced by the pile of CI failure emails I've got from this weekend 😄)

@geloescht geloescht mentioned this issue Jan 14, 2025
Open
@mirobertod
Copy link

Any update on this?

It looks like even with busybox 1.37.0 the issue persist.

amd64

/tmp # wget -O install.sh https://get.pnpm.io/install.sh
Connecting to get.pnpm.io (66.33.60.193:443)
/tmp #

arm64

/tmp # wget -O install.sh https://get.pnpm.io/install.sh
Connecting to get.pnpm.io (66.33.60.193:443)
wget: note: TLS certificate validation not implemented
saving to 'install.sh'
install.sh           100% |********************************************************************************************|  2785  0:00:00 ETA
'install.sh' saved
/tmp #

@tianon
Copy link
Member

tianon commented Feb 3, 2025

Similar state to #162 (comment) although amusingly 1.37 ("latest") works fine for me, but 1.36 fails with handshake errors (but with a more verbose error than you appear to be getting):

$ ( set -Eeuo pipefail; for version in 1.37 1.36; do for libc in glibc uclibc musl; do img="busybox:$version-$libc"; docker pull -q "$img" > /dev/null; ( PS4='\n$ '; set -x; docker run -it --rm --pull=always "$img" wget -O install.sh https://get.pnpm.io/install.sh ) || :; done; done )

$ docker run -it --rm --pull=always busybox:1.37-glibc wget -O install.sh https://get.pnpm.io/install.sh
1.37-glibc: Pulling from library/busybox
Digest: sha256:04c3917ae1ad16d8be9702176a1e1ecd3cfe6b374a274bd52382c001b4ecd088
Status: Image is up to date for busybox:1.37-glibc
Connecting to get.pnpm.io (66.33.60.66:443)
wget: note: TLS certificate validation not implemented
saving to 'install.sh'
install.sh           100% |***************************************************************************|  2785  0:00:00 ETA
'install.sh' saved

$ docker run -it --rm --pull=always busybox:1.37-uclibc wget -O install.sh https://get.pnpm.io/install.sh
1.37-uclibc: Pulling from library/busybox
Digest: sha256:f1a295688a1cad4f66e7f45484a882a8b45fbdea28fa0a889ac17146775ad1a2
Status: Image is up to date for busybox:1.37-uclibc
Connecting to get.pnpm.io (76.76.21.61:443)
wget: note: TLS certificate validation not implemented
saving to 'install.sh'
install.sh           100% |***************************************************************************|  2785  0:00:00 ETA
'install.sh' saved

$ docker run -it --rm --pull=always busybox:1.37-musl wget -O install.sh https://get.pnpm.io/install.sh
1.37-musl: Pulling from library/busybox
Digest: sha256:37ccc05112d0a7162b605c375f5c0f5cfbc6e6c4fc8030ead6ae26a18c28a542
Status: Image is up to date for busybox:1.37-musl
Connecting to get.pnpm.io (76.76.21.98:443)
wget: note: TLS certificate validation not implemented
saving to 'install.sh'
install.sh           100% |***************************************************************************|  2785  0:00:00 ETA
'install.sh' saved

$ docker run -it --rm --pull=always busybox:1.36-glibc wget -O install.sh https://get.pnpm.io/install.sh
1.36-glibc: Pulling from library/busybox
Digest: sha256:870b2cfd9e8f465247c14a96680388426e2f28a8494b798e7aa1714683163eb0
Status: Image is up to date for busybox:1.36-glibc
Connecting to get.pnpm.io (76.76.21.93:443)
wget: note: TLS certificate validation not implemented
wget: TLS error from peer (alert code 40): handshake failure
wget: error getting response: Connection reset by peer

$ docker run -it --rm --pull=always busybox:1.36-uclibc wget -O install.sh https://get.pnpm.io/install.sh
1.36-uclibc: Pulling from library/busybox
Digest: sha256:2922236718b1d0f8b961bf246305aee5ddd665a4877d7a88c0a4661f5c3fe318
Status: Image is up to date for busybox:1.36-uclibc
Connecting to get.pnpm.io (76.76.21.98:443)
wget: note: TLS certificate validation not implemented
wget: TLS error from peer (alert code 40): handshake failure
wget: error getting response: Connection reset by peer

$ docker run -it --rm --pull=always busybox:1.36-musl wget -O install.sh https://get.pnpm.io/install.sh
1.36-musl: Pulling from library/busybox
Digest: sha256:7fe2d84eca21fa921a1006acaa68da15ed0acb7e1d21e5f3149bb6923af38498
Status: Image is up to date for busybox:1.36-musl
Connecting to get.pnpm.io (76.76.21.93:443)
wget: note: TLS certificate validation not implemented
wget: TLS error from peer (alert code 40): handshake failure
wget: error getting response: Connection reset by peer

This is definitely an upstream issue though, and not something we're likely to be able to fix in the image unless it's somehow related to the build-time configuration of BusyBox (which is unlikely, especially as it works fine in the newer 1.37 and 1.36 is extremely unlikely to get backported fixes, let alone a new release).

@tianon
Copy link
Member

tianon commented Feb 3, 2025

And again with the original URL from the OP, which succeeds across both "supported" versions (and all supported libc variants):

$ ( set -Eeuo pipefail; for version in 1.37 1.36; do for libc in glibc uclibc musl; do img="busybox:$version-$libc"; docker pull -q "$img" > /dev/null; ( PS4='\n$ '; set -x; docker run -it --rm --pull=always "$img" wget https://dtdg.co/latest-java-tracer ) || :; done; done )

$ docker run -it --rm --pull=always busybox:1.37-glibc wget https://dtdg.co/latest-java-tracer
1.37-glibc: Pulling from library/busybox
Digest: sha256:04c3917ae1ad16d8be9702176a1e1ecd3cfe6b374a274bd52382c001b4ecd088
Status: Image is up to date for busybox:1.37-glibc
Connecting to dtdg.co (67.199.248.13:443)
wget: note: TLS certificate validation not implemented
Connecting to github.com (140.82.116.4:443)
Connecting to objects.githubusercontent.com (185.199.109.133:443)
saving to 'latest-java-tracer'
latest-java-tracer   100% |********************************| 29.8M  0:00:00 ETA
'latest-java-tracer' saved

$ docker run -it --rm --pull=always busybox:1.37-uclibc wget https://dtdg.co/latest-java-tracer
1.37-uclibc: Pulling from library/busybox
Digest: sha256:f1a295688a1cad4f66e7f45484a882a8b45fbdea28fa0a889ac17146775ad1a2
Status: Image is up to date for busybox:1.37-uclibc
Connecting to dtdg.co (67.199.248.12:443)
wget: note: TLS certificate validation not implemented
Connecting to github.com (140.82.116.4:443)
Connecting to objects.githubusercontent.com (185.199.108.133:443)
saving to 'latest-java-tracer'
latest-java-tracer   100% |********************************| 29.8M  0:00:00 ETA
'latest-java-tracer' saved

$ docker run -it --rm --pull=always busybox:1.37-musl wget https://dtdg.co/latest-java-tracer
1.37-musl: Pulling from library/busybox
Digest: sha256:37ccc05112d0a7162b605c375f5c0f5cfbc6e6c4fc8030ead6ae26a18c28a542
Status: Image is up to date for busybox:1.37-musl
Connecting to dtdg.co (67.199.248.12:443)
wget: note: TLS certificate validation not implemented
Connecting to github.com (140.82.116.4:443)
Connecting to objects.githubusercontent.com (185.199.108.133:443)
saving to 'latest-java-tracer'
latest-java-tracer   100% |******************************************************************************************************************| 29.8M  0:00:00 ETA
'latest-java-tracer' saved

$ docker run -it --rm --pull=always busybox:1.36-glibc wget https://dtdg.co/latest-java-tracer
1.36-glibc: Pulling from library/busybox
Digest: sha256:870b2cfd9e8f465247c14a96680388426e2f28a8494b798e7aa1714683163eb0
Status: Image is up to date for busybox:1.36-glibc
Connecting to dtdg.co (67.199.248.12:443)
wget: note: TLS certificate validation not implemented
Connecting to github.com (140.82.116.4:443)
Connecting to objects.githubusercontent.com (185.199.110.133:443)
saving to 'latest-java-tracer'
latest-java-tracer   100% |******************************************************************************************************************| 29.8M  0:00:00 ETA
'latest-java-tracer' saved

$ docker run -it --rm --pull=always busybox:1.36-uclibc wget https://dtdg.co/latest-java-tracer
1.36-uclibc: Pulling from library/busybox
Digest: sha256:2922236718b1d0f8b961bf246305aee5ddd665a4877d7a88c0a4661f5c3fe318
Status: Image is up to date for busybox:1.36-uclibc
Connecting to dtdg.co (67.199.248.12:443)
wget: note: TLS certificate validation not implemented
Connecting to github.com (140.82.116.3:443)
Connecting to objects.githubusercontent.com (185.199.111.133:443)
saving to 'latest-java-tracer'
latest-java-tracer   100% |******************************************************************************************************************| 29.8M  0:00:00 ETA
'latest-java-tracer' saved

$ docker run -it --rm --pull=always busybox:1.36-musl wget https://dtdg.co/latest-java-tracer
1.36-musl: Pulling from library/busybox
Digest: sha256:7fe2d84eca21fa921a1006acaa68da15ed0acb7e1d21e5f3149bb6923af38498
Status: Image is up to date for busybox:1.36-musl
Connecting to dtdg.co (67.199.248.13:443)
wget: note: TLS certificate validation not implemented
Connecting to github.com (140.82.116.4:443)
Connecting to objects.githubusercontent.com (185.199.109.133:443)
saving to 'latest-java-tracer'
latest-java-tracer   100% |******************************************************************************************************************| 29.8M  0:00:00 ETA
'latest-java-tracer' saved

@tianon tianon closed this as completed Feb 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests