[BUG] Stack deployment fails to authenticate to private Docker registry through socket-proxy #172

@upendedshark

Description

Stack deployments fail when pulling images from a self-hosted Gitea container registry, with Docker unable to authenticate
despite registry credentials being configured in Komodo. Manual docker pull commands work successfully on the host, but
Komodo's deployments fail with connection errors.

Environment

  • Komodo Version: 1.19.5
  • Deployment Method: Docker Compose via socket-proxy (tecnativa/docker-socket-proxy v0.4.2)
  • Registry: Self-hosted Gitea container registry
  • Stack: Example stack with custom image from private registry

Steps to Reproduce

  1. Configure private Docker registry account in Komodo (Settings → Providers → Registry Accounts)

    • Domain: git.example.com
    • Username: myuser
    • Token: [Gitea access token with repo:write and package:read permissions]
  2. Create stack with image from private registry:

    image: git.example.com/myorg/custom-image:v1.0.0
    
  3. Attempt to deploy stack via Komodo

Expected Behavior

Komodo should authenticate to the registry using the configured credentials and successfully pull the image.

Actual Behavior

Deployment fails with authentication error:

    Error Head "https://git.example.com/v2/myorg/custom-image/manifests/v1.0.0": Get
    "https://git.example.com/v2/token?account=myuser&scope=repository%3Amyorg%2Fcustom-image%3Apull&service=container_registry":
    dial tcp 192.168.1.3:443: connect: connection refused

Additional Context

What works:

  • Manual docker pull git.example.com/myorg/custom-image:latest succeeds on the host
  • Git operations (repo cloning/pulling) work through Komodo successfully
  • The registry is accessible (registry ping returns proper auth challenge)

Troubleshooting attempted:

  • Added AUTH=1 and DISTRIBUTION=1 permissions to socket-proxy-komodo
  • Verified registry credentials in Komodo UI
  • Tested with both tokens and passwords
  • Confirmed DNS resolves correctly: nslookup git.example.com returns correct registry IP

Socket-proxy configuration:

    environment:
      - POST=1
      - CONTAINERS=1
      - ALLOW_START=1
      - ALLOW_STOP=1
      - ALLOW_RESTARTS=1
      - EXEC=1
      - IMAGES=1
      - INFO=1
      - NETWORKS=1
      - TASKS=1
      - VOLUMES=1
      - AUTH=1
      - DISTRIBUTION=1

Hypothesis:
The issue appears to be DNS-related despite nslookup showing correct resolution. Docker is connecting to 192.168.1.3 (DNS
server) instead of 192.168.1.2 (registry host) when authentication is attempted through the socket-proxy, but works correctly
when Docker is accessed directly on the host.

Question

Is there additional socket-proxy configuration needed for registry authentication, or is this a known limitation when using
private registries through docker-socket-proxy?
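
A triage sketch for the error quoted under "Actual Behavior", added here as an example; it is not part of the original report and not Komodo or socket-proxy code. It splits the message into the request chain, the decoded token scope, and the address the dial went to, then compares that address with the one the registry is expected to resolve to. The function name `triage_pull_error` and the `expected_ips` parameter are hypothetical; the expected address 192.168.1.2 is taken from the hypothesis above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Error text quoted in the report, joined onto one line.
SAMPLE_ERROR = (
    'Error Head "https://git.example.com/v2/myorg/custom-image/manifests/v1.0.0": Get '
    '"https://git.example.com/v2/token?account=myuser&scope=repository%3Amyorg%2F'
    'custom-image%3Apull&service=container_registry": '
    'dial tcp 192.168.1.3:443: connect: connection refused'
)

DIAL_RE = re.compile(r'dial tcp (\[[0-9a-fA-F:]+\]|[0-9.]+):(\d+): (.+)$')
URL_RE = re.compile(r'"(https?://[^"]+)"')


def triage_pull_error(message, expected_ips):
    """Classify a Docker pull error by the stage at which it failed.

    expected_ips (hypothetical parameter): addresses the registry host
    should resolve to, supplied by the operator, e.g. from nslookup.
    """
    urls = URL_RE.findall(message)
    result = {"urls": urls, "token_scope": None, "dialed": None,
              "reason": None, "stage": "unknown", "address_matches": None}
    for url in urls:
        query = parse_qs(urlsplit(url).query)
        if "scope" in query:
            # parse_qs percent-decodes: repository:<name>:<actions>
            result["token_scope"] = query["scope"][0]
    dial = DIAL_RE.search(message.strip())
    if dial:
        ip = dial.group(1).strip("[]")
        result["dialed"] = (ip, int(dial.group(2)))
        result["reason"] = dial.group(3)
        # A dial failure happens before TLS/HTTP on that connection.
        result["stage"] = "tcp-connect"
        result["address_matches"] = ip in expected_ips
    elif re.search(r'\b(401|unauthorized|denied)\b', message, re.I):
        # The registry was reached and answered at the HTTP layer.
        result["stage"] = "http-auth"
    return result


if __name__ == "__main__":
    print(triage_pull_error(SAMPLE_ERROR, {"192.168.1.2"}))
```

Run the same check from inside the environment where the pull is actually executed, since the resolver seen there can differ from the one the host shell uses.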
