You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docker compose publish to a localhost (insecure, plain-HTTP) registry fails on Docker Desktop because the publish client routes the registry request through Docker Desktop's transparent HTTP proxy (named pipe dockerHttpProxy) instead of connecting directly.
docker push / docker pull to the same registry work fine — the registry is correctly recognized as insecure (docker info lists 127.0.0.0/8 under Insecure Registries). Only docker compose publish is affected.
Current behavior — with --insecure-registry, publish switches to http:// but then fails:
failed to do request: Head "http://localhost:5000/v2/spike-app/blobs/sha256:...":
proxyconnect tcp: open ./pipe/dockerHttpProxy: The system cannot find the path specified.
Two things are wrong:
The proxy is not bypassed for localhost. The daemon proxy is http.docker.internal:3128 with No Proxy: hubproxy.docker.internal — localhost/127.0.0.1 are not excluded, and compose publish applies the proxy to the localhost target. It does not honor NO_PROXY/HTTP_PROXY env vars, nor Docker Desktop's proxy-exclude list (verified below).
The proxy named-pipe path is malformed. The error shows a relative ./pipe/dockerHttpProxy, not the real pipe \\.\pipe\dockerHTTPProxy, so the npipe:// proxy URL appears to be mis-parsed and dialed as a file path.
Expected behavior — docker compose publish connects directly to the localhost/insecure registry (as docker push does) and publishes the compose artifact, without going through the proxy.
Steps To Reproduce
Steps To Reproduce
Both shells below were run on the same Windows 11 + Docker Desktop host and produce identical results — so this is not shell- or WSL-specific. docker push succeeds; docker compose publish fails either way. (I have not tested on a native Linux/macOS host.)
Git Bash — MSYS2 / MINGW64, GNU bash 5.2.26
PowerShell — Windows PowerShell 5.1
In both, docker is the Windows Docker Desktop CLI (C:\Program Files\Docker\Docker\resources\bin\docker).
Git Bash (MSYS2 / MINGW64):
# 1. Plain-HTTP registry on localhost
docker run -d -p 5000:5000 --name registry registry:3
# 2. Seed an image (proves registry + insecure-HTTP path are fine)
docker pull alpine:3.20
docker tag alpine:3.20 localhost:5000/spike-alpine:1
docker push localhost:5000/spike-alpine:1 # ✅ succeeds# 3. Minimal compose file referencing that image
cat > compose.yaml <<'EOF'name: spikeservices: app: image: localhost:5000/spike-alpine:1 command: ["sleep", "3600"]EOF# 4. Publish the compose application to the same registry
docker compose -f compose.yaml publish localhost:5000/spike-app:1 --insecure-registry -y
# ❌ proxyconnect tcp: open ./pipe/dockerHttpProxy: The system cannot find the path specified.
PowerShell (Windows / Docker Desktop):
# 1. Plain-HTTP registry on localhost
docker run -d -p 5000:5000--name registry registry:3# 2. Seed an image (proves registry + insecure-HTTP path are fine)
docker pull alpine:3.20
docker tag alpine:3.20 localhost:5000/spike-alpine:1
docker push localhost:5000/spike-alpine:1# ✅ succeeds# 3. Minimal compose file referencing that image@'name: spikeservices: app: image: localhost:5000/spike-alpine:1 command: ["sleep", "3600"]'@|Set-Content-Encoding utf8 compose.yaml
# 4. Publish the compose application to the same registry
docker compose -f compose.yaml publish localhost:5000/spike-app:1--insecure-registry -y
# ❌ proxyconnect tcp: open ./pipe/dockerHttpProxy: The system cannot find the path specified.
What I observed across variants:
Command
Result
docker push localhost:5000/...
✅ succeeds (direct, insecure-HTTP auto-trusted)
docker compose publish ... (no flag)
❌ tries https://localhost:5000 (publish defaults to HTTPS)
docker compose publish ... --insecure-registry
❌ switches to http://, then proxyconnect ... open ./pipe/dockerHttpProxy
same + HTTP_PROXY= / NO_PROXY=localhost,127.0.0.1
❌ identical error — env ignored
same + bogus HTTP_PROXY=http://127.0.0.1:9
❌ still uses ./pipe/dockerHttpProxy — confirms env not consulted
after Docker Desktop → Proxies → exclude localhost,127.0.0.1 + restart
❌ unchanged; docker info still shows No Proxy: hubproxy.docker.internal
Compose Version
$ docker compose version
Docker Compose version v5.1.4
$ docker-compose version
Docker Compose version v5.1.4
The named pipe actually exists as \\.\pipe\dockerHTTPProxy, but the dialer reports the relative path ./pipe/dockerHttpProxy — so this looks like an npipe:// proxy-URL parsing/dialing bug in the publish transport, in addition to the missing localhost bypass.
Related: Add support for "insecure" registries #13352 (insecure-registry support for publish) added --insecure-registry / __TEST__INSECURE__REGISTRY__. That part works (it switches the scheme to HTTP); this issue is the remaining proxy bypass / named-pipe behavior on top of it.
No env-var or flag workaround found. docker push is a working alternative; only docker compose publish hits the proxy.
Please let me know if this is a https://github.com/docker/for-win issue and should be reported there, or elsewhere altogether, instead.
Description
docker compose publishto a localhost (insecure, plain-HTTP) registry fails on Docker Desktop because the publish client routes the registry request through Docker Desktop's transparent HTTP proxy (named pipedockerHttpProxy) instead of connecting directly.docker push/docker pullto the same registry work fine — the registry is correctly recognized as insecure (docker infolists127.0.0.0/8under Insecure Registries). Onlydocker compose publishis affected.Current behavior — with
--insecure-registry, publish switches tohttp://but then fails:Two things are wrong:
http.docker.internal:3128withNo Proxy: hubproxy.docker.internal— localhost/127.0.0.1are not excluded, andcompose publishapplies the proxy to the localhost target. It does not honorNO_PROXY/HTTP_PROXYenv vars, nor Docker Desktop's proxy-exclude list (verified below)../pipe/dockerHttpProxy, not the real pipe\\.\pipe\dockerHTTPProxy, so thenpipe://proxy URL appears to be mis-parsed and dialed as a file path.Expected behavior —
docker compose publishconnects directly to the localhost/insecure registry (asdocker pushdoes) and publishes the compose artifact, without going through the proxy.Steps To Reproduce
Steps To Reproduce
Both shells below were run on the same Windows 11 + Docker Desktop host and produce identical results — so this is not shell- or WSL-specific.
docker pushsucceeds;docker compose publishfails either way. (I have not tested on a native Linux/macOS host.)In both,
dockeris the Windows Docker Desktop CLI (C:\Program Files\Docker\Docker\resources\bin\docker).Git Bash (MSYS2 / MINGW64):
PowerShell (Windows / Docker Desktop):
What I observed across variants:
docker push localhost:5000/...docker compose publish ...(no flag)https://localhost:5000(publish defaults to HTTPS)docker compose publish ... --insecure-registryhttp://, thenproxyconnect ... open ./pipe/dockerHttpProxyHTTP_PROXY=/NO_PROXY=localhost,127.0.0.1HTTP_PROXY=http://127.0.0.1:9./pipe/dockerHttpProxy— confirms env not consultedlocalhost,127.0.0.1+ restartdocker infostill showsNo Proxy: hubproxy.docker.internalCompose Version
Docker Environment
Anything else?
\\.\pipe\dockerHTTPProxy, but the dialer reports the relative path./pipe/dockerHttpProxy— so this looks like annpipe://proxy-URL parsing/dialing bug in the publish transport, in addition to the missing localhost bypass.publish) added--insecure-registry/__TEST__INSECURE__REGISTRY__. That part works (it switches the scheme to HTTP); this issue is the remaining proxy bypass / named-pipe behavior on top of it.docker pushis a working alternative; onlydocker compose publishhits the proxy.Please let me know if this is a https://github.com/docker/for-win issue and should be reported there, or elsewhere altogether, instead.