
I'm trying to build a Docker image on my Mac, but it fails at installing some Linux deps. I think it's all pretty standard, and it works for my colleagues and on CI/CD (details below).

Relevant part:

FROM node:22-slim

RUN corepack enable pnpm
RUN apt-get update && apt-get install -y \
    curl \
    python3 \
    python3-pip \
    build-essential \
    libcairo2-dev \
    libpango1.0-dev \
    libjpeg-dev \
    libgif-dev \
    librsvg2-dev \
    libpixman-1-dev \
    libffi-dev \
    libnss3 \
    libatk-bridge2.0-0 \
    libdrm2 \
    libgtk-3-0 \
    libgbm1 \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

The failure occurs during apt-get install, with errors like:

E: Failed to fetch http://deb.debian.org/debian/pool/main/g/gcc-14/libasan8_14.2.0-19_arm64.deb  Hash Sum mismatch
E: Failed to fetch http://deb.debian.org/debian/pool/main/c/curl/curl_8.14.1-2_arm64.deb  File has unexpected size (...)

The specific packages that fail vary between builds.

What have I tried so far?

Networking and mirrors

  • Tried multiple mirrors (deb.debian.org, ftp.de.debian.org, ftp.hu.debian.org, mirrors.kernel.org, cloudfront.debian.net)
  • Added retries (Acquire::Retries), disabled caching, and tested both IPv4 and IPv6
  • Tried different networks (home Wi-Fi and mobile hotspot)
  • Tested with VPN (NordVPN) — same issue
  • Tried on a Linux server using the same network — works fine
  • Switched to HTTPS (works reliably only after installing ca-certificates first)

Docker environment

  • Removed custom DNS and reset Docker Desktop
  • Tried Docker Desktop, Colima, and Docker-in-Docker — all fail the same way
  • Overrode DNS in daemon.json (1.1.1.1, 8.8.8.8) — no change

Host-level checks

  • Confirmed containers use the same external IP as the host (VPN applies)
  • Disabled firewall and network filtering software

Switching to HTTPS mirrors (the only thing that works)

So the only thing that works is switching to an HTTPS mirror (to avoid stale CDN hits), but I would rather not do that, since it requires modifying the Docker image, and I'm not fully in control of that.

If I modify the Dockerfile to install ca-certificates first and switch the Debian sources to HTTPS, the build succeeds consistently:

RUN apt-get update && apt-get install -y ca-certificates && \
    sed -i 's|http://deb.debian.org|https://deb.debian.org|g' /etc/apt/sources.list.d/debian.sources

It seems that something on my macOS host is corrupting or caching HTTP traffic for Debian mirrors. HTTPS avoids the issue, suggesting it’s related to transparent HTTP caching, Docker’s network proxy, or a macOS-level network extension, or DNS.

My environment:

  • macOS Tahoe 26.x (Apple Silicon M2)
  • Docker Desktop 4.x (also tested Colima)
  • Base image: node:22-slim (Debian Bookworm/Trixie)

What could be the problem, and what should I look into next?

Note: I'm facing the same problem when trying to build another Docker container, based on python:3.13-slim.
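
Added example, not part of the original question and not apt's own code: a Python sketch of the two checks behind the errors quoted above, comparing downloaded bytes with the `Size` and `SHA256` fields of a `Packages` index stanza. The stanza, package name and payload are constructed, and checking size before hash is an assumption made for illustration.

```python
import hashlib

# Constructed sample data: a stand-in for the .deb payload and the matching
# stanza from the repository's Packages index (not real Debian metadata).
GOOD_DEB = b"!<arch>\n" + b"constructed package body " * 40
SAMPLE_STANZA = (
    "Package: example-pkg\n"
    "Version: 1.0-1\n"
    "Architecture: arm64\n"
    "Filename: pool/main/e/example-pkg/example-pkg_1.0-1_arm64.deb\n"
    f"Size: {len(GOOD_DEB)}\n"
    f"SHA256: {hashlib.sha256(GOOD_DEB).hexdigest()}\n"
)


def parse_stanza(text):
    """Parse one deb822 stanza into a dict, folding continuation lines."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key] = value.strip()
    return fields


def check_download(stanza_text, payload):
    """Compare downloaded bytes with the index entry: size first, then hash.

    Returns 'ok', 'unexpected size' or 'hash sum mismatch'.
    """
    meta = parse_stanza(stanza_text)
    if len(payload) != int(meta["Size"]):
        return "unexpected size"
    if hashlib.sha256(payload).hexdigest() != meta["SHA256"].lower():
        return "hash sum mismatch"
    return "ok"


if __name__ == "__main__":
    truncated = GOOD_DEB[:-100]                     # body cut short in transit
    altered = GOOD_DEB[:50] + b"X" + GOOD_DEB[51:]  # same length, one byte changed
    for name, blob in [("intact", GOOD_DEB), ("truncated", truncated), ("altered", altered)]:
        print(f"{name:10s} -> {check_download(SAMPLE_STANZA, blob)}")
```

Running the same comparison on a package fetched inside the container and on the Linux server that works would show whether the bytes arriving on the Mac are truncated or altered.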
