[SOLVED] error in docker build - Err:1 http://deb.debian.org/debian stretch/main amd64 unzip amd64 6.0-21+deb9u1 404 Not Found

Issue

I am doing a docker build on my MacBook Pro and it always keeps failing with following error:

Reading package lists...
Building dependency tree...
Reading state information...
Suggested packages:
  zip
The following NEW packages will be installed:
  unzip
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 170 kB of archives.
After this operation, 547 kB of additional disk space will be used.
Err:1 http://deb.debian.org/debian stretch/main amd64 unzip amd64 6.0-21+deb9u1
  404  Not Found
E: Failed to fetch http://deb.debian.org/debian/pool/main/u/unzip/unzip_6.0-21+deb9u1_amd64.deb  404  Not Found
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
The command '/bin/sh -c apt-get install unzip' returned a non-zero code: 100

docker version: Docker version 19.03.8, build afacb8b

MacOS: Mojave 10.14.6

Dockerfile snippet:

FROM debian:latest
RUN apt-get update
RUN apt-get install -y ca-certificates
RUN apt-get install unzip

The build works fine in our travis CI which is using docker-ce=17.09.0~ce-0~ubuntu

Any suggestions on how to debug it further? Initially we thought it may be a temporary issue on debian side but the problem has persisted so likely an issue with my environment.

Solution

Combine the three RUN lines you show into a single command:

FROM debian:latest
RUN apt-get update \
 && apt-get install -y \
      ca-certificates \
      unzip

There's a combination of two things that leads to that 404 error. On the one hand, Docker will cache individual Dockerfile steps: it sees that, starting from debian:latest, it's already RUN apt-get update, so it uses the version of that command from yesterday. On the other hand, Debian updates their repositories fairly frequently with very minor updates (see the +deb9u1 part of that version number) and when they do they delete the previous version from their repositories. This combination means you can be in a sequence where you're using a cached version of the apt-get update index, but the package version it mentions doesn't exist any more.

Combining these lines together like this means Docker will always run both apt-get update and apt-get install together; if you add a package to the list it will re-run the update step before trying to download things. That avoids this problem, at the cost of a little extra download time when the package list changes.

Answered By - David Maze

Answer Checked By - Marilyn (WPSolving Volunteer)