FS#74835 - [iptables-nft] after upgrade to v1.8.8, docker is failing to start
Attached to Project:
Arch Linux
Opened by Daniel (8472) - Monday, 23 May 2022, 15:37 GMT
Last edited by Toolybird (Toolybird) - Sunday, 31 July 2022, 00:08 GMT
Details
Description:
After upgrade of iptables-nft to v1.8.8 and restarting the OS/docker.service, docker fails to start.

Additional info:
* package version(s):
  - iptables-nft 1:1.8.8-1
  - kernel: 5.15.41-1-lts
  - OS fully updated
  - nftables enabled (if I do "nft flush ruleset", then the docker.service starts even with this reported v1.8.8)
  - no problem otherwise with docker.service or nftables if iptables-nft is of previous v1.8.7

Steps to reproduce:
- upgrade iptables-nft to latest 1.8.8-1
- restart docker.service
- will fail, with errors in dockerd logs (full log attached), events like:
  -- "Error initializing network controller"
  -- "Error creating default "bridge" network"
  -- "Failed to Setup IP tables: Unable to allow intercontainer communication"
  -- "iptables failed: iptables -I FORWARD -i docker0 -o docker0 -j ACCEPT: iptables v1.8.8 (nf_tables): CHAIN_ADD failed (File exists): chain FORWARD"
  -- "could not create bridge network for id"

Workaround:
- downgrade iptables-nft to previous, e.g. 1.8.7-1
- restart docker.service
No, have not reported it upstream.
Tried non-LTS, it's the same.
You're probably right, it looks like specific setup problem.
Until now I used the following workaround, "mark set 1", from https://wiki.archlinux.org/index.php?title=Nftables&oldid=636859#Working_with_Docker (article history).
This worked fine with iptables-nft v1.8.7.
As of iptables-nft v1.8.8 something must've changed.
When I tested through my nftables rules, I managed to trace the problem to "table ip filter" => "chain FORWARD".
Disabling single or all chain's internal rules doesn't help, but disabling the whole "chain FORWARD" helped and started the docker properly.
The "newer" nftables article workaround https://wiki.archlinux.org/title/Nftables#Working_with_Docker could also be a solution.
It seems to work, but I need the docker container to reach LAN resources.
LAN = "192.168.*".
Article's workaround IP addresses are "10.0.0.*".
In this constellation, I cannot reach LAN "192.168.*" resources from the "10.0.0.*" namespace's container.
Have tried using my own IP addresses for the namespace, but no success.
However, I'm not skilled with the "ip namespace", so I have to find how it works, or disable the "chain FORWARD".
I guess you can close this, and thank you anyway.
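An added configuration example, not from the report or from the Arch wiki, that contrasts the layout the report traced the failure to (a user-defined FORWARD chain inside `table ip filter`) with the same filtering kept in a separately named table, so iptables-nft can create its own chains there without colliding; the interface names and the LAN prefix are assumptions.

```nft
# Layout the report traced the failure to: a user-defined base chain inside
# the table that iptables-nft manages itself. With iptables-nft 1.8.8 the
# docker log shows "CHAIN_ADD failed (File exists): chain FORWARD" when it
# tries to create its own FORWARD chain here, and the bridge setup aborts.
table ip filter {
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
    }
}

# Alternative: keep the user's filtering in a separately named table.
# iptables-nft only manages the iptables-named tables (filter, nat, mangle,
# raw, security in the ip and ip6 families), so it never touches this one.
# Both base chains hook "forward"; a packet is forwarded only if neither
# chain drops it, so this chain still enforces the policy below.
#
# Flush only this table on reload. A bare "flush ruleset" at the top of the
# file would also wipe the chains docker installed through iptables-nft.
table inet user_filter
flush table inet user_filter

table inet user_filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # Assumed values: containers sit on docker0, eth0 faces the LAN and
        # the LAN is 192.168.0.0/16. Containers may open connections to the
        # LAN; replies are covered by the conntrack rule above.
        iifname "docker0" oifname "eth0" ip daddr 192.168.0.0/16 accept

        # Container-to-container traffic on the same bridge, which is the
        # rule docker was trying to add when CHAIN_ADD failed.
        iifname "docker0" oifname "docker0" accept

        # LAN clients may reach ports docker published (DNATed by docker's
        # nat table); anything else from the LAN towards containers is dropped.
        iifname "eth0" oifname "docker0" ct status dnat accept

        # Everything else is logged, then dropped by the chain policy.
        log prefix "user_filter forward drop: "
    }
}
```

After loading it, `nft list table ip filter` should show only the chains docker created, and `nft list table inet user_filter` the chain above.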