[pkg-netfilter-team] Bug#914129: not iptables related, it's docker that needs updating

Andrea Lusuardi uovobw at gmail.com
Tue Nov 27 12:10:13 GMT 2018


Greetings,
I have reached this bug by googling the reason Docker was refusing to
start on my Debian sid; it was erroring out with the following:

Nov 27 13:01:14 baol dockerd[15079]: time="2018-11-27T13:01:14.131445616+01:00" level=info msg="libcontainerd: new containerd process, pid: 15091"
Nov 27 13:01:15 baol dockerd[15079]: time="2018-11-27T13:01:15.133232104+01:00" level=warning msg="failed to rename /var/lib/docker/tmp for background deletion: %!s(<nil>). Deleting synchronously"
Nov 27 13:01:15 baol dockerd[15079]: time="2018-11-27T13:01:15.227253801+01:00" level=warning msg="devmapper: Usage of loopback devices is strongly discouraged for production use. Please use `--storage-opt dm.thinpooldev` or use `man docker` to refer to dm.thinpooldev section."
Nov 27 13:01:15 baol dockerd[15079]: time="2018-11-27T13:01:15.252706875+01:00" level=warning msg="devmapper: Base device already exists and has filesystem xfs on it. User specified filesystem  will be ignored."
Nov 27 13:01:15 baol dockerd[15079]: time="2018-11-27T13:01:15.308337832+01:00" level=info msg="[graphdriver] using prior storage driver: devicemapper"
Nov 27 13:01:15 baol dockerd[15079]: time="2018-11-27T13:01:15.335226999+01:00" level=info msg="Graph migration to content-addressability took 0.00 seconds"
Nov 27 13:01:15 baol dockerd[15079]: time="2018-11-27T13:01:15.335414930+01:00" level=warning msg="Your kernel does not support cgroup rt period"
Nov 27 13:01:15 baol dockerd[15079]: time="2018-11-27T13:01:15.335427499+01:00" level=warning msg="Your kernel does not support cgroup rt runtime"
Nov 27 13:01:15 baol dockerd[15079]: time="2018-11-27T13:01:15.335691372+01:00" level=info msg="Loading containers: start."
Nov 27 13:01:16 baol dockerd[15079]: time="2018-11-27T13:01:16.368680386+01:00" level=warning msg="could not create bridge network for id < bridge name docker0 while booting up from persistent state: Failed to program NAT chain: Failed to inject docker in PREROUTING chain: iptables failed: iptables --wait -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER: iptables v1.8.2 (nf_tables):  RULE_APPEND failed (Invalid argument): rule in chain PREROUTING\n (exit status 4)"
Nov 27 13:01:16 baol dockerd[15079]: time="2018-11-27T13:01:16.383664622+01:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
Nov 27 13:01:16 baol dockerd[15079]: Error starting daemon: Error initializing network controller: Error creating default "bridge" network: Failed to program NAT chain: Failed to inject docker in PREROUTING chain: iptables failed: iptables --wait -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER: iptables v1.8.2 (nf_tables):  RULE_APPEND failed (Invalid argument): rule in chain PREROUTING
Nov 27 13:01:16 baol dockerd[15079]:  (exit status 4)


This is due to Docker generating an erroneous iptables command line for the new iptables that came in during the last update cycle.
The problem is solved by running update-alternatives and selecting iptables-legacy as the default iptables binary.
I think this bug can be transferred to upstream Docker, as this is something they need to fix on their side.

Hope this helps,
saludos

-- 
Andrea Lusuardi  -  uovobw
 GPG ID: 1845639D313C1073
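The workaround above (check which iptables backend dockerd is hitting, then point the Debian alternative at iptables-legacy) as a small POSIX shell script. This is an added example, not part of the mail or of the Debian or Docker packages. It assumes the iptables 1.8 alternatives layout on Debian (`/usr/sbin/iptables-legacy`, `/usr/sbin/ip6tables-legacy`); the function names and the `--check`/`--apply` flags are the script's own. The sample log line is copied from the mail above; everything else is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original mail): detect the active iptables
# backend and, if it is the nf_tables one that dockerd 18.x cannot drive,
# switch the Debian alternatives to the legacy binaries.

# Classify one line of `iptables --version` output.
# iptables 1.8.x prints the backend in parentheses, e.g.
#   iptables v1.8.2 (nf_tables)   or   iptables v1.8.2 (legacy)
# iptables 1.6.x and older print no backend and were legacy-only.
# Prints: nft | legacy | unknown
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*)        echo nft ;;
        *"(legacy)"*)           echo legacy ;;
        "iptables v1."[0-7].*)  echo legacy ;;
        *)                      echo unknown ;;
    esac
}

# Does a dockerd journal line show the failure from the mail: a rule
# rejected by the nf_tables backend with "RULE_APPEND failed"?
# Returns 0 (true) when it does, 1 otherwise.
is_nft_rule_failure() {
    case "$1" in
        *"(nf_tables)"*"RULE_APPEND failed"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Line copied from the mail, used for the --check self-demonstration.
SAMPLE_LOG='dockerd[15079]: Error starting daemon: Error initializing network controller: Error creating default "bridge" network: Failed to program NAT chain: Failed to inject docker in PREROUTING chain: iptables failed: iptables --wait -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER: iptables v1.8.2 (nf_tables):  RULE_APPEND failed (Invalid argument): rule in chain PREROUTING'

# Point both alternatives at the legacy binaries (needs root).
# Assumption: Debian's iptables 1.8 package ships these paths.
switch_to_legacy() {
    update-alternatives --set iptables  /usr/sbin/iptables-legacy &&
    update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
}

# Report the backend found on this host; exit 2 when it is nf_tables so
# the script can be used as a check in provisioning.
check_host() {
    ver="$(iptables --version 2>/dev/null)" || {
        echo "iptables not found in PATH" >&2
        return 1
    }
    backend="$(iptables_backend "$ver")"
    echo "iptables backend: $backend ($ver)"
    if is_nft_rule_failure "$SAMPLE_LOG"; then
        echo "sample dockerd line matches the nf_tables RULE_APPEND failure"
    fi
    [ "$backend" != nft ] || return 2
}

# Only act when invoked with an explicit flag, so sourcing the file for
# its functions has no side effects.
case "${1:-}" in
    --check) check_host ;;
    --apply)
        if check_host; then
            echo "backend is not nf_tables; nothing to do"
        else
            echo "switching alternatives to iptables-legacy"
            switch_to_legacy
        fi
        ;;
esac
```

Run `sh iptables-backend.sh --check` to see which backend dockerd will get, and `--apply` as root to perform the switch from the mail. A failed `RULE_APPEND` here is worth treating as more than a startup nuisance: the rule dockerd could not install is the NAT jump that its published-port and isolation rules hang off, so a daemon that limps on without it is running without the firewall state it believes it has.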