docker-library / docker

Docker Official Image packaging for Docker
Apache License 2.0

docker:dind image fails with some NAT issue while starting the docker daemon #486

Open sujit-kulkarni opened 4 months ago

sujit-kulkarni commented 4 months ago

We are trying to use Docker-in-Docker for our use case via the official docker:dind image. But when dockerd-entrypoint.sh is executed to run the Docker daemon inside the container created from dind, it fails with the error below: failed to start daemon: Error initializing network controller: error obtaining controller instance: failed to register "bridge" driver: failed to create NAT chain DOCKER: iptables failed: iptables --wait -t nat -N DOCKER: iptables v1.8.10 (nf_tables): TABLE_ADD failed (Not supported): table nat (exit status 4)

Could you please help me with the resolution.

Thanks,

tianon commented 4 months ago

This is likely a missing kernel module (or a kernel compiled without support for nat).

lknite commented 3 months ago

I think I may be running into this as well. I used to be able to load up the docker image via a Jenkins / Kubernetes build on the fly, but it's failing with a TLS error when attempting docker login; I was not able to resolve the failed TLS verification after probably 30 attempts to provide a ca-bundle, ... Eventually I tried to disable it by setting DOCKER_TLS_CERTDIR='', which I attempted after taking a look at dockerd-entrypoint.sh.

The error I'm seeing is this:

# DOCKER_TLS_CERTDIR='' && /usr/local/bin/dockerd-entrypoint.sh 
cat: can't open '/proc/net/ip6_tables_names': No such file or directory
cat: can't open '/proc/net/arp_tables_names': No such file or directory
ip: can't find device 'nf_tables'
nf_tables             327680 3137 nft_chain_nat,nft_compat,nft_counter
nfnetlink              20480  4 ip_set,nf_conntrack_netlink,nft_compat,nf_tables
libcrc32c              16384  5 libceph,nf_nat,nf_conntrack,nf_tables,xfs
modprobe: can't change directory to '/lib/modules': No such file or directory
ip: can't find device 'ip_tables'
ip_tables              32768  2 iptable_nat,iptable_filter
modprobe: can't change directory to '/lib/modules': No such file or directory
iptables v1.8.10 (nf_tables)
mount: permission denied (are you root?)
Could not mount /sys/kernel/security.
AppArmor detection and --privileged mode might break.
mount: permission denied (are you root?)

Tried with docker:dind & docker:latest, not really sure which I need to be using.

          - name: docker
            image: docker:latest
            env:
            - name: DOCKER_TLS_CERTDIR
              value: ""
            tty: true
            securityContext:
              privileged: true

tianon commented 3 months ago

That sounds like it's not actually running with privileged mode enabled :thinking:
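
The two diagnoses in this thread (a kernel without nat support, per tianon's first reply, and a container that is not actually privileged, per the second) can be checked from inside the container before dockerd-entrypoint.sh is run. The script below is an added example written for this page; it is not part of the docker-library/docker project and not code from either commenter. It assumes that nft_chain_nat (nf_tables) or iptable_nat (legacy xtables) is the module that provides the nat table on the host kernel in question, uses a throwaway chain name DOCKER_PREFLIGHT so it does not touch the DOCKER chain dockerd creates, and the capability bit numbers are those from linux/capability.h.

```bash
#!/usr/bin/env bash
# Added example (not from docker-library/docker): preflight checks for a
# docker:dind container. Run as root inside the container, before dockerd.

# Capability bit numbers from linux/capability.h.
CAP_NET_ADMIN=12
CAP_SYS_ADMIN=21

# cap_set CAPEFF_HEX BIT -> exit 0 if BIT is set in the hex mask, which is the
# format of the "CapEff:" line in /proc/self/status.
cap_set() {
    local mask=$1 bit=$2
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# effective_caps -> prints the CapEff mask of the current process.
effective_caps() {
    awk '/^CapEff:/ {print $2}' /proc/self/status
}

# classify_iptables_error MESSAGE -> prints a short diagnosis for an iptables
# failure message such as the one quoted in this issue.
classify_iptables_error() {
    case "$1" in
        *"Not supported"*|*"Table does not exist"*)
            # nft TABLE_ADD refused (exit status 4): the running kernel has no
            # nat table support loaded or compiled in. Modules must be loaded
            # on the host; the dind image has no /lib/modules of its own.
            echo kernel-nat-unsupported ;;
        *"Permission denied"*|*"Operation not permitted"*)
            # netlink/iptables refused: CAP_NET_ADMIN is missing, i.e. the
            # container is not running privileged.
            echo insufficient-privileges ;;
        *)
            echo unknown ;;
    esac
}

# loaded_nat_modules -> prints which of the nat modules (assumed names) the
# host kernel currently has loaded, according to /proc/modules.
loaded_nat_modules() {
    awk '$1 == "nft_chain_nat" || $1 == "iptable_nat" {print $1}' /proc/modules 2>/dev/null
}

# dind_preflight -> runs all checks; returns 1 if any precondition fails.
dind_preflight() {
    local ok=0 caps msg
    caps=$(effective_caps)
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root (uid $(id -u)); dockerd-entrypoint.sh expects to run as root"; ok=1
    fi
    if ! cap_set "$caps" "$CAP_SYS_ADMIN" || ! cap_set "$caps" "$CAP_NET_ADMIN"; then
        echo "CapEff=$caps lacks CAP_SYS_ADMIN/CAP_NET_ADMIN; 'privileged: true' is not in effect"; ok=1
    fi
    # Same operation dockerd performs (create a chain in the nat table), with
    # a throwaway chain name that is removed again on success.
    if msg=$(iptables --wait -t nat -N DOCKER_PREFLIGHT 2>&1 >/dev/null); then
        iptables --wait -t nat -X DOCKER_PREFLIGHT
        echo "nat table usable; loaded nat modules: $(loaded_nat_modules | tr '\n' ' ')"
    else
        echo "nat table check failed ($(classify_iptables_error "$msg")): $msg"; ok=1
    fi
    return $ok
}

# To use as a script: dind_preflight && exec /usr/local/bin/dockerd-entrypoint.sh
```

A CapEff of 00000000a80425fb is the default unprivileged Docker container mask and has neither bit set, which is what "privileged: true not taking effect" looks like from inside; an all-ones mask such as 000001ffffffffff is what a privileged container sees. If the nat check reports kernel-nat-unsupported, loading the module on the host (not in the container) is the next step, since modprobe inside the image cannot find /lib/modules, as lknite's output shows.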