docker / for-mac

Bug reports for Docker Desktop for Mac
https://www.docker.com/products/docker#/mac

iptables issues issue running concourse on M1 #5547

Closed dixie-flatline-rom closed 3 years ago

dixie-flatline-rom commented 3 years ago

Expected behavior

working properly

Actual behavior

docker networking issue (?)

Information

Steps to reproduce the behavior

  1. deploy concourse

    # wget https://concourse-ci.org/docker-compose.yml
    # docker-compose up -d
    # fly -t tutorial login -c http://localhost:8080 -u test -p test

    I can access Concourse on http://localhost:8080 fine.

  2. deploy test pipeline

    # fly -t tutorial set-pipeline -p hello-world -c simple.yml
    # fly -t tutorial unpause-pipeline -p hello-world
    # fly -t tutorial trigger-job -j hello-world/job
    # fly -t tutorial watch -j hello-world/job
    initializing
    create resource config: base resource type not found: registry-image
    create resource config: base resource type not found: registry-image
    errored
  3. error within concourse container; it's unable to talk

    concourse_1 | {"timestamp":"2021-04-07T20:15:40.527314631Z","level":"error","source":"worker","message":"worker.beacon-runner.beacon.forward-conn.failed-to-dial","data":{"addr":"127.0.0.1:7777","error":"dial tcp 127.0.0.1:7777: connect: connection refused","network":"tcp","session":"4.1.5"}}

    And when I log onto concourse container:

    # iptables -L -n
    iptables v1.6.1: can't initialize iptables table `filter'

djs55 commented 3 years ago

@dixie-flatline-rom thanks for the report. Regarding iptables: can't initialise table 'filter' -- do you know in which context this is failing? If I run a privileged container, iptables seems to work, for example:

 % docker run -it --privileged --pid=host justincormack/nsenter1

/ # iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.3           tcp dpt:8080

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

dixie-flatline-rom commented 3 years ago

Thanks @djs55, I'm sorry, I just realised that the concourse container already runs privileged as per its manifest; my bad.

However, the error is still there, and I'm at a loss why this is; please see below.

concourse_1 | {"timestamp":"2021-04-07T19:52:26.323187222Z","level":"info","source":"atc","message":"atc.scanner.tick.end","data":{"session":"20.21"}}

concourse_1 | {"timestamp":"2021-04-07T19:52:27.311390416Z","level":"info","source":"worker","message":"worker.beacon-runner.beacon.forward-conn.retrying","data":{"addr":"127.0.0.1:7777","network":"tcp","session":"4.1.4"}}

concourse_1 | {"timestamp":"2021-04-07T19:52:27.312107666Z","level":"error","source":"worker","message":"worker.beacon-runner.beacon.forward-conn.failed-to-dial","data":{"addr":"127.0.0.1:7777","error":"dial tcp 127.0.0.1:7777: connect: connection refused","network":"tcp","session":"4.1.4"}}

On x86_64 arch (intel MacBook) it works perfectly fine, but on aarch64 (M1) it's throwing the above.

dixie-flatline-rom commented 3 years ago

The reason iptables is failing is that concourse/concourse is an x86_64 image, not aarch64.

I tried the rdclda/concourse container, which is an aarch64 build, and iptables works as expected in there.

Closing issue.
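
The root cause identified in this thread (an x86_64-only image running under emulation on an arm64 engine, so iptables cannot initialise the filter table inside the privileged worker) can be caught before deploying. The script below is an added example for this page; it is not code from the issue, Docker Desktop or Concourse, and the function names are my own. It assumes the `docker` CLI is on PATH and that the image ships an `iptables` binary (concourse/concourse does, as the output above shows). `normalize_arch` reconciles the `x86_64`/`aarch64` spellings used by `uname` with the `amd64`/`arm64` spellings used by OCI manifests and `docker version`; `check_image_arch` compares the pulled image with the engine; `check_iptables_in_image` repeats the `iptables -L -n` probe from the thread in a throwaway privileged container.

```shell
#!/bin/sh
# Added example, not code from the issue, Docker or Concourse: check whether an
# image will run under emulation on this Docker engine and whether iptables
# works inside it, before deploying something (like a Concourse worker) that
# programs netfilter from inside a privileged container.
# Assumptions: the `docker` CLI is on PATH and the image ships an `iptables`
# binary. All function names here are the author's own, not Docker's.

# Map the different spellings of one CPU architecture onto a single token:
# uname(1) says x86_64/aarch64, OCI manifests and `docker version` say amd64/arm64.
normalize_arch() {
  case "$1" in
    x86_64|amd64)   echo amd64 ;;
    aarch64|arm64)  echo arm64 ;;
    *)              echo "$1" ;;
  esac
}

# Exit 0 when two architecture names refer to the same CPU family.
arch_matches() {
  [ "$(normalize_arch "$1")" = "$(normalize_arch "$2")" ]
}

# Compare the architecture recorded in a local image with the engine's own.
# Returns 0 on match, 1 on mismatch (the image would run under emulation),
# 2 when docker itself fails (daemon down, image not pulled yet).
check_image_arch() {
  image=$1
  engine_arch=$(docker version --format '{{.Server.Arch}}') || return 2
  image_arch=$(docker image inspect --format '{{.Architecture}}' "$image") || return 2
  if arch_matches "$engine_arch" "$image_arch"; then
    echo "ok: $image is $image_arch, engine is $engine_arch"
    return 0
  fi
  echo "mismatch: $image is $image_arch but engine is $engine_arch (will run under emulation)" >&2
  return 1
}

# Show which architectures the registry publishes for the tag, so you know
# whether `docker pull --platform linux/arm64 IMAGE` is an option at all.
# Prints nothing for a tag that is a single-architecture image rather than a
# manifest list, which is exactly the case that bit this thread.
list_image_architectures() {
  docker manifest inspect "$1" \
    | grep -o '"architecture": *"[^"]*"' \
    | sed 's/.*: *"//; s/"$//' \
    | sort -u
}

# Exercise netfilter the way the worker would: iptables on the filter table
# inside a privileged container. --entrypoint bypasses the image's own
# entrypoint so only iptables runs. Drop the redirection to see the error text.
check_iptables_in_image() {
  docker run --rm --privileged --entrypoint iptables "$1" -L -n >/dev/null 2>&1
}

main() {
  image=$1
  rc=0
  check_image_arch "$image" || rc=$?
  if [ "$rc" -eq 1 ]; then
    echo "architectures published for $image:" >&2
    list_image_architectures "$image" >&2
  fi
  if check_iptables_in_image "$image"; then
    echo "ok: iptables can initialise the filter table inside $image"
  else
    echo "fail: iptables cannot initialise the filter table inside $image" >&2
    rc=1
  fi
  return "$rc"
}

# Only run the checks when an image is given, e.g.:
#   sh check-arch.sh concourse/concourse
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

On an M1 machine `docker version --format '{{.Server.Arch}}'` reports `arm64`, so an image whose `.Architecture` is `amd64` is the mismatch case. If `list_image_architectures` shows an `arm64` entry, re-pull with `docker pull --platform linux/arm64 IMAGE` and run the check again; if it shows nothing, the tag is single-architecture and the only fix is a native build, as the thread found with rdclda/concourse.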

djs55 commented 3 years ago

Thanks very much for letting me know. I didn't realise running the containers under emulation would affect iptables!

docker-robott commented 3 years ago

Closed issues are locked after 30 days of inactivity. This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows. /lifecycle locked