geerlingguy / ansible-role-docker_arm

Ansible Role - Docker for ARM and Pi
MIT License

Installing in recent Raspberry Pi OS (2022-01-28) fails due to nftables #34

Closed jonasc closed 2 years ago

jonasc commented 2 years ago

Just installed the most recent Raspberry Pi OS (2022-01-28, Debian 11.2) on a Raspberry Pi 4 and wanted to install docker_arm as basically the first thing.

- hosts: arm
  become: yes
  vars:
    pip_package: python3-pip
  roles:
    - geerlingguy.pip
    - geerlingguy.docker_arm

The installation failed due to docker not starting due to the following error (formatting for better readability is mine):

Running modprobe bridge br_netfilter failed with message:
    modprobe: WARNING: Module bridge not found in directory /lib/modules/5.10.92-v8+
    modprobe: WARNING: Module br_netfilter not found in directory /lib/modules/5.10.92-v8+
  error: exit status 1
Running iptables --wait -t nat -L -n failed with message:
    `iptables/1.8.7 Failed to initialize nft: Protocol not supported`
  error: exit status 1
…
failed to start daemon:
  Error initializing network controller:
    error obtaining controller instance:
      failed to create NAT chain DOCKER:
        iptables failed: iptables -t nat -N DOCKER:
          iptables/1.8.7 Failed to initialize nft: Protocol not supported

So apparently this seems to be due to Debian using nftables, which Docker is not able to use. Investigating how to solve this was basically people saying "either write nft rules yourself or configure Debian to use legacy iptables". I did the latter via

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

and it works fine after a reboot. Somehow nftables was mentioned in #14 but there was no further information to find.

I don't know whether reconfiguring in the above way would be sensible for this role (probably not?) but since it was mentioned explicitly somewhere that this role is mainly for Raspberry Pi OS it might be sensible to have some notice somewhere to make people aware?

I'm slightly confused that this problem hasn't come up yet, as Debian (and hence Raspberry Pi OS) has been using nftables for some time now. Or am I missing something?
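A triage sketch for the failure reported above, added here as an example and not part of the issue or the role: it classifies the quoted daemon error text and reports which iptables backend a host is using. The function names are hypothetical; the only external behaviour assumed is that iptables 1.8.x prints `(nf_tables)` or `(legacy)` in its `--version` output.

```shell
#!/bin/sh
# Added example: triage for the Docker start failure quoted in this issue.

# Map `iptables --version` output to the backend in use.
# iptables 1.8.x prints e.g. "iptables v1.8.7 (nf_tables)" or "... (legacy)".
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Read daemon log text on stdin and print one finding per line.
classify_docker_log() {
    log=$(cat)
    case "$log" in
        *"Failed to initialize nft: Protocol not supported"*) echo nft_unsupported ;;
    esac
    case "$log" in
        *"Module bridge not found"*|*"Module br_netfilter not found"*) echo bridge_modules_missing ;;
    esac
    case "$log" in
        *"failed to create NAT chain DOCKER"*) echo nat_chain_failed ;;
    esac
}

# Sample built from the error text quoted in the issue.
SAMPLE_LOG='modprobe: WARNING: Module bridge not found in directory /lib/modules/5.10.92-v8+
iptables/1.8.7 Failed to initialize nft: Protocol not supported
failed to create NAT chain DOCKER: iptables failed: iptables -t nat -N DOCKER'

# Live check; skips the backend query when iptables is not installed.
report() {
    if command -v iptables >/dev/null 2>&1; then
        echo "backend: $(iptables_backend "$(iptables --version 2>/dev/null)")"
    else
        echo "backend: iptables not installed"
    fi
    echo "running kernel: $(uname -r)"
}

printf '%s\n' "$SAMPLE_LOG" | classify_docker_log
report
```

Running `report` before and after the `update-alternatives` change shows whether the switch to the legacy backend actually took effect on the host.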

geerlingguy commented 2 years ago

It might be a relatively recent change in the version of Docker that's installed, actually. I need to boot up a fresh Pi and retest on it, as it's hard to account for all the version differences via CI on GitHub (since it's not running those tests on real Pis running Raspberry Pi OS).

jonasc commented 2 years ago

Okay, this is weird. I just did a fresh install (fresh Raspberry Pi OS) and now it works. I did not check any version in the previous run but now the docker-ce is 5:20.10.13~3-0~debian-bullseye. So I'll just close this issue as it has resolved itself and is not reproducible.