Open AndyEWang opened 1 year ago
Same issue with RPM-based containers.
For example, fedora:36 docker image running on:
You can't use iptables in qemu if you use a different architecture than the one from the host.
@zandercodes Thanks for your reply. Does qemu-aarch64-static plan to support it?
You can try docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
and docker run --rm -it arm64v8/alpine:3.17.3 sh
root@ZanderCodes ~ # docker run --rm --cap-add=NET_ADMIN --cap-add=NET_RAW -it arm64v8/alpine:3.17.3 sh
WARNING: The requested image's platform (linux/arm64/v8) does not match the detected host platform (linux/amd64/v3) and no specific platform was requested
/ # apk add iptables
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/aarch64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/aarch64/APKINDEX.tar.gz
(1/3) Installing libmnl (1.0.5-r0)
(2/3) Installing libnftnl (1.2.4-r0)
(3/3) Installing iptables (1.8.8-r2)
Executing busybox-1.35.0-r29.trigger
OK: 15 MiB in 18 packages
/ # /sbin/iptables-nft -v
iptables: Failed to initialize nft: Protocol not supported
/ # /sbin/iptables -v
iptables v1.8.8 (legacy): no command specified
Try `iptables -h' or 'iptables --help' for more information.
/ #
With emulation it is not working. Without it, it works.
root@ZanderCodes ~ # docker run --rm --cap-add=NET_ADMIN --cap-add=NET_RAW -it alpine:3.17.3 sh
Unable to find image 'alpine:3.17.3' locally
3.17.3: Pulling from library/alpine
f56be85fc22e: Already exists
Digest: sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126
Status: Downloaded newer image for alpine:3.17.3
/ # apk add iptables
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
(1/3) Installing libmnl (1.0.5-r0)
(2/3) Installing libnftnl (1.2.4-r0)
(3/3) Installing iptables (1.8.8-r2)
Executing busybox-1.35.0-r29.trigger
OK: 9 MiB in 18 packages
/ # /sbin/iptables-nft -v
iptables v1.8.8 (nf_tables): no command specified
Try `iptables -h' or 'iptables --help' for more information.
/ #
@zandercodes Actually, we want your first case to work. So we cannot rely on qemu-aarch64-static to run arm64 alpine container on amd64 host, right? I mean qemu-aarch64-static cannot simulate iptables inside arm64 container on the amd64 host.
Same here on M1 Mac with toolbox running x86 container on qemu-user-static-x86.
[root@toolbox ~]# iptables-nft -L
iptables: Failed to initialize nft: Protocol not supported
⬢[root@toolbox ~]#
Surprisingly everything works fine with rosetta.
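An added example (not part of the thread and not code from the qemu-user-static project): a preflight that a container entrypoint could run so that it fails closed when `iptables-nft` cannot initialise, as in the emulated sessions above. The function names are hypothetical; the matched strings are the ones shown in the output quoted in this thread.

```shell
#!/bin/sh
# Added example: preflight for an entrypoint that depends on nftables-backed iptables.

# Map iptables output text to a backend state.
# The patterns are the strings that appear in the sessions quoted in this thread.
classify_backend() {
    case "$1" in
        *"Failed to initialize nft"*) echo nft-unavailable ;;
        *"(nf_tables)"*)              echo nf_tables ;;
        *"(legacy)"*)                 echo legacy ;;
        *)                            echo unknown ;;
    esac
}

# Run "<cmd> --version" and classify its combined stdout and stderr.
# A missing binary or unrecognised output is reported as "unknown".
probe_backend() {
    out=$("$1" --version 2>&1) || true
    classify_backend "$out"
}

# Fail closed: return 0 only when the nf_tables backend initialised.
# $1 is the command to probe (assumed default: iptables-nft on PATH).
require_nft() {
    state=$(probe_backend "${1:-iptables-nft}")
    if [ "$state" = nf_tables ]; then
        return 0
    fi
    echo "preflight: iptables-nft backend is '$state'; not starting without firewall rules" >&2
    return 1
}
```

Call `require_nft || exit 1` before any step that loads rules, so a container started under user-mode emulation stops instead of running with no rules applied.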
Is this a bug report, feature (enhancement) request or question? (leave only one on its own line)
/kind enhancement
Description: Running cmd iptables-nft shows "nft: Protocol not supported" in the container using arm64 alpine with qemu-aarch64-static.
Steps to reproduce the issue:
using CentOS Linux release 7.8.2003 (Core)
docker run --rm --privileged multiarch/qemu-user-static --reset
docker run --rm -it -v "/usr/bin/qemu-aarch64-static:/usr/bin/qemu-aarch64-static" alpine:3.17.3 sh
apk add iptables
/sbin/iptables-nft --version
Describe the results you received:
/ # /sbin/iptables-nft --version
iptables: Failed to initialize nft: Protocol not supported
Describe the results you expected: Should be the same output as alpine linux/amd64.
/ # iptables-nft --version
iptables v1.8.8 (nf_tables)
Environment: CentOS Linux release 7.8.2003 (Core)
Output of
docker version