
Docker 18.09.1 doesn't work with iptables v1.8.2


Description

When I try to deploy a container and expose it on a port, it fails with this error:

docker run --rm -it -p 80:80 alpine

docker: Error response from daemon: driver failed programming external connectivity on endpoint unruffled_goldwasser (c99e441c46a8317bb62c99bbea46f289fe7a317b54bbe3abe51e83c21d709323):  (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 80 -j DNAT --to-destination 172.17.0.2:80 ! -i docker0: iptables v1.8.2 (legacy): unknown option "--to-destination"
Try `iptables -h' or 'iptables --help' for more information.
 (exit status 2)).

Steps to reproduce the issue:

  1. Run the above command with iptables 1.8.2

Describe the results you received:

docker run --rm -it -p 80:80 alpine

docker: Error response from daemon: driver failed programming external connectivity on endpoint unruffled_goldwasser (c99e441c46a8317bb62c99bbea46f289fe7a317b54bbe3abe51e83c21d709323):  (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 80 -j DNAT --to-destination 172.17.0.2:80 ! -i docker0: iptables v1.8.2 (legacy): unknown option "--to-destination"
Try `iptables -h' or 'iptables --help' for more information.
 (exit status 2)).

Output of docker version:

Client:
 Version:           18.09.2-ce
 API version:       1.39
 Go version:        go1.11.5
 Git commit:        62479626f2
 Built:             Mon Feb 11 23:58:17 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.09.1-ce
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.11.4
  Git commit:       4c52b901c6
  Built:            Thu Jan 10 06:50:46 2019
  OS/Arch:          linux/amd64
  Experimental:     false

Output of docker info:

Containers: 2
 Running: 1
 Paused: 0
 Stopped: 1
Images: 32
Server Version: 18.09.1-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9f2e07b1fc1342d1c48fe4d7bbb94cb6d1bf278b.m
runc version: ccb5efd37fb7c86364786e9137e22948751de7ed-dirty
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.19.20-1-MANJARO
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.49GiB
Name: cwr
ID: TU5A:APOO:S4OL:RAZH:ZCRD:ZKPP:5DCX:JU56:RZH2:QH4X:NMDY:X33X
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Output of iptables -V:

iptables v1.8.2 (legacy)
moby/moby

Answer by arkodg:

Hi @cwrau, looks like arch-linux (like Debian) has iptables-legacy as well. https://github.com/docker/libnetwork/pull/2343 should make sure iptables rules pushed by libnetwork can coexist with rules pushed by other firewall managers.
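
The daemon error from the report, taken apart as an added example (not part of the original thread or of Docker's code): these shell helpers pull out the rejected rule, its table, chain and target, and the iptables variant that refused it. Function names are hypothetical; the sample string is copied from the report above.

```shell
#!/bin/sh
# Added example: triage helpers for a dockerd "iptables failed" message.
# First line of the error quoted in the report (sample input, copied from the page).
SAMPLE_ERROR='docker: Error response from daemon: driver failed programming external connectivity on endpoint unruffled_goldwasser (c99e441c46a8317bb62c99bbea46f289fe7a317b54bbe3abe51e83c21d709323):  (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 80 -j DNAT --to-destination 172.17.0.2:80 ! -i docker0: iptables v1.8.2 (legacy): unknown option "--to-destination"'

# Classify the variant from an `iptables -V` style banner.
# iptables 1.8+ appends "(legacy)" or "(nf_tables)"; older builds print no tag.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        iptables\ v*)    echo untagged ;;
        *)               echo unknown ;;
    esac
}

# The command the daemon tried to run, as embedded in its error message.
failed_rule() {
    printf '%s\n' "$1" | sed -n 's/.*iptables failed: \(iptables .*\): iptables v.*/\1/p'
}

# The version banner iptables printed when it rejected the rule.
error_banner() {
    printf '%s\n' "$1" | sed -n 's/.*: \(iptables v[0-9][^:]*\): .*/\1/p'
}

# The option iptables reported as unknown.
rejected_option() {
    printf '%s\n' "$1" | sed -n 's/.*unknown option "\([^"]*\)".*/\1/p'
}

# Value following a flag in the rule, e.g. -t (table), -A (chain), -j (target).
rule_field() {
    printf '%s\n' "$1" | awk -v flag="$2" \
        '{ for (i = 1; i < NF; i++) if ($i == flag) { print $(i + 1); exit } }'
}

# One-line summary of what failed and which iptables variant refused it.
triage() {
    rule=$(failed_rule "$1")
    printf 'backend=%s table=%s chain=%s target=%s rejected=%s\n' \
        "$(iptables_backend "$(error_banner "$1")")" \
        "$(rule_field "$rule" -t)" "$(rule_field "$rule" -A)" \
        "$(rule_field "$rule" -j)" "$(rejected_option "$1")"
}

triage "$SAMPLE_ERROR"
```

On a live host, `iptables_backend "$(iptables -V)"` reports which variant the `iptables` command on the PATH resolves to, which is the detail the answer above turns on.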
