moby: Docker 18.09.1 doesn't work with iptables v1.8.2
Description
When I try to deploy a container and expose it on a port it failed with this error:
docker run --rm -it -p 80:80 alpine
docker: Error response from daemon: driver failed programming external connectivity on endpoint unruffled_goldwasser (c99e441c46a8317bb62c99bbea46f289fe7a317b54bbe3abe51e83c21d709323): (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 80 -j DNAT --to-destination 172.17.0.2:80 ! -i docker0: iptables v1.8.2 (legacy): unknown option "--to-destination"
Try `iptables -h' or 'iptables --help' for more information.
(exit status 2)).
Steps to reproduce the issue:
- Run the above command with iptables 1.8.2
Describe the results you received:
docker run --rm -it -p 80:80 alpine
docker: Error response from daemon: driver failed programming external connectivity on endpoint unruffled_goldwasser (c99e441c46a8317bb62c99bbea46f289fe7a317b54bbe3abe51e83c21d709323): (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 80 -j DNAT --to-destination 172.17.0.2:80 ! -i docker0: iptables v1.8.2 (legacy): unknown option "--to-destination"
Try `iptables -h' or 'iptables --help' for more information.
(exit status 2)).
Output of docker version:
Client:
Version: 18.09.2-ce
API version: 1.39
Go version: go1.11.5
Git commit: 62479626f2
Built: Mon Feb 11 23:58:17 2019
OS/Arch: linux/amd64
Experimental: false
Server:
Engine:
Version: 18.09.1-ce
API version: 1.39 (minimum version 1.12)
Go version: go1.11.4
Git commit: 4c52b901c6
Built: Thu Jan 10 06:50:46 2019
OS/Arch: linux/amd64
Experimental: false
Output of docker info:
Containers: 2
Running: 1
Paused: 0
Stopped: 1
Images: 32
Server Version: 18.09.1-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9f2e07b1fc1342d1c48fe4d7bbb94cb6d1bf278b.m
runc version: ccb5efd37fb7c86364786e9137e22948751de7ed-dirty
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 4.19.20-1-MANJARO
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.49GiB
Name: cwr
ID: TU5A:APOO:S4OL:RAZH:ZCRD:ZKPP:5DCX:JU56:RZH2:QH4X:NMDY:X33X
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Output of iptables -V:
iptables v1.8.2 (legacy)
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Reactions: 2
- Comments: 18 (3 by maintainers)
For anyone else stumbling upon this issue, this happened to me on Arch Linux after an upgrade and was resolved by a restart—no symlink required.
Here’s a workaround for arch users:
See Arch Linux Forums for more details.
Surprised this is closed. On latest docker latest PhotonOS with
iptables v1.8.0 (legacy), it’s broken and I see no workaround above or am I missing something?Is there any solution?
This is because
iptablesis failing to load the DNAT module (because of the-j DNATflag). Make sure you canmodprobe xt_nat.@CollinChaffin I had the same problem as you, so I upgraded iptables to 1.8.2, with that version of iptables the symlink hack:
Appears to work.
I see a similar error on Arch, complaining
unknown option "--dport". Note that Arch uses iptables with legacy interface for bothiptablesandiptables-legacy.Docker details
Output of
docker version:Output of
docker info:Try both
iptables-nftandiptables-legacyif you’re not sure which one works on your system. In my case I have to linkiptables-legacyasiptablesto fix it. Hope it helps.