nerdctl
failed to call cni.Setup: plugin type=\"bridge\" in WSL 2 Ubuntu (`iptables v1.8.7 (nf_tables): Couldn't load match comment':No such file or directory`)
Description
I installed nerdctl in WSL2 Ubuntu according to the manual written here: https://www.guide2wsl.com/nerdctl/
When I tried to execute a very simple container I get the following error:
nerdctl run --name dockertest --rm library/alpine:3.15.2 cat /etc/os-release
FATA[0000] failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error running hook #0: error running hook: exit status 1, stdout: , stderr: time="2022-08-21T12:32:19+02:00" level=fatal msg="failed to call cni.Setup: plugin type="bridge" failed (add): running [/usr/sbin/iptables -t nat -C CNI-a3fb18da4949f1d67d725de8 -d 10.4.0.9/24 -j ACCEPT -m comment --comment name: "bridge" id: "default-99e8113b1d25442c4dad3cdfaa05d0800f3889e21da860010c15b359995072dd" --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match comment':No such file or directory\n\nTry
iptables -h' or 'iptables --help' for more information.\n"
Failed to write to log, write /var/lib/nerdctl/1935db59/containers/default/99e8113b1d25442c4dad3cdfaa05d0800f3889e21da860010c15b359995072dd/oci-hook.createRuntime.log: file already closed: unknown
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 6a:cd:e1:dd:c1:3f brd ff:ff:ff:ff:ff:ff
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 4e:29:2c:e8:3c:d3 brd ff:ff:ff:ff:ff:ff
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:81:75:77 brd ff:ff:ff:ff:ff:ff
    inet 172.28.236.57/20 brd 172.28.239.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fe81:7577/64 scope link
       valid_lft forever preferred_lft forever
5: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
6: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
10: nerdctl0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 36:8b:ce:8d:65:73 brd ff:ff:ff:ff:ff:ff
    inet 10.4.0.1/24 brd 10.4.0.255 scope global nerdctl0
       valid_lft forever preferred_lft forever
    inet6 fe80::348b:ceff:fe8d:6573/64 scope link
       valid_lft forever preferred_lft forever
14: vxlan.calico: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
    link/ether 66:90:8c:69:1a:0a brd ff:ff:ff:ff:ff:ff
    inet 10.1.248.0/32 scope global vxlan.calico
       valid_lft forever preferred_lft forever
    inet6 fe80::6490:8cff:fe69:1a0a/64 scope link
       valid_lft forever preferred_lft forever
15: cali62cb22bc9d0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netns cni-a7477ab4-656c-c1ea-61d6-cdf319005308
    inet6 fe80::ecee:eeff:feee:eeee/64 scope link
       valid_lft forever preferred_lft forever
16: calib4a67d3158c@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netns cni-d466572b-61fc-38bb-4a40-b9c6541dac98
    inet6 fe80::ecee:eeff:feee:eeee/64 scope link
       valid_lft forever preferred_lft forever
17: cali6305936823c@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netns cni-fbbd5937-4a36-362f-ac42-1be5113e05d5
    inet6 fe80::ecee:eeff:feee:eeee/64 scope link
       valid_lft forever preferred_lft forever
18: cali1e1ce0347b8@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netns cni-02b1ea0a-6676-dcf7-6803-d77de3ff7bfc
    inet6 fe80::ecee:eeff:feee:eeee/64 scope link
       valid_lft forever preferred_lft forever
19: cali18e167d9790@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netns cni-e5d32f22-8aeb-a9fd-253b-a0b08579258c
    inet6 fe80::ecee:eeff:feee:eeee/64 scope link
       valid_lft forever preferred_lft forever
20: calib6079fd9e90@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netns cni-d23b3b9d-1ec3-974a-b0a0-a607e5423660
    inet6 fe80::ecee:eeff:feee:eeee/64 scope link
       valid_lft forever preferred_lft forever
21: cali5e33b8766de@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netns cni-272d6aa6-962b-9d15-4c8d-d9e474e12bee
    inet6 fe80::ecee:eeff:feee:eeee/64 scope link
       valid_lft forever preferred_lft forever
sudo cat /etc/cni/net.d/nerdctl-bridge.conflist
[sudo] password for hypeit:
{
  "cniVersion": "1.0.0",
  "name": "bridge",
  "nerdctlID": "17f29b073143d8cd97b5bbe492bdeffec1c5fee55cc1fe2112c8b9335f8b6121",
  "nerdctlLabels": {},
  "plugins": [
    {
      "type": "bridge",
      "bridge": "nerdctl0",
      "isGateway": true,
      "ipMasq": true,
      "hairpinMode": true,
      "ipam": {
        "ranges": [
          [
            {
              "gateway": "10.4.0.1",
              "subnet": "10.4.0.0/24"
            }
          ]
        ],
        "routes": [
          {
            "dst": "0.0.0.0/0"
          }
        ],
        "type": "host-local"
      }
    },
    {
      "type": "portmap",
      "capabilities": {
        "portMappings": true
      }
    },
    {
      "type": "firewall",
      "backend": "iptables",
      "ingressPolicy": "same-bridge"
    },
    {
      "type": "tuning"
    }
  ]
}
Steps to reproduce the issue
- wget -q "https://github.com/containerd/nerdctl/releases/download/v0.22.0/nerdctl-full-0.22.0-linux-${archType}.tar.gz" -O /tmp/nerdctl.tar.gz && tar -C ~/.local -xzf /tmp/nerdctl.tar.gz libexec
- sudo containerd &
- export CNI_PATH=~/.local/libexec/cni
- nerdctl run --name dockertest --rm library/alpine:3.15.2 cat /etc/os-release
Describe the results you received and expected
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.15.2
PRETTY_NAME="Alpine Linux v3.15"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
What version of nerdctl are you using?
0.22.0
Are you using a variant of nerdctl? (e.g., Rancher Desktop)
No response
Host information
❯ nerdctl info
Client:
 Namespace: default
 Debug Mode: false

Server:
 Server Version: 1.6.4-0ubuntu1
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Log: fluentd journald json-file
  Storage: native overlayfs
 Security Options:
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.10.102.1-microsoft-standard-WSL2
 Operating System: Ubuntu Kinetic Kudu (development branch)
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 11.69GiB
 Name: A6328343
 ID: 0b87a3ef-ab69-4f8d-9af9-05f5a5ecc1f6
WARNING: No swap limit support
Is CONFIG_NETFILTER_XT_MATCH_COMMENT set on your kernel?
You might need to load xt_comment.ko
Right now it should be enabled since I use a standard WSL2 kernel which actually contains that: https://github.com/microsoft/WSL2-Linux-Kernel/blob/linux-msft-wsl-5.15.y/Microsoft/config-wsl Line 1125
I will mention that other tools using iptables work just fine, I was thinking about
update-alternatives --set iptables /usr/sbin/iptables-legacy
Is there any chance it would help?
For what it's worth, I ran into this same issue when running the nerdctl container in a GKE environment this morning. After setting iptables to legacy mode, I was able to run all commands without error.
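A check for the two questions raised in this thread (which iptables backend is active, and whether the running kernel provides the `comment` match), as an added example that is not part of the original issue or of nerdctl. The helper names are hypothetical, and it assumes the kernel exposes its configuration at /proc/config.gz.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of nerdctl or CNI.

# Map `iptables --version` text, e.g. "iptables v1.8.7 (nf_tables)", to a backend.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Kernel config text on stdin; print y, m or unset for symbol $1.
# "# CONFIG_FOO is not set" lines never match, so they report unset.
kconfig_state() {
    awk -F= -v sym="$1" '$1 == sym { s = $2 } END { print (s == "" ? "unset" : s) }'
}

# /proc/modules-style text on stdin; exit 0 if module $1 is listed.
module_loaded() {
    awk -v mod="$1" '$1 == mod { found = 1 } END { exit !found }'
}

# $1 = kconfig state (y|m|unset|unknown), $2 = loaded|absent
comment_match_verdict() {
    case "$1:$2" in
        y:*)       echo builtin ;;            # compiled in, never listed in /proc/modules
        *:loaded)  echo module-loaded ;;
        m:absent)  echo module-not-loaded ;;  # the "load xt_comment.ko" case
        unset:*)   echo not-in-kernel ;;
        *)         echo unknown ;;
    esac
}

# Query the running system rather than a config file from a source tree.
diagnose_live() {
    sym=CONFIG_NETFILTER_XT_MATCH_COMMENT
    backend=$(iptables_backend "$(iptables --version 2>/dev/null)")
    if [ -r /proc/config.gz ]; then
        state=$(gzip -dc /proc/config.gz | kconfig_state "$sym")
    else
        state=unknown
    fi
    if module_loaded xt_comment < /proc/modules; then loaded=loaded; else loaded=absent; fi
    echo "backend=$backend $sym=$state xt_comment=$(comment_match_verdict "$state" "$loaded")"
}

if [ "${1:-}" = "--live" ]; then diagnose_live; fi
```

Run it with `--live` on the affected host: it reads the configuration of the running kernel (5.10.102.1 in the `nerdctl info` output above), which can differ from a config file on another branch of the kernel repository.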