[docker-in-docker] Not working on fedora kernel > 6.11.7-300.fc41.x86_64

Open michalholis opened this issue 1 year ago • 7 comments

Feature https://github.com/devcontainers/features/tree/main/src/docker-in-docker for some reason doesn't work for us on Fedora 41 on kernel versions 6.11.7-300.fc41.x86_64. Kernel 6.11.7-300.fc41.x86_64 is the last one working without issues. On any newer kernel any docker command returns Cannot connect to the Docker daemon at unix:/var/run/docker.sock. Is the docker daemon running?.

Communication fails on any docker command and fails even on clean Fedora installation.

michalholis avatar Jan 03 '25 23:01 michalholis

Hello @michalholis ,

Thank you for reporting the issue. I will check and get back on this.

With Regards, Kaniska

Kaniska244 avatar Jan 13 '25 13:01 Kaniska244

Same issue here on Bluefin which is a distro based on Fedora

David-337 avatar Jan 13 '25 13:01 David-337

Any updates on this?

HerrNaN avatar Jan 24 '25 08:01 HerrNaN

Some information and a workaround (debian bookworm docker image)

sudo dockerd --debug

failed to start daemon: Error initializing network controller: 
error obtaining controller instance: failed to register "bridge" driver: 
failed to create NAT chain DOCKER: iptables failed: iptables -t nat -N DOCKER: 
modprobe: FATAL: Module ip_tables not found in directory /lib/modules/6.12.11-200.fc41.x86_64
iptables v1.8.9 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
 (exit status 3)

The problem is that your host system does not load the ip_tables kernel module. If lsmod | grep ip_tables is empty you need to load the ip_tables kernel module.

To load the ip_tables kernel module you can run

sudo modprobe ip_tables

Permanent solution that survives reboots (I am using Fedora Silverblue): /etc/modules-load.d/ip_tables.conf

ip_tables

docker info finally working 🚀

matus-sabo avatar Feb 09 '25 11:02 matus-sabo

I suspect this might happen if you don't have the ip_tables module loaded, which is required for iptables-legacy to work. Most likely you only have the nf_tables module, which should be fine if you can use iptables-nft.

If I do this inside the container (using ubuntu as base):

sudo update-alternatives --set iptables /usr/sbin/iptables-nft
sudo dockerd

then it doesn't fail.

However, I can see that the docker-in-docker install script first installs the iptables package (which for me always provides both iptables-legacy and iptables-nft) and then links the iptables command to iptables-legacy if iptables-legacy is present, which results in iptables-legacy always being used and always failing if you don't have the ip_tables module.

https://github.com/devcontainers/features/blob/5c67da03b794f207e45aa34e04fddcb2fa3e5aaa/src/docker-in-docker/install.sh#L218-L222

I am not fully sure about that, but maybe the installation script should not link to iptables-legacy, but instead keep iptables linked to whatever it is linked to by default (which is iptables-nft in my case).

spietras avatar Feb 20 '25 21:02 spietras

@spietras Yes, you are right, loading the ip_tables kernel module resolves this issue 👍

matus-sabo avatar Feb 24 '25 06:02 matus-sabo

Based on spietras's workaround, I included this in my postCreateCommand script:

if ! docker info > /dev/null 2>&1; then
    sudo update-alternatives --set iptables /usr/sbin/iptables-nft
fi

And now Docker will run correctly inside the container.

AndhikaWB avatar Oct 25 '25 12:10 AndhikaWB
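The diagnosis in the thread (matus-sabo's modprobe fix and spietras's observation that the install script pins iptables to iptables-legacy, which needs the ip_tables module) can be turned into a small check that a postCreateCommand could run before dockerd starts. The script below is an added example, not code from the devcontainers/features project or from any commenter. It assumes lsmod-style module listings as input (on a real host you would feed it the output of lsmod or /proc/modules), the /usr/sbin/iptables-nft path quoted in the thread, and it only prints the command it would run rather than executing it:

```sh
#!/bin/sh
# Added example (not from the devcontainers/features project): decide which
# iptables backend a docker-in-docker daemon can use, based on which netfilter
# modules the host kernel has loaded, and print the remediation for that state.
# Input is lsmod-style text ("module size used-by" lines); /proc/modules has the
# same first column, so `cat /proc/modules` works inside a container without lsmod.

# has_module MODULE LSMOD_TEXT -> exit 0 if MODULE appears in column 1
has_module() {
    _mod=$1
    _lsmod=$2
    printf '%s\n' "$_lsmod" | awk -v m="$_mod" '$1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# choose_backend LSMOD_TEXT -> prints "legacy", "nft" or "none"
# iptables-legacy needs ip_tables; iptables-nft needs nf_tables.
choose_backend() {
    _lsmod=$1
    if has_module ip_tables "$_lsmod"; then
        echo legacy
    elif has_module nf_tables "$_lsmod"; then
        echo nft
    else
        echo none
    fi
}

# plan_fix LSMOD_TEXT -> prints what would make dockerd's
# "iptables -t nat -N DOCKER" step succeed (dry run: nothing is executed here).
plan_fix() {
    case $(choose_backend "$1") in
        legacy) echo "ok: ip_tables loaded, iptables-legacy works" ;;
        nft)    echo "update-alternatives --set iptables /usr/sbin/iptables-nft" ;;
        none)   echo "modprobe ip_tables (on the host; persist via /etc/modules-load.d/)" ;;
    esac
}

# Constructed lsmod excerpts (not captured from a real host) for the two
# states discussed in the thread: a Fedora 41 host exposing only nf_tables,
# and a host where ip_tables has been loaded.
LSMOD_NFT_ONLY='Module                  Size  Used by
nf_tables             323584  0
nfnetlink              20480  1 nf_tables'
LSMOD_LEGACY='Module                  Size  Used by
ip_tables              36864  2 iptable_filter,iptable_nat
nf_tables             323584  0'

main() {
    for s in "$LSMOD_NFT_ONLY" "$LSMOD_LEGACY"; do
        echo "backend: $(choose_backend "$s") -> $(plan_fix "$s")"
    done
}
main
```

The "none" case matters because a container cannot load kernel modules itself: if neither ip_tables nor nf_tables is present, the fix has to happen on the host, exactly as the thread concluded, and the devcontainer can only report it.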