podman not running , because nf_tables not work.

[ghost]

Version

windows 11 latest

WSL Version

• WSL 2
• WSL 1

Kernel Version

5.10.81.1

Distro Version

ubuntu 22.04

Other Software

No response

Repro Steps

root@DESKTOP-7G94TC3:~# apt install podman
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
podman is already the newest version (3.2.1+ds1-2ubuntu3).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@DESKTOP-7G94TC3:~# podman run hello-world
Resolved "hello-world" as an alias (/etc/containers/registries.conf.d/shortnames.conf)
Trying to pull docker.io/library/hello-world:latest...
Getting image source signatures
Copying blob 2db29710123e done
Copying config feb5d9fea6 done
Writing manifest to image destination
Storing signatures
ERRO[0011] Error adding network: running [/usr/sbin/iptables -t nat -C CNI-c6500d9b0545f9b2bdd36cb1 -d 172.16.16.3/24 -j ACCEPT -m comment --comment name: "podman" id: "f0b196f127f9aded55b795dcb85ea9624e0c53941718547ab80e2e25f87914ce" --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ERRO[0011] Error while adding pod to CNI network "podman": running [/usr/sbin/iptables -t nat -C CNI-c6500d9b0545f9b2bdd36cb1 -d 172.16.16.3/24 -j ACCEPT -m comment --comment name: "podman" id: "f0b196f127f9aded55b795dcb85ea9624e0c53941718547ab80e2e25f87914ce" --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ERRO[0011] error loading cached network config: network "podman" not found in CNI cache
WARN[0011] falling back to loading from existing plugins on disk
ERRO[0011] Error tearing down partially created network namespace for container f0b196f127f9aded55b795dcb85ea9624e0c53941718547ab80e2e25f87914ce: Error while removing pod from CNI network "podman": running [/usr/sbin/iptables -t nat -D POSTROUTING -s 172.16.16.3 -j CNI-c6500d9b0545f9b2bdd36cb1 -m comment --comment name: "podman" id: "f0b196f127f9aded55b795dcb85ea9624e0c53941718547ab80e2e25f87914ce" --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
Error: error configuring network namespace for container f0b196f127f9aded55b795dcb85ea9624e0c53941718547ab80e2e25f87914ce: running [/usr/sbin/iptables -t nat -C CNI-c6500d9b0545f9b2bdd36cb1 -d 172.16.16.3/24 -j ACCEPT -m comment --comment name: "podman" id: "f0b196f127f9aded55b795dcb85ea9624e0c53941718547ab80e2e25f87914ce" --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match `comment':No such file or directory

Expected Behavior

container up and runing

Actual Behavior

root@DESKTOP-7G94TC3:~# apt install podman
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
podman is already the newest version (3.2.1+ds1-2ubuntu3).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@DESKTOP-7G94TC3:~# podman run hello-world
Resolved "hello-world" as an alias (/etc/containers/registries.conf.d/shortnames.conf)
Trying to pull docker.io/library/hello-world:latest...
Getting image source signatures
Copying blob 2db29710123e done
Copying config feb5d9fea6 done
Writing manifest to image destination
Storing signatures
ERRO[0011] Error adding network: running [/usr/sbin/iptables -t nat -C CNI-c6500d9b0545f9b2bdd36cb1 -d 172.16.16.3/24 -j ACCEPT -m comment --comment name: "podman" id: "f0b196f127f9aded55b795dcb85ea9624e0c53941718547ab80e2e25f87914ce" --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ERRO[0011] Error while adding pod to CNI network "podman": running [/usr/sbin/iptables -t nat -C CNI-c6500d9b0545f9b2bdd36cb1 -d 172.16.16.3/24 -j ACCEPT -m comment --comment name: "podman" id: "f0b196f127f9aded55b795dcb85ea9624e0c53941718547ab80e2e25f87914ce" --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ERRO[0011] error loading cached network config: network "podman" not found in CNI cache
WARN[0011] falling back to loading from existing plugins on disk
ERRO[0011] Error tearing down partially created network namespace for container f0b196f127f9aded55b795dcb85ea9624e0c53941718547ab80e2e25f87914ce: Error while removing pod from CNI network "podman": running [/usr/sbin/iptables -t nat -D POSTROUTING -s 172.16.16.3 -j CNI-c6500d9b0545f9b2bdd36cb1 -m comment --comment name: "podman" id: "f0b196f127f9aded55b795dcb85ea9624e0c53941718547ab80e2e25f87914ce" --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
Error: error configuring network namespace for container f0b196f127f9aded55b795dcb85ea9624e0c53941718547ab80e2e25f87914ce: running [/usr/sbin/iptables -t nat -C CNI-c6500d9b0545f9b2bdd36cb1 -d 172.16.16.3/24 -j ACCEPT -m comment --comment name: "podman" id: "f0b196f127f9aded55b795dcb85ea9624e0c53941718547ab80e2e25f87914ce" --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match `comment':No such file or directory

Diagnostic Logs

No response

[sirredbeard]

This is an issue with how podman is configured in Ubuntu.

Ubuntu 21.10 Impish is the only version of Ubuntu that has podman packaged from the main repository.

I am able to reproduce this on Ubuntu 21.10 Impish.

I am unable to reproduce this on openSUSE Tumbleweed.

This does not appear to be an issue with WSL and should be reported to Ubuntu via Launchpad.

Able to reproduce on Ubuntu 21.10 Impish:

root@T730:~# cat /etc/os-release
PRETTY_NAME="Ubuntu 21.10"
NAME="Ubuntu"
VERSION_ID="21.10"
VERSION="21.10 (Impish Indri)"
VERSION_CODENAME=impish
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=impish
root@T730:~# apt install podman
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
podman is already the newest version (3.2.1+ds1-2ubuntu3).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@T730:~# podman run hello-world
Resolved "hello-world" as an alias (/etc/containers/registries.conf.d/shortnames.conf)
Trying to pull docker.io/library/hello-world:latest...
Getting image source signatures
Copying blob 2db29710123e done
Copying config feb5d9fea6 done
Writing manifest to image destination
Storing signatures
ERRO[0014] Error adding network: running [/usr/sbin/iptables -t nat -C CNI-56d825da612bb9159cfef6e6 -d 172.16.16.2/24 -j ACCEPT -m comment --comment name: "podman" id: "efe4f5ffa0471434e5cbae22159ecf40a6ebe3d800e64dda5f3b8a5ef04b0035" --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ERRO[0014] Error while adding pod to CNI network "podman": running [/usr/sbin/iptables -t nat -C CNI-56d825da612bb9159cfef6e6 -d 172.16.16.2/24 -j ACCEPT -m comment --comment name: "podman" id: "efe4f5ffa0471434e5cbae22159ecf40a6ebe3d800e64dda5f3b8a5ef04b0035" --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ERRO[0014] error loading cached network config: network "podman" not found in CNI cache
WARN[0014] falling back to loading from existing plugins on disk
ERRO[0014] Error tearing down partially created network namespace for container efe4f5ffa0471434e5cbae22159ecf40a6ebe3d800e64dda5f3b8a5ef04b0035: Error while removing pod from CNI network "podman": running [/usr/sbin/iptables -t nat -D POSTROUTING -s 172.16.16.2 -j CNI-56d825da612bb9159cfef6e6 -m comment --comment name: "podman" id: "efe4f5ffa0471434e5cbae22159ecf40a6ebe3d800e64dda5f3b8a5ef04b0035" --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
Error: error configuring network namespace for container efe4f5ffa0471434e5cbae22159ecf40a6ebe3d800e64dda5f3b8a5ef04b0035: running [/usr/sbin/iptables -t nat -C CNI-56d825da612bb9159cfef6e6 -d 172.16.16.2/24 -j ACCEPT -m comment --comment name: "podman" id: "efe4f5ffa0471434e5cbae22159ecf40a6ebe3d800e64dda5f3b8a5ef04b0035" --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

root@T730:~#

Unable to reproduce on openSUSE Tumbleweed:

hayden@T730:/> sudo zypper install podman
[sudo] password for root:
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following 17 NEW packages are going to be installed:
  catatonit cni cni-plugins conmon fuse-overlayfs iptables libcontainers-common libfuse3-3 libip6tc2
  libnetfilter_conntrack3 libnfnetlink0 libnftnl11 libslirp0 podman runc slirp4netns xtables-plugins

17 new packages to install.
Overall download size: 43.4 MiB. Already cached: 0 B. After the operation, additional 144.1 MiB will be used.
Continue? [y/n/v/...? shows all options] (y): y
Retrieving package catatonit-0.1.6-2.2.x86_64                                     (1/17), 303.2 KiB (827.4 KiB unpacked)
Retrieving: catatonit-0.1.6-2.2.x86_64.rpm .......................................................................[done]
Retrieving package cni-0.8.1-1.4.x86_64                                           (2/17),   1.2 MiB (  5.8 MiB unpacked)
Retrieving: cni-0.8.1-1.4.x86_64.rpm .................................................................[done (2.4 KiB/s)]
Retrieving package conmon-2.0.30-1.2.x86_64                                       (3/17),  47.9 KiB (153.4 KiB unpacked)
Retrieving: conmon-2.0.30-1.2.x86_64.rpm .........................................................................[done]
Retrieving package libcontainers-common-20210626-6.2.noarch                       (4/17), 118.1 KiB (124.1 KiB unpacked)
Retrieving: libcontainers-common-20210626-6.2.noarch.rpm .........................................................[done]
Retrieving package libfuse3-3-3.10.5-1.3.x86_64                                   (5/17),  82.5 KiB (252.1 KiB unpacked)
Retrieving: libfuse3-3-3.10.5-1.3.x86_64.rpm .....................................................................[done]
Retrieving package libip6tc2-1.8.7-4.1.x86_64                                     (6/17),  46.0 KiB ( 34.9 KiB unpacked)
Retrieving: libip6tc2-1.8.7-4.1.x86_64.rpm ...........................................................[done (9.5 KiB/s)]
Retrieving package libnfnetlink0-1.0.1-12.6.x86_64                                (7/17),  28.8 KiB ( 53.0 KiB unpacked)
Retrieving: libnfnetlink0-1.0.1-12.6.x86_64.rpm ..................................................................[done]
Retrieving package libnftnl11-1.2.1-1.2.x86_64                                    (8/17),  72.9 KiB (200.0 KiB unpacked)
Retrieving: libnftnl11-1.2.1-1.2.x86_64.rpm ......................................................................[done]
Retrieving package libslirp0-4.6.1+7-1.3.x86_64                                   (9/17),  70.6 KiB (135.7 KiB unpacked)
Retrieving: libslirp0-4.6.1+7-1.3.x86_64.rpm .....................................................................[done]
Retrieving package runc-1.1.0~rc1-1.3.x86_64                                     (10/17),   2.9 MiB ( 10.4 MiB unpacked)
Retrieving: runc-1.1.0~rc1-1.3.x86_64.rpm ............................................................[done (4.4 MiB/s)]
Retrieving package cni-plugins-0.9.1-1.5.x86_64                                  (11/17),  23.6 MiB ( 64.2 MiB unpacked)
Retrieving: cni-plugins-0.9.1-1.5.x86_64.rpm .........................................................[done (6.7 MiB/s)]
Retrieving package fuse-overlayfs-1.7.1-1.2.x86_64                               (12/17),  66.2 KiB (137.7 KiB unpacked)
Retrieving: fuse-overlayfs-1.7.1-1.2.x86_64.rpm ..................................................................[done]
Retrieving package libnetfilter_conntrack3-1.0.8-2.7.x86_64                      (13/17),  49.6 KiB (122.8 KiB unpacked)
Retrieving: libnetfilter_conntrack3-1.0.8-2.7.x86_64.rpm ............................................[done (12.5 KiB/s)]
Retrieving package slirp4netns-1.1.11-1.3.x86_64                                 (14/17),  44.4 KiB ( 83.0 KiB unpacked)
Retrieving: slirp4netns-1.1.11-1.3.x86_64.rpm ....................................................................[done]
Retrieving package xtables-plugins-1.8.7-4.1.x86_64                              (15/17), 269.9 KiB (  1.9 MiB unpacked)
Retrieving: xtables-plugins-1.8.7-4.1.x86_64.rpm .................................................................[done]
Retrieving package iptables-1.8.7-4.1.x86_64                                     (16/17), 226.8 KiB (505.3 KiB unpacked)
Retrieving: iptables-1.8.7-4.1.x86_64.rpm ........................................................................[done]
Retrieving package podman-3.4.4-2.1.x86_64                                       (17/17),  14.4 MiB ( 59.2 MiB unpacked)
Retrieving: podman-3.4.4-2.1.x86_64.rpm ..............................................................[done (4.9 MiB/s)]

Checking for file conflicts: .....................................................................................[done]
( 1/17) Installing: catatonit-0.1.6-2.2.x86_64 ...................................................................[done]
( 2/17) Installing: cni-0.8.1-1.4.x86_64 .........................................................................[done]
( 3/17) Installing: conmon-2.0.30-1.2.x86_64 .....................................................................[done]
( 4/17) Installing: libcontainers-common-20210626-6.2.noarch .....................................................[done]
( 5/17) Installing: libfuse3-3-3.10.5-1.3.x86_64 .................................................................[done]
Additional rpm output:
/sbin/ldconfig: /usr/lib/wsl/lib/libcuda.so.1 is not a symbolic link
( 6/17) Installing: libip6tc2-1.8.7-4.1.x86_64 ...................................................................[done]
Additional rpm output:
/sbin/ldconfig: /usr/lib/wsl/lib/libcuda.so.1 is not a symbolic link
( 7/17) Installing: libnfnetlink0-1.0.1-12.6.x86_64 ..............................................................[done]
Additional rpm output:
/sbin/ldconfig: /usr/lib/wsl/lib/libcuda.so.1 is not a symbolic link
( 8/17) Installing: libnftnl11-1.2.1-1.2.x86_64 ..................................................................[done]
Additional rpm output:
/sbin/ldconfig: /usr/lib/wsl/lib/libcuda.so.1 is not a symbolic link
( 9/17) Installing: libslirp0-4.6.1+7-1.3.x86_64 .................................................................[done]
Additional rpm output:
/sbin/ldconfig: /usr/lib/wsl/lib/libcuda.so.1 is not a symbolic link
(10/17) Installing: runc-1.1.0~rc1-1.3.x86_64 ....................................................................[done]
(11/17) Installing: cni-plugins-0.9.1-1.5.x86_64 .................................................................[done]
(12/17) Installing: fuse-overlayfs-1.7.1-1.2.x86_64 ..............................................................[done]
(13/17) Installing: libnetfilter_conntrack3-1.0.8-2.7.x86_64 .....................................................[done]
Additional rpm output:
/sbin/ldconfig: /usr/lib/wsl/lib/libcuda.so.1 is not a symbolic link
(14/17) Installing: slirp4netns-1.1.11-1.3.x86_64 ................................................................[done]
(15/17) Installing: xtables-plugins-1.8.7-4.1.x86_64 .............................................................[done]
(16/17) Installing: iptables-1.8.7-4.1.x86_64 ....................................................................[done]
(17/17) Installing: podman-3.4.4-2.1.x86_64 ......................................................................[done]
Executing %posttrans scripts .....................................................................................[done]
hayden@T730:/> podman run hello-world
WARN[0000] "/" is not a shared mount, this could cause issues or missing mounts with rootless containers
✔ docker.io/library/hello-world:latest
Trying to pull docker.io/library/hello-world:latest...
Getting image source signatures
Copying blob 2db29710123e done
Copying config feb5d9fea6 done
Writing manifest to image destination
Storing signatures

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

hayden@T730:/>

[ghost]

Thank you @sirredbeard , openSuse god like.

[ghost]

For any one want to use OpenSuse Tumbleweed, if you were in china, you should choice using tuna mirror

openSUSE Tumbleweed 使用方法
禁用官方软件源

sudo zypper mr -da
添加 TUNA 镜像源

sudo zypper ar -cfg 'https://mirrors.tuna.tsinghua.edu.cn/opensuse/tumbleweed/repo/oss/' tuna-oss
sudo zypper ar -cfg 'https://mirrors.tuna.tsinghua.edu.cn/opensuse/tumbleweed/repo/non-oss/' tuna-non-oss
刷新软件源

sudo zypper ref

[ghost]

I also tested with debian, still got error.

root@DESKTOP-E9OC92M:~# podman run hello-world
ERRO[0000] unable to write pod event: "write unixgram @0000d->/run/systemd/journal/socket: sendmsg: no such file or directory"
ERRO[0000] Error adding network: running [/usr/sbin/iptables -t nat -C CNI-0d148e94f377c39f9619939f -d 172.16.16.2/24 -j ACCEPT -m comment --comment name: "podman" id: "808fff2058e21aa9d0f9e3e2a6a5e1ad853cc1d0afc3e4bf2a3c1c832affe809" --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ERRO[0000] Error while adding pod to CNI network "podman": running [/usr/sbin/iptables -t nat -C CNI-0d148e94f377c39f9619939f -d 172.16.16.2/24 -j ACCEPT -m comment --comment name: "podman" id: "808fff2058e21aa9d0f9e3e2a6a5e1ad853cc1d0afc3e4bf2a3c1c832affe809" --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
Error: error configuring network namespace for container 808fff2058e21aa9d0f9e3e2a6a5e1ad853cc1d0afc3e4bf2a3c1c832affe809: running [/usr/sbin/iptables -t nat -C CNI-0d148e94f377c39f9619939f -d 172.16.16.2/24 -j ACCEPT -m comment --comment name: "podman" id: "808fff2058e21aa9d0f9e3e2a6a5e1ad853cc1d0afc3e4bf2a3c1c832affe809" --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

[ghost]

My new question is :
is it a debian problem ? because ubuntu is base on debian ...

If i want to submit bug report, which is the right place.

Or anyone can take a look at this question?

[sirredbeard]

You can report WSL-specific bugs in Ubuntu on WSL here: https://bugs.launchpad.net/ubuntuwsl

You could then report and cross-reference the bug on the podman package itself in Ubuntu and Debian.

On Ubuntu search for the package and follow the link on the right to report it: https://packages.ubuntu.com/impish/podman

You can do the same on Debian: https://packages.debian.org/bookworm/podman and file the bug here: https://bugs.debian.org/podman

[davdr]

Based on my experience with Debian Sid, I suspect that:

• running podman rootless (i.e. as non-root user) won't give you this issue
• if you insist on running podman rootfull (i.e. as root user) you need to configure iptables-legacy to avoid this issue:

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

[awidjaja]

I would like to check if anyone working on this issue?

Not sure if @davdr suggestion will work but If you have to update something to use the legacy on the os, I would think that the issue is with Podman implementation.
I reported the issue in Podman but was just simply redirected to here. Now, it is again redirected to Ubuntu. Like a ping pong game.

Should we just give up and conclude that Podman can not replace docker yet as it is missing essential feature of running priviledge container which is required by podman itself to be able to run podman inside a podman container?

[davdr]

FWIW, Docker CE has exactly the same problem under WSL2: https://dev.to/lemosluan/comment/1nmi7
Looks like the WSL2 kernel is not compiled with the necessary flags for nftables to work.

[dinurp]

sudo update-alternatives --set iptables /usr/sbin/iptables-legacy

fixed the issue for me. I had podman 3.4.4 on ubuntu 22.04.
It appears that it's better to migrate to nftables. Perhaps fix is available in podman for a later release. A later release of podman is not available for ubuntu 22.04 yet.

[adminroot0000]

sudo update-alternatives --set iptables /usr/sbin/iptables-legacy

fixed the issue for me. I had podman 3.4.4 on ubuntu 22.04. It appears that it's better to migrate to nftables. Perhaps fix is available in podman for a later release. A later release of podman is not available for ubuntu 22.04 yet.

Works for me!

[microsoft-github-policy-service]

This issue has been automatically closed since it has not had any activity for the past year. If you're still experiencing this issue please re-file this as a new issue or feature request.

Thank you!