Unable to enable SKIP DNAT rule #211

Closed
quietone1 opened this issue Nov 17, 2017 · 17 comments

@quietone1

Using the docker-compose.yml without changes and can't bring up the Vanilla Drupal. I have disabled my firewall and stopped local apache.

Codebase

Built-in vanilla Drupal

Host OS

Debian Stretch

Docker info output

$ docker info
Containers: 5
 Running: 4
 Paused: 0
 Stopped: 1
Images: 8
Server Version: 17.09.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 06b9cb35161009dcb7123345749fef02f7cea8e0
runc version: 3f2f8b84a77f73d38244dd690525642a72156c64
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.9.0-4-amd64
Operating System: Debian GNU/Linux 9 (stretch)
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.6GiB
Name: ithilien
ID: ZXR4:MQLX:4HLZ:YQNH:EJJE:5S4Q:RXA2:V4OO:T7VF:MGMQ:2ISN:246V
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

Docker compose file

Unchanged Vanilla Drupal

Logs output

$ docker-compose --version
docker-compose version 1.17.1, build 6d101fb
vicki@ithilien [Z:1] {~/projects/d8dev1}$ docker-compose up
Creating d8dev1_mailhog_1 ... 
Creating d8dev1_php_1 ... 
Creating d8dev1_mariadb_1 ... 
Creating d8dev1_traefik_1 ... 
Creating d8dev1_portainer_1 ... 
Creating d8dev1_mailhog_1
Creating d8dev1_traefik_1
Creating d8dev1_mariadb_1
Creating d8dev1_php_1
Creating d8dev1_traefik_1 ... error

ERROR: for d8dev1_traefik_1  Cannot start service traefik: driver failed programming external connectivity on endpoint d8dev1_traefik_1 (12a3d445804deecbc9a5c7a915d8f7a04047eb1cefa8bd8b66af215888cd19e2):  (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 8000 -j DNAT --to-destination 172.18.0.3:80 ! -i br-e6cfc0b238c6: iptables: No chain/target/match by that name.
Creating d8dev1_php_1 ... done
Creating d8dev1_nginx_1 ... 
Creating d8dev1_nginx_1 ... done

ERROR: for traefik  Cannot start service traefik: driver failed programming external connectivity on endpoint d8dev1_traefik_1 (12a3d445804deecbc9a5c7a915d8f7a04047eb1cefa8bd8b66af215888cd19e2):  (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 8000 -j DNAT --to-destination 172.18.0.3:80 ! -i br-e6cfc0b238c6: iptables: No chain/target/match by that name.
 (exit status 1))
ERROR: Encountered errors while bringing up the project.

@quietone1
Author

quietone1 commented Nov 19, 2017

Found that I had missed some permission settings, https://docker4drupal.readthedocs.io/en/latest/permissions/. I have implemented that, removed all images (wanted to start from scratch) now it fails immediately.

$ docker-compose up -d
Creating network "d8dev1_default" with the default driver
ERROR: Failed to Setup IP tables: Unable to enable SKIP DNAT rule:  (iptables failed: iptables --wait -t nat -I DOCKER -i br-e50975111d95 -j RETURN: iptables: No chain/target/match by that name.
 (exit status 1))

@csandanov
Member

moby/moby#16816 looks like your issue, try restarting docker

@andydempster

@csandanov I am getting a slightly different message having just updated to the latest Docker for Windows:

ERROR: for traefik  Cannot start service traefik: driver failed programming external connectivity on endpoint withcode_traefik_1 (ade1a7b44fbf636d0fab1509871590731c6f6fbe871c3f0b930cd9279f04ba8d): Error starting userland proxy: mkdir /port/tcp:0.0.0.0:8080:tcp:172.18.0.8:8080: input/output error

Docker info

Containers: 40
 Running: 0
 Paused: 0
 Stopped: 40
Images: 22
Server Version: 17.09.1-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 06b9cb35161009dcb7123345749fef02f7cea8e0
runc version: 3f2f8b84a77f73d38244dd690525642a72156c64
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.9.49-moby
Operating System: Alpine Linux v3.5
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.837GiB
Name: moby
ID: MM3I:CMVG:SP3S:IZSN:HYZE:PFPR:F57C:WIIU:4COF:KRSI:2X4I:3XDR
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 16
 Goroutines: 26
 System Time: 2017-12-20T11:40:07.2889526Z
 EventsListeners: 0
Registry: https://index.docker.io/v1/
Experimental: true
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

@quietone1
Author

Any ideas how I can get this working? I have basic networking skills and debugging this is beyond my skills.

I rebooted, then removed any trace of anything setup for my LXC environments, devices, port forwarding and stopped the firewall.

With Vanilla

Creating network "d8vanilla_default" with the default driver
ERROR: cannot create network 9a0587103507331724cd364b85dec34268ac8539fac72749401a88bee3581ce7 (br-9a0587103507): conflicts with network 6c25bf895a9447476ecad026b05c1d8f0d4f34246ccb745c63828e18d78db25e (br-6c25bf895a94): networks have overlapping IPv4

With mounted codebase

$ docker-compose up -d
Creating network "drupal_default" with the default driver
ERROR: Failed to Setup IP tables: Unable to enable SKIP DNAT rule:  (iptables failed: iptables --wait -t nat -I DOCKER -i br-6c25bf895a94 -j RETURN: iptables: No chain/target/match by that name.
 (exit status 1))

quietone1 changed the title from "Cannot start service traefik" to "Unable to enable SKIP DNAT rule" on Feb 17, 2018
@quietone1
Author

changed the title in the hope of getting a response. I really want to be able to use this.

@quietone1
Author

After further searching, stress, and much starting/stopping of processes I finally found the magical incantation to get this to work. The simplest way is to restart docker. Of course, I needed to modify the firewall config (I use firehol) to accommodate the interfaces this docker setup uses.

Today was the test. I booted, started my existing LXC containers and did some work. At a break, I decided to test docker4drupal. Running docker-compose up -d resulted in the same error about DNAT. I then did sudo systemcel restart docker, then ran docker-compose up -d and I was amazed that there were no errors. And even more amazed that I could access the site at port 8000 and my LXC containers are still working as expected.

Closing this issue.

@SebastianRoll

SebastianRoll commented Jan 3, 2019

For anyone who stumbles upon this closed issue:

sudo systemcel restart docker should be sudo systemctl restart docker

@sambapython

I restarted docker three times but it's showing the same error: Internal Server Error ("Failed to Setup IP tables: Unable to enable SKIP DNAT rule: (iptables failed: iptables --wait -t nat -I DOCKER -i br-38e86077394a -j RETURN: iptables: No chain/target/match by that name.\n (exit status 1))")"

Can anyone please tell me another way to solve this error?

@sambapython

Executing the command iptables -t filter -N DOCKER and then restarting docker solved the issue. You may get this issue if you stop firewalld after installing docker. If you stop firewalld before installing docker, then you may not get this issue.
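
A diagnostic for the failure discussed in this thread, added here as an example and not code from the thread or the project: the "No chain/target/match by that name" error on `-t nat -I DOCKER` is what iptables returns when the DOCKER chain is absent from that table, so the script reads `iptables-save` output and lists which of the nat and filter tables lack it. The function name and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: names and sample dumps below are constructed for illustration.

# Constructed iptables-save dump: nat table was flushed, filter still has DOCKER.
SAMPLE_FLUSHED='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
COMMIT'

# Constructed dump with DOCKER declared in both tables (after a daemon restart).
SAMPLE_HEALTHY='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:DOCKER - [0:0]
COMMIT'

# Read iptables-save text on stdin; print the tables (nat, filter) with no DOCKER chain.
missing_docker_chains() {
  awk '
    /^\*/       { table = substr($0, 2) }      # "*nat" starts the nat table
    /^:DOCKER / { have[table] = 1 }            # ":DOCKER - [0:0]" declares the chain
    END {
      out = ""
      n = split("nat filter", want, " ")
      for (i = 1; i <= n; i++)
        if (!(want[i] in have)) out = out (out == "" ? "" : " ") want[i]
      print out
    }'
}

# Live check (needs root): sh thisfile.sh --live
if [ "${1:-}" = "--live" ]; then
  missing=$(iptables-save | missing_docker_chains)
  if [ -n "$missing" ]; then echo "DOCKER chain missing in: $missing"; else echo "DOCKER chains present"; fi
fi
```

Running it before and after starting, stopping or reloading a firewall manager shows whether that action is what removes the chains.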

@devolity

For anyone who stumbles upon this closed issue:

sudo systemcel restart docker should be sudo systemctl restart docker

Great, do more steps to fix it.

  • systemctl restart docker
  • docker-compose up -d
  • iptables --wait -t nat -I DOCKER -i br-f5bd2117dbd3 -j RETURN

This fixes this permanently.

@far0ouk

far0ouk commented Nov 24, 2021

sudo systemctl restart docker.socket

@luannbertaud

Actually, for me it turns out that this error disappears when I reactivate my firewall ...
sudo systemctl start firewalld.service

@jrCleber

$ sudo systemctl restart docker.socket

This command above worked for me.

@vimarshacooray

I don't think this should be closed right now. No one got to the bottom of this. Restarting docker is not a good fix.

The way I see it, some other service is interfering. A firewall, I guess.

@yejuns

yejuns commented Mar 15, 2023

I want to know the cause of this problem, maybe the docker file is written incorrectly

@Phobia-Cosmos

Can anyone figure out the root source of this problem?

@Martiix

Martiix commented Feb 15, 2024

We regularly hit this as we start and stop docker networks all the time, and restarting the docker daemon is only a temporary fix, trying to find out how to prevent it from happening in the first place, but if anyone has discovered something, keep me posted :)
