iptables: No chain/target/match by that name (docker0) #1

Closed
irvingpop opened this issue Sep 21, 2015 · 6 comments

@irvingpop

@zuazo thank you for the awesome work on this and the kitchen-in-travis project!

Trying this out, I get the following error:

>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: Failed to complete #create action: [Expected process to exit with [0], but received '1'
---- Begin output of sudo -E docker -H unix:///var/run/docker.sock run -d -p 22 --privileged 257aa6d29777 /sbin/init ----
STDOUT: 47a26ff83cdc15c4ff86566072465fc2235951245ab0533ff127171a67dfd99d
STDERR: Error response from daemon: Cannot start container 47a26ff83cdc15c4ff86566072465fc2235951245ab0533ff127171a67dfd99d: iptables failed: iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.17 --dport 22 -j ACCEPT: iptables: No chain/target/match by that name.
 (exit status 1)
---- End output of sudo -E docker -H unix:///var/run/docker.sock run -d -p 22 --privileged 257aa6d29777 /sbin/init ----
Ran sudo -E docker -H unix:///var/run/docker.sock run -d -p 22 --privileged 257aa6d29777 /sbin/init returned 1]
>>>>>> ----------------------

Have you seen this by any chance?
(ref: https://travis-ci.org/chef-cookbooks/supermarket-omnibus-cookbook/jobs/81497586#L475 )

@irvingpop
Author

FWIW looks like this repo is having the same issue: https://travis-ci.org/zuazo/kitchen-in-travis-native/jobs/79999390

@zuazo
Owner

zuazo commented Sep 22, 2015

@irvingpop thanks for the issue.

I pushed a commit that should fix this error (82f57d5). Please, let me know if the solution works for you.

More information here: travis-ci/travis-ci#4778

@irvingpop
Author

Yes! thank you, I'm working now. A couple of things I had to fix:

  1. To make the docker iptables fix idempotent:

        before_script:
          # https://github.com/zuazo/kitchen-in-travis-native/issues/1#issuecomment-142230889
          - sudo iptables -L DOCKER || ( echo "DOCKER iptables chain missing" ; sudo iptables -N DOCKER )

  2. For my use case I had weird failures (that I couldn't reproduce locally) until I set privileged: true in my .kitchen.docker.yml:

        driver:
          name: docker
          privileged: true

Here's my working PoC: chef-cookbooks/supermarket-omnibus-cookbook#20

zuazo added a commit that referenced this issue Sep 23, 2015
@zuazo
Owner

zuazo commented Sep 23, 2015

OK @irvingpop, thanks for your feedback. I updated this cookbook example accordingly.

I will try to investigate what you say about privileges.

Would you mind if I add your cookbook as an example in the README?

@irvingpop
Author

Of course!

I'm not 100% clear about why docker privileged mode affected my use case.

Because I'm testing an Omnibus package that needs to interact with the init system, I'm guessing my situation was different from most.

In the case of centos:7 I couldn't boot it at all using run_command: /usr/lib/systemd/systemd. In privileged mode this works fine now, because they're shipping a systemd-container package that sufficiently emulates systemd.

In the case of ubuntu-upstart the container boots fine in non-privileged mode, but I was unable to launch services via runit (Omnibus adds a runit supervisor on top of the default init system).

I'll say that overall it was much more picky than running Docker locally, but the workarounds I implemented in my project's .kitchen.docker.yml file got me going. Still no luck with RHEL6 (I'll try to figure that out next)

@zuazo
Owner

zuazo commented Oct 2, 2015

@irvingpop thanks for your detailed explanation.

After some tests, I highly recommend enabling privileged mode for all the containers. I noticed many weird errors both when starting services and when running some Serverspec tests:

I updated the README accordingly.

I have also noticed the problems with runit. I still do not know how to fix them.
