OpenVZ Forum


Docker daemon fails to start on host but succeeds in VZ container (iptable 'nat' table missing on host but present in VZ container?) [message #52677] Tue, 06 December 2016 17:03
abufrejoval
Want to run docker images on host and inside an OpenVZ container (related to CUDA)

The docker daemon fails to start on the host after installation; it fails trying to set up routing via iptables.
Specifically, it can't seem to find a 'nat' table.

FATA[0001] Error starting daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain: iptables failed: iptables --wait -t nat -N DOCKER: iptables v1.4.21: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.


And yes, 'cat /proc/net/ip_table_names' only lists raw, mangle and filter.

Following the hint on modprobe, I can only see that there are lots of *net* related modules loaded, but what's even more strange is: it works inside an OpenVZ container.

I used a CentOS 7 and a VZ7 template, set up an OpenVZ container with each, and installed Docker inside as per instructions (https://openvz.org/Docker_inside_CT).

Funnily enough, inside the OpenVZ containers /proc/net/ip_table_names also *contains* 'nat' and the Docker daemon has no issues setting up the network at all.

So I guess I can rule out any missing modules.

If I start the Docker daemon on the host with --iptables=false it will run, but Docker containers have no network access.

I can only guess some configuration is responsible for this odd behaviour on the host and I hope you can help me find it.

P.S.:
The issue seems independent of the Docker version or variant. I've tried 1.8.2 which comes with VZ7 and 1.12.3 from docker.com.
It's the 'iptables --wait -t nat -N DOCKER' command which fails for the missing 'nat' (or inaccessible?) table on the host.

The baseline CentOS 7 I run for comparison has nat, mangle, security, raw and filter tables in /proc/net/ip_table_names. Security seems disabled in the VZ .config file but that shouldn't be an issue.

[Updated on: Tue, 06 December 2016 17:09]
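
A check for the symptom described in the post above, as an added example that is not part of the original post: it reports which tables Docker's default bridge networking creates chains in (nat and filter) are absent from a listing in /proc/net/ip_table_names format, and which tables a reference system has that the host lacks. The helper names (missing_tables, diff_tables) are hypothetical and the sample listings are constructed from the table names quoted in the post.

```shell
#!/bin/sh
# Added example; missing_tables and diff_tables are hypothetical helper names.

# Print, one per line, each required table absent from a listing.
#   $1   file in /proc/net/ip_table_names format (one table name per line)
#   $2.. table names that must be present
missing_tables() {
    listing=$1; shift
    for t in "$@"; do
        # -x matches the whole line, so "nat" does not match e.g. "nat6"
        grep -qx -- "$t" "$listing" || printf '%s\n' "$t"
    done
}

# Print tables present in the reference listing ($2) but absent from $1.
diff_tables() {
    while IFS= read -r t; do
        [ -n "$t" ] || continue
        grep -qx -- "$t" "$1" || printf '%s\n' "$t"
    done < "$2"
}

# Constructed sample listings mirroring the post: the VZ host shows only
# raw, mangle and filter; the baseline CentOS 7 shows five tables.
SAMPLE_DIR=$(mktemp -d)
printf 'raw\nmangle\nfilter\n' > "$SAMPLE_DIR/host"
printf 'nat\nmangle\nsecurity\nraw\nfilter\n' > "$SAMPLE_DIR/baseline"

echo "host lacks for Docker: $(missing_tables "$SAMPLE_DIR/host" nat filter)"
echo "baseline has, host lacks: $(diff_tables "$SAMPLE_DIR/host" "$SAMPLE_DIR/baseline" | tr '\n' ' ')"

# On a live system, pass /proc/net/ip_table_names as the listing instead of
# the sample files (reading it usually needs root).
```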
