iptables failed - No chain/target/match by that name #16816
Comments
Hi! Please read this important information about creating issues.

If you are reporting a new issue, make sure that we do not have any duplicates already open. You can ensure this by searching the issue list for this repository. If there is a duplicate, please close your issue and add a comment to the existing issue instead.

If you suspect your issue is a bug, please edit your issue description to include the BUG REPORT INFORMATION shown below. If you fail to provide this information within 7 days, we cannot debug your issue and will close it. We will, however, reopen it if you later provide the information.

This is an automated, informational response. Thank you.

For more information about reporting issues, see https://github.com/docker/docker/blob/master/CONTRIBUTING.md#reporting-other-issues

BUG REPORT INFORMATION
Use the commands below to provide key information from your environment:
Provide additional environment details (AWS, VirtualBox, physical, etc.):
List the steps to reproduce the issue:
Describe the results you received:
Describe the results you expected:
Provide additional info you think is important:
----------END REPORT ---------
#ENEEDMOREINFO |
Please note the other open issues with this error: https://github.com/docker/docker/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+No+chain%2Ftarget%2Fmatch+by+that+name |
@mindscratch Have you tried turning off firewalld? |
@cpuguy83 we're not using firewalld just iptables |
@mindscratch in that issue, upgrading to 1.8.3 seems to resolve the problem; are you still able to reproduce this on 1.8.3 (or 1.9.0)? |
I'll have to look at our logs. We put in a cron job that attempts to find the issue and resolve it before it becomes a problem, so I haven't noticed. The cron job logs when it has to fix iptables, so I'll check. I am now running 1.9.0. |
I have that same problem.
What information can I send to you? |
This issue occurs when I restart container after I stop the firewalld.
docker version: Docker version 1.9.1, build a34a1d5
Provide additional environment details (AWS, VirtualBox, physical, etc.):
List the steps to reproduce the issue:
Describe the results you received:
Describe the results you expected:
Provide additional info you think is important:
----------END REPORT ---------
#ENEEDMOREINFO |
Overview
ERROR: Cannot start container dcd5227651790c197835e3f2016f8c747bb748f86e95d6492c75f5e3f83ab47d: failed to create endpoint relaydocker_relay_1 on network bridge: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 33320 -j DNAT --to-destination 172.17.0.2:30903 ! -i docker0: (fork/exec /sbin/iptables: cannot allocate memory)
Bug Report Info
Dockerfile
Docker-compose.yml
If I try to expose port 30000-31000 in docker-compose.yml, then running 'Docker-compose up -d' will give me the "iptables failed" error.
ERROR: Cannot start container dcd5227651790c197835e3f2016f8c747bb748f86e95d6492c75f5e3f83ab47d: failed to create endpoint relaydocker_relay_1 on network bridge: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 33320 -j DNAT --to-destination 172.17.0.2:30903 ! -i docker0: (fork/exec /sbin/iptables: cannot allocate memory)
If I reduce the number of exposed ports to less than 20, then the container will start without issue. I have read that I can try restarting the docker daemon with --iptables=false. How can I do that with docker-compose? |
@vincentsiu your issue sounds more related to #11185 |
I have a similar problem using docker 1.9.1 and centos7 (1511) on an ESXi VM.
If I start the registry v2 container with:
the port is closed and I am not able to connect.
According to firewall-cmd, the port is open.
iptables -L -v -n
If I stop firewalld
|
We also notice this behaviour. docker version:
docker info:
uname -a:
Provide additional environment details (AWS, VirtualBox, physical, etc.):
List the steps to reproduce the issue:
Describe the results you received:
Describe the results you expected: |
This is happening to me too.
And if I run:
FYI: Just to have in mind, I'm running docker-compose with the root user, and I didn't see anyone in this post running commands with sudo or su. Although restarting the docker service restores the health of the system for a while at least, it is a horrible workaround.... Any other alternatives or ETA for when this will be fixed? |
I have met a similar problem and it was solved by running this command: |
It happened to us as well, but in our case
After restarting docker daemon everything worked fine and we could see DOCKER chain came back to nat table:
If someone has a clue why the chain disappears I'll be more than happy to hear about it. |
Exactly the same issue here as @shayts7 is describing. Workaround for now is to restart the daemon:
|
@fredrikaverpil Great! It worked! |
Hello everyone, I'm using coreos and have this problem too but only on my master. Running |
Was having this issue. For us it turned out docker was starting before our firewall persistence (iptables-persistent) and its rules were getting overwritten. I resolved by removing the package as we were using it for only 1 rule. There are ways to keep it working side by side by either ensuring docker starts after iptables-persistent (https://groups.google.com/forum/#!topic/docker-dev/4SfOwCOmw-E) or by adding whatever rules the docker service adds into the persistent iptables configuration (didn't test this). This is not a docker bug but maybe it should be addressed in docs or something. |
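Several comments above describe the DOCKER chain disappearing from the nat table and a cron job that looks for the problem. The following is an added example of such a check, not code from this thread or from Docker: it parses `iptables-save` output and reports which of the nat and filter tables lack a DOCKER chain. The function names, the log tag and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report tables that lack Docker's
# DOCKER chain, the state behind "No chain/target/match by that name".

# Reads an iptables-save dump on stdin; prints "nat" and/or "filter" for
# each table that does not declare a DOCKER chain, nothing if both do.
missing_docker_chains() {
  awk '
    /^\*/           { table = substr($1, 2) }  # "*nat" opens a table section
    $1 == ":DOCKER" { seen[table] = 1 }        # ":DOCKER - [0:0]" declares the chain
    END {
      n = split("nat filter", want, " ")
      for (i = 1; i <= n; i++)
        if (!(want[i] in seen)) print want[i]
    }'
}

# Constructed sample dump: another tool reloaded its saved rules, so the
# nat table no longer has a DOCKER chain while filter still does.
sample_flushed() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
COMMIT
EOF
}

# Live check for cron (run as root): logs and returns 1 if a chain is gone.
check_live() {
  missing=$(iptables-save | missing_docker_chains | tr '\n' ' ')
  [ -z "$missing" ] && return 0
  logger -t docker-iptables "DOCKER chain missing from: $missing"
  return 1
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```

When the check reports a missing chain, the workaround given in this thread is to restart the Docker daemon so that it recreates its chains.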
@vlad-vintila-hs Thanks for the tip |
Same issue here: Ubuntu 14.04 with docker 1.11.1 and docker-compose 1.7.1. No workaround solved the problem. Solved with a machine reboot, a poor solution by the way. |
This seems to only happen on CentOS 7 for me. This is what I did:
Stop firewalld:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
Restart your machine:
sudo reboot
As long as you've put --restart=always on your docker instance, when your machine is rebooted, the docker instance should be running, and the port should be bound. I believe this issue is specific to the CentOS 7 family, which uses firewalld instead of iptables. |
In centos7.1 and docker 1.10.3-46, I restarted the docker service and that solved the problem. |
I can consistently replicate the problem using the following steps: On CentOS Linux release 7.3.1611 (Core)
I get the following error:
One fix is to disable the firewall integration (?) described here: #1871 (comment) |
Handy scripts to have around:

# Force-remove every container, running or stopped.
docker_rm_all () {
    for c in $(docker ps -a | awk '{ print $1 }'); do
        if [[ "$c" == "CONTAINER" ]]; then
            # Header row of `docker ps`: warn once before removing anything.
            echo "Removing all in 2 seconds. Last chance to cancel."
            sleep 2
        else
            docker rm -f "$c"
        fi
    done
}

# Kill every running container.
docker_kill_all () {
    for c in $(docker ps | awk '{ print $1 }'); do
        if [[ "$c" == "CONTAINER" ]]; then
            echo "Killing all in 2 seconds. Last chance to cancel."
            sleep 2
        else
            docker kill "$c"
        fi
    done
}

# Open an interactive bash shell in the container given as $1.
docker_bash () {
    docker exec -ti "$1" bash
}

# Restart the docker service with the proxy URL given as $1.
docker_service_restart () {
    if [[ "$1" == "" ]]; then
        echo "please set HTTP_ENV before restart"
        # return, not exit: these functions are sourced from bashrc,
        # so exit would close the interactive shell.
        return 1
    fi
    sudo https_proxy="$1" \
        http_proxy="$1" \
        HTTP_PROXY="$1" \
        HTTPS_PROXY="$1" \
        service docker restart
}

# Export proxy variables for host:port given as $1.
set_proxy () {
    export HTTP_PROXY="http://$1"
    export HTTPS_PROXY="https://$1"
    export http_proxy="http://$1"
    export https_proxy="https://$1"
}

unset_proxy () {
    unset HTTP_PROXY
    unset HTTPS_PROXY
    unset http_proxy
    unset https_proxy
}

Just add it to your bashrc. |
journalctl:
|
hi guys, I'm having an error with iptables.
cat /etc/centos-release
iptables --version
docker info
|
@vagnerfonseca CentOS 6 and kernel 2.6.x haven't been supported for a long time (the last version of docker supporting that was Docker 1.7, which was released three years ago, and has reached end of life a long time ago). If you want to run Docker, make sure to update to a currently supported release of CentOS 7. |
In my case (Manjaro Linux) this was caused by iptables simply not running at all. I had to add docker daemon option --iptables=false to disable any interaction with it. |
I ran into this when my default firewalld zone was somehow changed from 'home' to 'public'. I resolved it by changing the default back to home, restarting firewalld, then flushing iptables:
|
Adding my +1. Running Arch Linux.
I have
Only work around so far is to use |
iptables was causing me grief (on Manjaro), so ultimately I stopped it and, following your example, set iptables: false. This worked for me. (Had it failed I would next have tried net=host, or resorted to putting Docker into a virtual machine.) |
I meet this warning
|
Try creating the chain in iptables by running and if that doesn't work, try upgrading docker and iptables |
I have solved the issue by typing |
Hi There.
Docker Version:
So, I'm working around almost 1 week to solve this issue!
I already have executed these commands:
Then restart Docker Service using below command
I have tried to run some of these commands, and uninstalled docker to remove docker's configs... It is sad that this is happening! I have some work to do in a production environment |
|
It might help others: |
I don't see any recent activity on this issue. I will close it as stale. |
Bug Report Info
docker version:
Client version: 1.7.1
Client API version: 1.19
Go version (client): go1.4.2
Git commit (Client): 786b29d
OS/Arch (client): linux/amd64
Server version: 1.7.1
Server API verson: 1.19
Go version (server): go1.4.2
Git commit (server): 786b29d
OS/Arch (server): linux/amd64
docker info:
Containers: 41
Images: 172
Storage Driver: devicemapper
Pool Name: docker-253:2-4026535945-pool
Pool Blocksize: 65.54 kB
Backing Filesystem: xfs
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 7.748 GB
Data Space Total: 107.4 GB
Data Space Available: 99.63 GB
Metadata Space Used: 12.55 MB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.135 GB
Udev Sync Supported: true
Deferred Removal Enabled: true
Data loop file: /var/lib/docker/devicemapper/devicemapper/data
Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.93-RHEL7 (2015-01-28)
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 3.10.0-123.el7.x86_64
Operating SYstem: CentOS Linux 7 (Core)
CPUs: 24
Total Memory: 125.6 GiB
Name:
ID:
uname -a:
Linux 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Environment details (AWS, VirtualBox, physical, etc.):
Physical
iptables version 1.4.21
How reproducible:
Random
Steps to Reproduce:
Actual Results:
Expected Results:
Container starts without a problem.
Additional info:
I'll also mention these containers are being launched via Apache Mesos (0.23.0) using Marathon. Appears similar to #13914.