Docker Community Forums

Docker Rootless mode is failing with Iptables Permission denied (you must be root)

I am trying to run the docker daemon as rootless. I followed the official instructions here: Run the Docker daemon as a non-root user (Rootless mode) | Docker Documentation

I am using 18.04.5 LTS on an ARM CPU.

I see the following error

INFO[2021-02-21T20:17:44.789001232Z] Loading containers: start.
WARN[2021-02-21T20:17:44.802960101Z] Running iptables --wait -t nat -L -n failed with message: `iptables v1.6.1: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.`, error: exit status 3
INFO[2021-02-21T20:17:44.926790626Z] stopping event stream following graceful shutdown  error="<nil>" module=libcontainerd namespace=moby
INFO[2021-02-21T20:17:44.928535421Z] stopping healthcheck following graceful shutdown  module=libcontainerd
INFO[2021-02-21T20:17:44.928604033Z] stopping event stream following graceful shutdown  error="context canceled" module=libcontainerd namespace=plugins.moby
failed to start daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain DOCKER: iptables failed: iptables -t nat -N DOCKER: iptables v1.6.1: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
 (exit status 3)

I am not sure how to fix this. How can rootless docker work if it requires the use of iptables?
From what I have seen, iptables requires the root user?

Maybe the rootlesskit somehow abstracts that away, but then my question is what do I need to do on my system for this to work?

Following the install process, it fails immediately because “docker.service” does not start.

So then I am invoking ./dockerd-rootless.sh manually.

I have gotten it to work with: ./dockerd-rootless.sh --iptables=false

But something seems to be wrong here, and I would like to know what needs to be fixed to get it to work with iptables.

Any help would be appreciated.

I am on Docker version 20.10.3, build 48d30b5


I am getting the same problem. And if I pass --iptables=false, I am not able to log in to my private repositories even though I have mentioned them in insecure-registries under daemon.json.

Ubuntu

No preparation is needed.

overlay2 storage driver is enabled by default (Ubuntu-specific kernel patch).

Known to work on Ubuntu 16.04, 18.04, and 20.04.

Debian GNU/Linux

Add kernel.unprivileged_userns_clone=1 to /etc/sysctl.conf (or /etc/sysctl.d) and run sudo sysctl --system.

To use the overlay2 storage driver (recommended), run sudo modprobe overlay permit_mounts_in_userns=1 (Debian-specific kernel patch, introduced in Debian 10). Add the configuration to /etc/modprobe.d for persistence.

Known to work on Debian 9 and 10. overlay2 is only supported since Debian 10 and needs modprobe configuration described above.

Arch Linux

Add kernel.unprivileged_userns_clone=1 to /etc/sysctl.conf (or /etc/sysctl.d) and run sudo sysctl --system.

openSUSE

sudo modprobe ip_tables iptable_mangle iptable_nat iptable_filter is required. This might be required on other distros as well depending on the configuration.

Known to work on openSUSE 15.

Fedora 31 and later

Fedora 31 uses cgroup v2 by default, which is not yet supported by the containerd runtime. Run sudo grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=0" to use cgroup v1.

You might need sudo dnf install -y iptables.

CentOS 8

You might need sudo dnf install -y iptables.

CentOS 7

Add user.max_user_namespaces=28633 to /etc/sysctl.conf (or /etc/sysctl.d) and run sudo sysctl --system.

systemctl --user does not work by default. Run the daemon directly without systemd: dockerd-rootless.sh --experimental --storage-driver vfs

Known to work on CentOS 7.7. Older releases require additional configuration steps.

CentOS 7.6 and older releases require COPR package vbatts/shadow-utils-newxidmap to be installed.

CentOS 7.5 and older releases require running sudo grubby --update-kernel=ALL --args="user_namespace.enable=1" and a reboot following this.
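A preflight script for the distribution hints above, added here as an example; it is not from the Docker docs or from any post in this thread. It assumes sysctl is installed, and it checks only the user-namespace sysctls and the iptables kernel modules (the ones the openSUSE hint names), not the cgroup or overlay2 settings.

```shell
#!/bin/sh
# Preflight check for the rootless-mode prerequisites listed above (user
# namespaces enabled, netfilter modules loaded on the host). Added example;
# not part of the Docker docs or of any post in this thread.
# Each check takes its input as arguments, so it can be run against the live
# host (run_preflight) or against constructed values.

# Return 0 if a user-namespace sysctl value permits unprivileged namespaces.
# $1: sysctl key, $2: its value as printed by `sysctl -n`.
userns_sysctl_ok() {
    case "$1" in
        kernel.unprivileged_userns_clone) [ "$2" = "1" ] ;;     # Debian/Arch
        user.max_user_namespaces) [ "$2" -gt 0 ] 2>/dev/null ;; # CentOS 7 (0 = off)
        *) echo "unknown sysctl key: $1" >&2; return 2 ;;
    esac
}

# Return 0 if every netfilter module iptables needs is present in a
# /proc/modules listing ($1). Inside the rootless user namespace iptables
# cannot load kernel modules itself, so they must already be loaded on the
# host. A module compiled into the kernel does not appear in /proc/modules,
# so this check would report it as missing (false alarm).
iptables_modules_loaded() {
    missing=""
    for mod in ip_tables iptable_mangle iptable_nat iptable_filter; do
        printf '%s\n' "$1" | grep -q "^$mod " || missing="$missing $mod"
    done
    [ -z "$missing" ] && return 0
    echo "not loaded:$missing (sudo modprobe ip_tables iptable_mangle iptable_nat iptable_filter)" >&2
    return 1
}

# Run both checks against the live host. A sysctl key that does not exist on
# this distro is skipped rather than failed.
run_preflight() {
    status=0
    for key in kernel.unprivileged_userns_clone user.max_user_namespaces; do
        val=$(sysctl -n "$key" 2>/dev/null) || continue
        userns_sysctl_ok "$key" "$val" || { echo "$key=$val blocks rootless mode" >&2; status=1; }
    done
    iptables_modules_loaded "$(cat /proc/modules)" || status=1
    return $status
}

# Only touch the live host when invoked as:  sh preflight.sh check
if [ "${1:-}" = "check" ]; then
    run_preflight && echo "rootless prerequisites look satisfied"
fi
```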

I am running Ubuntu 18.04 and seeing this error.