Docker Rootless mode is failing with Iptables Permission denied (you must be root)

I am trying to run the docker daemon as rootless. I followed the official instructions here: Run the Docker daemon as a non-root user (Rootless mode) | Docker Documentation

I am using 18.04.5 LTS on ARM cpu.

I see the following error

INFO[2021-02-21T20:17:44.789001232Z] Loading containers: start.
WARN[2021-02-21T20:17:44.802960101Z] Running iptables --wait -t nat -L -n failed with message: `iptables v1.6.1: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.`, error: exit status 3
INFO[2021-02-21T20:17:44.926790626Z] stopping event stream following graceful shutdown  error="<nil>" module=libcontainerd namespace=moby
INFO[2021-02-21T20:17:44.928535421Z] stopping healthcheck following graceful shutdown  module=libcontainerd
INFO[2021-02-21T20:17:44.928604033Z] stopping event stream following graceful shutdown  error="context canceled" module=libcontainerd namespace=plugins.moby
failed to start daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain DOCKER: iptables failed: iptables -t nat -N DOCKER: iptables v1.6.1: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
 (exit status 3)

I am not sure how to fix this. How can rootless docker work if it requires to use iptables?
From what I have seen, iptables requires root user?

Maybe the rootlesskit somehow abstracts that away, but then my question is what do I need to do on my system for this to work?

Following the install process, it fails immediately because “docker.service” does not start.

So then I am invoking the " ./dockerd-rootless.sh" manually.

I have gotten it to work with: ./dockerd-rootless.sh --iptables=false

But something seems to be wrong here. and I would like to know what needs to be fixed to get it to work with iptables.

Any help would be appreciated.

I am on Docker version 20.10.3, build 48d30b5

1 Like

I am getting the same problem. And if I pass the --iptables=false, I am not able to login to my private repositories even though I have mentioned it in the insecure-registeries under daemon.json.

Hey,

Did you resolve this issue?

Please update if you have resolved this.

Thanks