Failing to start dockerd: failed to create NAT chain DOCKER

temrix · July 18, 2019, 4:40pm

OS Version: Debian buster
Docker version 18.09.8, build 0dd43dd

Kernel info:

info: reading kernel config from /boot/config-4.19.57-custom ...

Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled (as module)
- CONFIG_BRIDGE: enabled (as module)
- CONFIG_BRIDGE_NETFILTER: enabled (as module)
- CONFIG_NF_NAT_IPV4: enabled (as module)
- CONFIG_IP_NF_FILTER: enabled (as module)
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled (as module)
- CONFIG_IP_NF_NAT: enabled (as module)
- CONFIG_NF_NAT: enabled (as module)
- CONFIG_NF_NAT_NEEDED: enabled
- CONFIG_POSIX_MQUEUE: enabled

Optional Features:
- CONFIG_USER_NS: enabled
- CONFIG_SECCOMP: enabled
- CONFIG_CGROUP_PIDS: enabled
- CONFIG_MEMCG_SWAP: enabled
- CONFIG_MEMCG_SWAP_ENABLED: enabled
    (cgroup swap accounting is currently enabled)
- CONFIG_LEGACY_VSYSCALL_EMULATE: enabled
- CONFIG_BLK_CGROUP: enabled
- CONFIG_BLK_DEV_THROTTLING: enabled
- CONFIG_IOSCHED_CFQ: enabled (as module)
- CONFIG_CFQ_GROUP_IOSCHED: enabled
- CONFIG_CGROUP_PERF: enabled
- CONFIG_CGROUP_HUGETLB: enabled
- CONFIG_NET_CLS_CGROUP: enabled (as module)
- CONFIG_CGROUP_NET_PRIO: enabled
- CONFIG_CFS_BANDWIDTH: enabled
- CONFIG_FAIR_GROUP_SCHED: enabled
- CONFIG_RT_GROUP_SCHED: enabled
- CONFIG_IP_NF_TARGET_REDIRECT: enabled (as module)
- CONFIG_IP_VS: enabled (as module)
- CONFIG_IP_VS_NFCT: enabled
- CONFIG_IP_VS_PROTO_TCP: enabled
- CONFIG_IP_VS_PROTO_UDP: enabled
- CONFIG_IP_VS_RR: enabled (as module)
- CONFIG_EXT4_FS: enabled
- CONFIG_EXT4_FS_POSIX_ACL: enabled
- CONFIG_EXT4_FS_SECURITY: enabled
- Network Drivers:
  - "overlay":
    - CONFIG_VXLAN: enabled (as module)
    - CONFIG_BRIDGE_VLAN_FILTERING: enabled
      Optional (for encrypted networks):
      - CONFIG_CRYPTO: enabled
      - CONFIG_CRYPTO_AEAD: enabled
      - CONFIG_CRYPTO_GCM: enabled (as module)
      - CONFIG_CRYPTO_SEQIV: enabled
      - CONFIG_CRYPTO_GHASH: enabled (as module)
      - CONFIG_XFRM: enabled
      - CONFIG_XFRM_USER: enabled (as module)
      - CONFIG_XFRM_ALGO: enabled (as module)
      - CONFIG_INET_ESP: enabled (as module)
      - CONFIG_INET_XFRM_MODE_TRANSPORT: enabled (as module)
  - "ipvlan":
    - CONFIG_IPVLAN: enabled (as module)
  - "macvlan":
    - CONFIG_MACVLAN: enabled (as module)
    - CONFIG_DUMMY: enabled (as module)
  - "ftp,tftp client in container":
    - CONFIG_NF_NAT_FTP: enabled (as module)
    - CONFIG_NF_CONNTRACK_FTP: enabled (as module)
    - CONFIG_NF_NAT_TFTP: enabled (as module)
    - CONFIG_NF_CONNTRACK_TFTP: enabled (as module)
- Storage Drivers:
  - "aufs":
    - CONFIG_AUFS_FS: missing
  - "btrfs":
    - CONFIG_BTRFS_FS: enabled (as module)
    - CONFIG_BTRFS_FS_POSIX_ACL: enabled
  - "devicemapper":
    - CONFIG_BLK_DEV_DM: enabled (as module)
    - CONFIG_DM_THIN_PROVISIONING: missing
  - "overlay":
    - CONFIG_OVERLAY_FS: enabled (as module)
  - "zfs":
    - /dev/zfs: missing
    - zfs command: missing
    - zpool command: missing

Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000

When trying to run dockerd, I get the following error (see line ‘Error starting daemon’):

INFO[2019-07-18T18:33:10.197537317+02:00] parsed scheme: "unix"                         module=grpc
INFO[2019-07-18T18:33:10.197576572+02:00] scheme "unix" not registered, fallback to default scheme  module=grpc
INFO[2019-07-18T18:33:10.197612240+02:00] parsed scheme: "unix"                         module=grpc
INFO[2019-07-18T18:33:10.197623638+02:00] scheme "unix" not registered, fallback to default scheme  module=grpc
INFO[2019-07-18T18:33:10.197667784+02:00] ccResolverWrapper: sending new addresses to cc: [{unix:///run/containerd/containerd.sock 0  <nil>}]  module=grpc
INFO[2019-07-18T18:33:10.197674102+02:00] ccResolverWrapper: sending new addresses to cc: [{unix:///run/containerd/containerd.sock 0  <nil>}]  module=grpc
INFO[2019-07-18T18:33:10.197699688+02:00] ClientConn switching balancer to "pick_first"  module=grpc
INFO[2019-07-18T18:33:10.197704373+02:00] ClientConn switching balancer to "pick_first"  module=grpc
INFO[2019-07-18T18:33:10.197734321+02:00] pickfirstBalancer: HandleSubConnStateChange: 0xc4201b7570, CONNECTING  module=grpc
INFO[2019-07-18T18:33:10.197748570+02:00] pickfirstBalancer: HandleSubConnStateChange: 0xc4209aa120, CONNECTING  module=grpc
INFO[2019-07-18T18:33:10.197854584+02:00] pickfirstBalancer: HandleSubConnStateChange: 0xc4201b7570, READY  module=grpc
INFO[2019-07-18T18:33:10.197866220+02:00] pickfirstBalancer: HandleSubConnStateChange: 0xc4209aa120, READY  module=grpc
INFO[2019-07-18T18:33:10.199208498+02:00] [graphdriver] using prior storage driver: overlay2 
INFO[2019-07-18T18:33:10.215168664+02:00] Graph migration to content-addressability took 0.00 seconds 
WARN[2019-07-18T18:33:10.215725104+02:00] Your kernel does not support cgroup blkio weight 
WARN[2019-07-18T18:33:10.215760611+02:00] Your kernel does not support cgroup blkio weight_device 
INFO[2019-07-18T18:33:10.216626678+02:00] Loading containers: start.                   
INFO[2019-07-18T18:33:10.451838313+02:00] stopping event stream following graceful shutdown  error="<nil>" module=libcontainerd namespace=moby
Error starting daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain DOCKER: iptables failed: iptables -t nat -N DOCKER: iptables v1.8.2 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain PREROUTING
 (exit status 4)

When trying to execute sudo iptables -t nat -N DOCKER manually, I get this:

iptables v1.8.2 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain PREROUTING

Have I installed everything correctly or is something missing, maybe in the kernel?

Topic		Replies	Views
Missing generally necessary components General	2	2427	May 26, 2020
Docker fails to install on new Kernel General	0	2686	April 18, 2017
Docker Fails Debian 10 ARM General	1	2470	March 10, 2020
Error starting daemon: Devices cgroup isn't mounted General docker	3	7377	November 28, 2019
Issues with sudo systemctl status docker General	2	10116	September 6, 2021

Failing to start dockerd: failed to create NAT chain DOCKER

Related Topics