Installation of docker on Debian Bullseye ARM64, fails to install docker-ce?

General Discussions
1

Installation of docker on Debian Bullseye ARM64, fails to install, or correctly configure docker-ce?

Setting up docker-ce (5:24.0.2-1~debian.11~bullseye) ...
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /lib/systemd/system/docker.service.
Created symlink /etc/systemd/system/sockets.target.wants/docker.socket → /lib/systemd/system/docker.socket.
Job for docker.service failed because the control process exited with error code.
See "systemctl status docker.service" and "journalctl -xe" for details.
invoke-rc.d: initscript docker, action "start" failed.
● docker.service - Docker Application Container Engine
     Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Tue 2023-06-20 20:08:44 EDT; 29ms ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
    Process: 2314 ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock (code=exited, status=1/FAILURE)
   Main PID: 2314 (code=exited, status=1/FAILURE)
        CPU: 221ms

Jun 20 20:08:44 droid.dachshund-digital.org systemd[1]: docker.service: Main process exited, code=exited, status=1/FAILURE
Jun 20 20:08:44 droid.dachshund-digital.org systemd[1]: docker.service: Failed with result 'exit-code'.
Jun 20 20:08:44 droid.dachshund-digital.org systemd[1]: Failed to start Docker Application Container Engine.
dpkg: error processing package docker-ce (--configure):
 installed docker-ce package post-installation script subprocess returned error exit status 1
Processing triggers for man-db (2.9.4-2) ...
Processing triggers for libc-bin (2.31-13+deb11u6) ...
Errors were encountered while processing:
 docker-ce
E: Sub-process /usr/bin/dpkg returned an error code (1)

I am following the official directions, and I know that ARM64 is supported…
Install Docker Engine on Debian | Docker Documentation

The above documentation states the following command, which fails as illustrated above:

$ sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

There is not reference to this issue on the official documentation site for docker that I can find as yet.

Here is the OS information…

# cat /etc/os-release
PRETTY_NAME=“Debian GNU/Linux 11 (bullseye)”
NAME=“Debian GNU/Linux”
VERSION_ID=“11”
VERSION=“11 (bullseye)”
VERSION_CODENAME=bullseye
ID=debian
HOME_URL=“https://www.debian.org/
SUPPORT_URL=“Debian -- User Support
BUG_REPORT_URL=“https://bugs.debian.org/

# uname -a
Linux droid 5.10.110+ #1 SMP PREEMPT Wed Apr 26 14:00:14 CEST 2023 aarch64 GNU/Linux

Any suggestions or help would greatly be appreciated!

2

A bit more information…

Jun 20 20:25:33 droid dockerd[3623]: time="2023-06-20T20:25:33.345838739-04:00" level=info msg="[graphdriver] using prior storage driver: overlay2"
Jun 20 20:25:33 droid dockerd[3623]: time="2023-06-20T20:25:33.346572566-04:00" level=info msg="Loading containers: start."
Jun 20 20:25:33 droid dockerd[3623]: time="2023-06-20T20:25:33.358878173-04:00" level=info msg="unable to detect if iptables supports xlock: 'iptables --wait -L -n': `iptables v>
Jun 20 20:25:33 droid dockerd[3623]: time="2023-06-20T20:25:33.477078911-04:00" level=info msg="stopping event stream following graceful shutdown" error="<nil>" module=libcontai>
Jun 20 20:25:33 droid dockerd[3623]: failed to start daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain DOCKER: iptab>
Jun 20 20:25:33 droid dockerd[3623]:  (exit status 4)
Jun 20 20:25:33 droid systemd[1]: docker.service: Main process exited, code=exited, status=1/FAILURE
3

Have you tried to install an older version of Docker Engine just to check if that works? I installed Docker Engine on Arm, but not 24.0 yet, only 23.0 and I used an Ubuntu VM, not Debian.

Searching for the error messag about iptables I found these

Do you have any security software on Debian? Firewalld and AppArmor are mentioned on the net as well, and someone just updated the APT packages on the OS which fixed the issue. I found this in the release info of Docker 24.0.0

  • Remove workarounds for obsolete versions of apparmor_parser from the AppArmor profiles. moby/moby#45500

I don’t know if it is related, I really just did a quick search and shared the links.

4

I found references to the fact that Debian moving on to ‘nft’ over iptables, is at the core of the issue. In fact, by forcing use if iptables (legacy) configuration then re-installing docker-ce worked, i.e. finished configuration at install.

I then tried to re-enable nft use, converting the iptables rule set to nft compatible, but nft does not show any configured rules after export from iptables and import to nft. Which is really odd.

Root issue is docker-ce package can’t handle the NAT chain via nft but requires iptables, which Debian has abandoned for nft.

The following steps worked to get past the initial issue:

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

Here are the steps that failed to configure the same working rules above under nft:

https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

But as I noted, the last step, the actual import to nft seems to not actually generate any nft rules, i.e. chains.

5

I realized I had a test virtual machine with Debian 11 and Docker in it (24.0.2) which workes. I installed Docker when it was just 20.10. I guess the configuration you needed was done automtically for me. Is everything working now on your machine?

6

Once I forced back to iptables legacy support, docker worked. So the bottom line is the current docker ce package can’t install correctly and start service correctly with tptables 1.8.7 or using nft rules.

7

The solution jibunnokage posted no longer works.

Running update-alternatives --set iptables /usr/sbin/iptables-legacy

Gets you this error: update-alternatives: error: no alternatives for iptables