Unable to start dockerd on Ubuntu 18.04.4 LTS

I’m running Docker version 20.10.9, build 79ea9d3 from the Docker repo, inside Docker (WSL) and I’m unable to start the dockerd daemon. I got the following errors when launching it from the command line (as root):

ERRO[2021-10-11T06:53:02.865759663Z] failed to mount overlay: operation not permitted storage-driver=overlay2
ERRO[2021-10-11T06:53:02.865835969Z] exec: “fuse-overlayfs”: executable file not found in $PATH storage-driver=fuse-overlayfs
ERRO[2021-10-11T06:53:02.865938274Z] AUFS was not found in /proc/filesystems storage-driver=aufs
ERRO[2021-10-11T06:53:02.866535093Z] failed to mount overlay: operation not permitted storage-driver=overlay
WARN[2021-10-11T06:53:02.866907298Z] Unable to setup quota: operation not permitted
WARN[2021-10-11T06:53:02.888580701Z] Your kernel does not support cgroup blkio weight
WARN[2021-10-11T06:53:02.888616103Z] Your kernel does not support cgroup blkio weight_device
WARN[2021-10-11T06:53:02.888620036Z] Your kernel does not support cgroup blkio throttle.read_bps_device
WARN[2021-10-11T06:53:02.888622476Z] Your kernel does not support cgroup blkio throttle.write_bps_device
WARN[2021-10-11T06:53:02.888637393Z] Your kernel does not support cgroup blkio throttle.read_iops_device
WARN[2021-10-11T06:53:02.888640981Z] Your kernel does not support cgroup blkio throttle.write_iops_device
INFO[2021-10-11T06:53:02.888805587Z] Loading containers: start.
WARN[2021-10-11T06:53:02.890174917Z] Running iptables --wait -t nat -L -n failed with message: iptables v1.6.1: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded., error: exit status 3
INFO[2021-10-11T06:53:02.904314243Z] stopping event stream following graceful shutdown error="<nil>" module=libcontainerd namespace=moby
INFO[2021-10-11T06:53:02.904602848Z] stopping event stream following graceful shutdown error="context canceled" module=libcontainerd namespace=plugins.moby
INFO[2021-10-11T06:53:02.904631476Z] stopping healthcheck following graceful shutdown module=libcontainerd
WARN[2021-10-11T06:53:03.905958287Z] grpc: addrConn.createTransport failed to connect to {unix:///var/run/docker/containerd/containerd.sock <nil> 0 <nil>}. Err :connection error: desc = "transport: Error while dialing dial unix:///var/run/docker/containerd/containerd.sock: timeout". Reconnecting... module=grpc
failed to start daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain DOCKER: iptables failed: iptables -t nat -N DOCKER: iptables v1.6.1: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
(exit status 3)

I am facing the same issue but on Ubuntu 20.04.3 LTS with Docker version 20.10.10, build e2f740d, after following the instructions. The Ubuntu instance is hosted inside a Docker container running on Docker for macOS.

Running dockerd (as root) results in the above error. Is there any word on how to resolve it?

I can only think that this WSL is WSL 1 and not WSL 2. WSL 1 cannot run the Docker daemon.

I installed Docker on WSL 2 many times without any issue following the documentation. In WSL 1, you cannot change the network rules with iptables.

Docker in Docker is another issue. You need to run the container in privileged mode. Maybe there is another way, like adding capabilities with --cap-add, but the documentation does not mention that.

When you are in a container it does not matter if you are root or not, you don’t have full control over the kernel. Privileged mode can increase your chance to make it work if you take the risk, since an untrusted container can harm your system.

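As an added check that is not part of the thread, the script below decodes the effective capability mask of the current process from /proc/self/status and reports whether the two capabilities behind the errors above are present: CAP_NET_ADMIN (needed for the iptables "Permission denied (you must be root)" failure) and CAP_SYS_ADMIN (needed for the "failed to mount overlay: operation not permitted" failure). The function and variable names are my own; the bit positions come from the kernel's capability.h, and the sample masks used in the comments are a constructed illustration (0xa80425fb is the well-known default container cap set, 0x3fffffffff a full one).

```shell
#!/usr/bin/env bash
# Added example: explain why "root" inside an unprivileged container still
# cannot start dockerd. Root in a default container only holds a reduced
# capability set, and dockerd needs capabilities that set does not include.

# Bit positions from <linux/capability.h>.
CAP_NET_ADMIN=12   # iptables / netfilter changes
CAP_SYS_ADMIN=21   # mount(2), needed for the overlay storage driver

# has_cap MASK_HEX BIT -> exit 0 if BIT is set in the hex mask, 1 otherwise.
# Example: has_cap 00000000a80425fb 21 fails (default container set lacks SYS_ADMIN).
has_cap() {
    mask="$1"; bit="$2"
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# current_cap_mask -> prints this shell's CapEff value (hex, no 0x prefix).
current_cap_mask() {
    awk '/^CapEff:/ {print $2}' /proc/self/status
}

# dockerd_cap_report MASK_HEX -> one line per required capability;
# returns 0 only when every required capability is present.
# Note: even with both capabilities granted, seccomp or AppArmor profiles
# applied by the container runtime can still block mount(2) and netfilter.
dockerd_cap_report() {
    mask="$1"; missing=0
    for entry in "cap_net_admin:$CAP_NET_ADMIN" "cap_sys_admin:$CAP_SYS_ADMIN"; do
        name=${entry%%:*}; bit=${entry##*:}
        if has_cap "$mask" "$bit"; then
            echo "$name: present"
        else
            echo "$name: MISSING"
            missing=1
        fi
    done
    return $missing
}
```

Run `dockerd_cap_report "$(current_cap_mask)"` inside the container to see which of the two is absent; a mask like 0xa80425fb lacks both, which matches the iptables and overlay errors in the log above.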

Awesome, thank you. I had a hunch that it must have been related to the DinD situation. Unfortunately --privileged is not an option, as the container will need to run in a CI pipeline that specifically doesn’t allow this. I’m currently looking at sysbox, but again, I cannot control the CI pipeline host, so it’s not helping either, and my last resort is trying with docker run -v /var/run/docker.sock:/var/run/docker.sock, but I’m not sure how my CI system and minikube are going to digest the hack :grinning: