robbertkl / docker-ipv6nat

Extend Docker with IPv6 NAT, similar to IPv4

Raspbian: Couldn't load target `DOCKER':No such file or directory

ginkel opened this issue · comments

Hi there,

I have been successfully running ipv6nat on Ubuntu 18.04 for a while now and wanted to also enable it on my Raspberry Pis running Debian/Raspbian 10. I am running the ipv6nat Docker container with the following settings (which work on Ubuntu):

      image: robbertkl/ipv6nat
      name: ipv6nat
      cap_drop:
        - ALL
      capabilities:
        - NET_RAW
        - NET_ADMIN
        - SYS_MODULE
      memory: 64MB
      network_mode: host
      read_only: yes
      tmpfs:
        - /run
      volumes:
        - /lib/modules:/lib/modules:ro
        - /var/run/docker.sock:/var/run/docker.sock:ro

Unfortunately, on Raspbian the container terminates with the following error:

ln: /sbin/iptables: File exists
ln: /sbin/iptables-save: File exists
ln: /sbin/iptables-restore: File exists
ln: /sbin/ip6tables: File exists
ln: /sbin/ip6tables-save: File exists
ln: /sbin/ip6tables-restore: File exists
2020/03/25 21:56:44 running [/sbin/iptables -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER --wait]: exit status 2: iptables v1.8.3 (legacy): Couldn't load target `DOCKER':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

Any ideas?

Thanks,
Thilo

# docker image ls
REPOSITORY                                              TAG                 IMAGE ID            CREATED             SIZE
[...]
robbertkl/ipv6nat                                       latest              c096474d0f3c        3 months ago        16.9MB
# cat /etc/docker/daemon.json 
{
  "dns": ["x.x.x.x"],
  "experimental": true,
  "fixed-cidr-v6": "fd00:dead:beef::/48",
  "ipv6": true,
  "live-restore": true,
  "log-driver": "json-file",
  "log-opts": {
    "max-file": "2",
    "max-size": "256m"
  },
  "metrics-addr": "x.x.x.x:9323",
  "storage-driver": "overlay2",
  "userland-proxy": false
}
# docker --version
Docker version 19.03.8, build afacb8b
# ip6tables-save
# Generated by xtables-save v1.8.2 on Wed Mar 25 22:05:59 2020
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [795:49300]
:OUTPUT ACCEPT [61:5636]
:ufw6-before-logging-input - [0:0]
:ufw6-before-logging-output - [0:0]
:ufw6-before-logging-forward - [0:0]
:ufw6-before-input - [0:0]
:ufw6-before-output - [0:0]
:ufw6-before-forward - [0:0]
:ufw6-after-input - [0:0]
:ufw6-after-output - [0:0]
:ufw6-after-forward - [0:0]
:ufw6-after-logging-input - [0:0]
:ufw6-after-logging-output - [0:0]
:ufw6-after-logging-forward - [0:0]
:ufw6-reject-input - [0:0]
:ufw6-reject-output - [0:0]
:ufw6-reject-forward - [0:0]
:ufw6-track-input - [0:0]
:ufw6-track-output - [0:0]
:ufw6-track-forward - [0:0]
:ufw6-logging-deny - [0:0]
:ufw6-logging-allow - [0:0]
:ufw6-skip-to-policy-input - [0:0]
:ufw6-skip-to-policy-output - [0:0]
:ufw6-skip-to-policy-forward - [0:0]
:ufw6-user-input - [0:0]
:ufw6-user-output - [0:0]
:ufw6-user-forward - [0:0]
:ufw6-user-logging-input - [0:0]
:ufw6-user-logging-output - [0:0]
:ufw6-user-logging-forward - [0:0]
:ufw6-user-limit - [0:0]
:ufw6-user-limit-accept - [0:0]
-A INPUT -j ufw6-before-logging-input
-A INPUT -j ufw6-before-input
-A INPUT -j ufw6-after-input
-A INPUT -j ufw6-after-logging-input
-A INPUT -j ufw6-reject-input
-A INPUT -j ufw6-track-input
-A FORWARD -j ufw6-before-logging-forward
-A FORWARD -j ufw6-before-forward
-A FORWARD -j ufw6-after-forward
-A FORWARD -j ufw6-after-logging-forward
-A FORWARD -j ufw6-reject-forward
-A FORWARD -j ufw6-track-forward
-A OUTPUT -j ufw6-before-logging-output
-A OUTPUT -j ufw6-before-output
-A OUTPUT -j ufw6-after-output
-A OUTPUT -j ufw6-after-logging-output
-A OUTPUT -j ufw6-reject-output
-A OUTPUT -j ufw6-track-output
-A ufw6-before-input -i lo -j ACCEPT
-A ufw6-before-input -m rt --rt-type 0 -j DROP
-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 144 -j ACCEPT
-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 145 -j ACCEPT
-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 146 -j ACCEPT
-A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 147 -j ACCEPT
-A ufw6-before-input -s fe80::/10 -d fe80::/10 -p udp -m udp --sport 547 --dport 546 -j ACCEPT
-A ufw6-before-input -d ff02::fb/128 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw6-before-input -d ff02::f/128 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw6-before-input -j ufw6-user-input
-A ufw6-before-output -o lo -j ACCEPT
-A ufw6-before-output -m rt --rt-type 0 -j DROP
-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -j ufw6-user-output
-A ufw6-before-forward -m rt --rt-type 0 -j DROP
-A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A ufw6-before-forward -j ufw6-user-forward
-A ufw6-after-input -p udp -m udp --dport 137 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p udp -m udp --dport 138 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p tcp -m tcp --dport 139 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p tcp -m tcp --dport 445 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p udp -m udp --dport 546 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p udp -m udp --dport 547 -j ufw6-skip-to-policy-input
-A ufw6-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw6-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw6-track-forward -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw6-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw6-skip-to-policy-input -j DROP
-A ufw6-skip-to-policy-output -j ACCEPT
-A ufw6-skip-to-policy-forward -j ACCEPT
-A ufw6-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw6-user-input -p udp -m multiport --dports 60000:61000 -j ACCEPT
-A ufw6-user-input -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0.2 -p tcp -m tcp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0.3 -p tcp -m tcp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0.4 -p tcp -m tcp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0.5 -p tcp -m tcp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0.6 -p tcp -m tcp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0.7 -p tcp -m tcp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0.8 -p tcp -m tcp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0.10 -p tcp -m tcp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0.180 -p tcp -m tcp --dport 53 -j ACCEPT
-A ufw6-user-input -i docker0 -p tcp -m tcp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0.2 -p udp -m udp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0.3 -p udp -m udp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0.4 -p udp -m udp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0.5 -p udp -m udp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0.6 -p udp -m udp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0.7 -p udp -m udp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0.8 -p udp -m udp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0.10 -p udp -m udp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0.180 -p udp -m udp --dport 53 -j ACCEPT
-A ufw6-user-input -i docker0 -p udp -m udp --dport 53 -j ACCEPT
-A ufw6-user-input -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A ufw6-user-input -i eth0.2 -p udp -m udp --dport 67 -j ACCEPT
-A ufw6-user-input -i eth0.3 -p udp -m udp --dport 67 -j ACCEPT
-A ufw6-user-input -i eth0.4 -p udp -m udp --dport 67 -j ACCEPT
-A ufw6-user-input -i eth0.5 -p udp -m udp --dport 67 -j ACCEPT
-A ufw6-user-input -i eth0.6 -p udp -m udp --dport 67 -j ACCEPT
-A ufw6-user-input -i eth0.7 -p udp -m udp --dport 67 -j ACCEPT
-A ufw6-user-input -i eth0.8 -p udp -m udp --dport 67 -j ACCEPT
-A ufw6-user-input -i eth0.10 -p udp -m udp --dport 67 -j ACCEPT
-A ufw6-user-input -i eth0.180 -p udp -m udp --dport 67 -j ACCEPT
-A ufw6-user-input -i docker0 -p udp -m udp --dport 67 -j ACCEPT
-A ufw6-user-input -i eth0 -p udp -m udp --dport 69 -j ACCEPT
-A ufw6-user-input -i eth0.7 -p udp -m udp --dport 69 -j ACCEPT
-A ufw6-user-input -i eth0.8 -p udp -m udp --dport 69 -j ACCEPT
-A ufw6-user-input -i eth0.10 -p udp -m udp --dport 69 -j ACCEPT
-A ufw6-user-input -i eth0 -p udp -m udp --dport 123 -j ACCEPT
-A ufw6-user-input -i eth0.2 -p udp -m udp --dport 123 -j ACCEPT
-A ufw6-user-input -i eth0.3 -p udp -m udp --dport 123 -j ACCEPT
-A ufw6-user-input -i eth0.4 -p udp -m udp --dport 123 -j ACCEPT
-A ufw6-user-input -i eth0.5 -p udp -m udp --dport 123 -j ACCEPT
-A ufw6-user-input -i eth0.6 -p udp -m udp --dport 123 -j ACCEPT
-A ufw6-user-input -i eth0.7 -p udp -m udp --dport 123 -j ACCEPT
-A ufw6-user-input -i eth0.8 -p udp -m udp --dport 123 -j ACCEPT
-A ufw6-user-input -i eth0.10 -p udp -m udp --dport 123 -j ACCEPT
-A ufw6-user-input -i eth0.180 -p udp -m udp --dport 123 -j ACCEPT
-A ufw6-user-input -i eth0 -p tcp -j ACCEPT
-A ufw6-user-input -i docker0 -p tcp -j ACCEPT
-A ufw6-user-logging-input -j RETURN
-A ufw6-user-logging-output -j RETURN
-A ufw6-user-logging-forward -j RETURN
-A ufw6-user-limit -j REJECT --reject-with icmp6-port-unreachable
-A ufw6-user-limit-accept -j ACCEPT
COMMIT
# Completed on Wed Mar 25 22:05:59 2020

Well, a little trial and error later this seems to be caused by running the container read-only (which works on Ubuntu).

Hi @ginkel, thanks for reaching out!

Have never tested with read-only mode myself, it surprises me this even works (on Ubuntu at least).

The files mentioned above in /sbin are overwritten by docker-ipv6nat-compat. This should never work in read-only mode and is the reason it fails on your (Raspbian) setup.

The reason it does work on Ubuntu can be one of a number of things:

  • Perhaps you're running an older version of docker-ipv6nat, from before I added the compat script
  • Perhaps you're setting the entry point yourself, having it run without the compat script
  • Perhaps because of your firewall setup (iptables vs. nftables) on Ubuntu, the symlinks already point to the correct binary, so the ln -nfs commands from the compat script won't actually have to change anything, therefore not triggering the read-only restriction.

In any case, running the container without read-only shouldn't be a problem and would resolve the issue, as you've discovered already. I'm just going to close the issue, but feel free to comment or reopen if you have further questions / issues.
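The third explanation above is the one worth building on: the compat step only breaks a read-only root filesystem when it actually has to rewrite a symlink. As an added example (not docker-ipv6nat's own compat script, whose source is not on this page), the POSIX shell script below shows that read-only-safe form of the relinking. It probes which iptables backend (legacy or nft) owns Docker's IPv4 DOCKER chain, the chain the failing `iptables -t nat -C OUTPUT ... -j DOCKER` check above is looking for, then points the generic names in /sbin at that backend only when the link is not already correct, and fails with a clear message instead of the bare `ln: ... File exists` when a write is needed but impossible. The probe command (`iptables-<backend> -t nat -S DOCKER`), the function and option names, and the `--demo` scratch tree with the links deliberately pointing at the wrong backend are my assumptions, not the project's.

```shell
#!/bin/sh
# Added example, not docker-ipv6nat's own compat script.
# Point the generic iptables-family names at whichever backend owns Docker's
# DOCKER chain, but skip every symlink that is already correct: a no-op needs
# no write, so the logic survives a container started with read_only.

TOOLS="iptables iptables-save iptables-restore ip6tables ip6tables-save ip6tables-restore"

# Probe for a real host (assumption: Docker's IPv4 nat table holds a DOCKER
# chain only in the backend dockerd talks to). Needs CAP_NET_ADMIN.
docker_chain_in() {
    "iptables-$1" -t nat -S DOCKER >/dev/null 2>&1
}

# detect_backend [PROBE]: print "nft" or "legacy"; exit 1 if neither owns DOCKER.
# PROBE is a command taking the backend name, so the check can be dry-run.
detect_backend() {
    probe="${1:-docker_chain_in}"
    for b in nft legacy; do
        if "$probe" "$b"; then
            echo "$b"
            return 0
        fi
    done
    echo "no iptables backend has Docker's DOCKER chain; is dockerd running?" >&2
    return 1
}

# relink SBIN BACKEND: ensure SBIN/<tool> -> <tool>-BACKEND for every tool.
# Prints "<tool> kept" when nothing had to change, "<tool> relinked" otherwise.
relink() {
    sbin="$1"; backend="$2"
    for tool in $TOOLS; do
        want="$tool-$backend"
        cur=$(readlink "$sbin/$tool" 2>/dev/null || true)
        if [ "$cur" = "$want" ]; then
            echo "$tool kept"
            continue
        fi
        # Only here is the filesystem touched; on a read-only root this is
        # where an unconditional ln -nfs fails at container start.
        if ln -nfs "$want" "$sbin/$tool"; then
            echo "$tool relinked"
        else
            echo "cannot point $sbin/$tool at $want (read-only filesystem?)" >&2
            return 1
        fi
    done
}

# Constructed scratch tree: generic names point at nft while the fake probe
# says Docker's chain lives in legacy. The second relink pass must be all
# no-ops, which is the path that works on a read-only filesystem.
demo() {
    d=$(mktemp -d) || return 1
    for b in legacy nft; do
        for t in $TOOLS; do : > "$d/$t-$b"; done
    done
    for t in $TOOLS; do ln -s "$t-nft" "$d/$t"; done
    fake_probe() { [ "$1" = legacy ]; }
    backend=$(detect_backend fake_probe) || return 1
    first=$(relink "$d" "$backend" | grep -c relinked)
    second=$(relink "$d" "$backend" | grep -c kept)
    rm -rf "$d"
    echo "$backend relinked=$first kept=$second"
}

case "${1:-}" in
    --demo)  demo ;;
    --apply) backend=$(detect_backend) && relink /sbin "$backend" ;;
esac
```

`--demo` runs entirely in a temporary directory and needs no privileges; `--apply` is the form that belongs in an entrypoint and needs the NET_ADMIN capability the container already grants for the probe, plus a writable /sbin only in the case where a link really has to move. On a host like the Ubuntu one above, where the links already match, it writes nothing and the read-only setting is harmless.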

That makes sense (I have disabled auto-update for ipv6nat and the Ubuntu deployment has been some time ago), so I was comparing apples and oranges.

Thanks for the speedy reply, problem solved! :-)