worker with latest docker image - iptables: create-instance-chains: iptables: No chain/target/match by that name
avoidik opened this issue · 8 comments
Hi,
Could you please guide me on how I can fix the worker node issue inside the Docker container? I'm always getting the following error:
iptables: create-instance-chains: iptables: No chain/target/match by that name.
My configuration is here:
https://github.com/avoidik/compose_concourse/blob/master/docker-compose.yml
It has failed on:
{
  "timestamp": "1541758414.146682024",
  "source": "guardian",
  "message": "guardian.iptables-runner.command.failed",
  "log_level": 2,
  "data": {
    "argv": [
      "/worker-state/4.2.1/assets/iptables/sbin/iptables",
      "--wait",
      "--table",
      "nat",
      "-A",
      "w--prerouting",
      "--jump",
      "w--instance-pbd2incpuj9",
      "-m",
      "comment",
      "--comment",
      "cdc24ff9-ad25-4fc8-6443-5c5ae9317b35"
    ],
    "error": "exit status 1",
    "exit-status": 1,
    "session": "1.2",
    "stderr": "iptables: No chain/target/match by that name.\n",
    "stdout": "",
    "took": "2.687238ms"
  }
}
Solved with a Docker downgrade.
It's not really a fix though. I have the same issue, and I don't plan on downgrading my Docker install.
I agree; given CVE-2019-5736, a downgrade is not an option.
Had the same problem and after some debugging I could fix it for me by building the netfilter comment match module on the host system.
Activate the following kernel option and compile the module:
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
So my problem was the -m comment. Hopefully it can help someone in the future.
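Added example (not part of the issue thread or Concourse's own code): a small Python check that takes the failed iptables call from the guardian log entry quoted in the issue, extracts the match extensions it uses, and looks up the corresponding option in the host kernel config. The function names and the `CONFIG_NETFILTER_XT_MATCH_<NAME>` mapping are assumptions made for illustration; the mapping holds for `comment`, the option named in the comment above.

```python
import gzip, json, os, platform, re

# Trimmed copy of the guardian log entry quoted in the issue (argv and stderr only).
SAMPLE_ENTRY = json.dumps({
    "message": "guardian.iptables-runner.command.failed",
    "data": {
        "argv": ["/worker-state/4.2.1/assets/iptables/sbin/iptables", "--wait",
                 "--table", "nat", "-A", "w--prerouting",
                 "--jump", "w--instance-pbd2incpuj9",
                 "-m", "comment", "--comment", "cdc24ff9-ad25-4fc8-6443-5c5ae9317b35"],
        "stderr": "iptables: No chain/target/match by that name.\n",
    },
})

def required_matches(log_line):
    """Return the match extensions (-m/--match) used by a failed iptables call."""
    argv = json.loads(log_line)["data"]["argv"]
    return [argv[i + 1] for i, a in enumerate(argv[:-1]) if a in ("-m", "--match")]

def config_symbol(match):
    # Assumption: the usual CONFIG_NETFILTER_XT_MATCH_<NAME> naming, which holds
    # for "comment" but not necessarily for every iptables extension.
    return "CONFIG_NETFILTER_XT_MATCH_" + match.upper()

def option_state(config_text, symbol):
    """Return 'y' (built in), 'm' (module), or None when unset or absent."""
    m = re.search(rf"^{re.escape(symbol)}=([ym])$", config_text, re.MULTILINE)
    return m.group(1) if m else None

def load_kernel_config():
    """Read the running kernel's config from the two common locations, if present."""
    release = platform.release()
    for path, opener in (("/proc/config.gz", gzip.open), (f"/boot/config-{release}", open)):
        if os.path.exists(path):
            with opener(path, "rt") as fh:
                return fh.read()
    return None

def diagnose(log_line, config_text):
    """Map each match extension in the failed command to its kernel option state."""
    return {m: option_state(config_text, config_symbol(m)) for m in required_matches(log_line)}

if __name__ == "__main__":
    cfg = load_kernel_config()
    if cfg is None:
        print("kernel config not found at /proc/config.gz or /boot/config-<release>")
    else:
        for match, state in diagnose(SAMPLE_ENTRY, cfg).items():
            print(f"{config_symbol(match)}: {state or 'not set'}")
```

Run it on the Docker or Kubernetes host rather than inside the worker container, since the container shares the host kernel.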
I had this issue with Concourse on Kubernetes installed with the Helm chart. I was using Arch on the host with kernel 5.4.94-1-lts.
After some experimenting I found that changing the worker runtime to containerd solves the issue. Here's an excerpt from the values.yaml I used:
concourse:
  worker:
    runtime: containerd