Hard Dependency on iptables, Unable To Start on Fedora 38 Host
origintopleft opened this issue · 1 comment
Describe the bug
Fedora 38, instead of using iptables, uses a solution called firewalld to manage network access rules. This causes Concourse to fail with no recovery plan with the following error message:
containerd-garden-backend exited with error: setup host network failed: create chain or flush if exists failed: running [/usr/sbin/iptables -t filter -N CONCOURSE-OPERATOR --wait]: exit status 3: iptables v1.8.7 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Searching suggests the problem might be related to running on bizarre processor architectures like recent Mac models...except this is in Linux, on tried-and-true x86_64, and there isn't an Apple product anywhere involved.
Reproduction steps
- Download the official docker-compose.yml file, as suggested in the quickstart guide.
- Change CONCOURSE_CLIENT_SECRET, CONCOURSE_TSA_CLIENT_SECRET and CONCOURSE_EXTERNAL_URL. Unlikely to be related, but it is technically a change so I figure I should document it.
- docker compose up -d
Expected behavior
Concourse comes up
Additional context
I would very strongly prefer a solution that involves disabling the automatic firewall modification over one that simply "fixes" it to work with firewalld instead, as I'm not comfortable with anything other than myself modifying my firewall settings to begin with. I also intend to reverse proxy concourse behind nginx, on its own subdomain, and don't particularly need the container's port opened anyway.
I came across this on my fedora39 machine! The actual change that happened is that fedora is using nftables, which replaces iptables. firewalld is a frontend for nftables (source).

You can work around this on your host by running sudo modprobe iptable_filter.

Long-term, concourse should update the networking code to use nftables instead of iptables if it detects nftables is enabled.
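The error in the report comes from a legacy-backend iptables ("iptables v1.8.7 (legacy)" in the message), which talks to the kernel's xtables modules and therefore needs iptable_filter loaded before the filter table exists; an nftables host does not load that module on its own. The script below is an added example, not code from the Concourse project or from either participant in the thread. It checks for the table through /proc/net/ip_tables_names (the kernel's list of loaded xtables tables), recognises the exact failure quoted above, and applies the modprobe workaround so that it also survives a reboot. The persistence path under /etc/modules-load.d and the TABLES_FILE/PERSIST_FILE overrides are assumptions for this example; they are not Concourse settings.

```shell
#!/bin/sh
# Added example (not Concourse's own code, not from the issue author).
# Checks whether the legacy iptables "filter" table is available on the host
# and, if not, loads the iptable_filter module and makes that persist.
# Assumptions: /proc/net/ip_tables_names exists once an xtables module is
# loaded, and the host uses systemd's /etc/modules-load.d for boot-time
# module loading (both hold on a stock Fedora install).

TABLES_FILE="${TABLES_FILE:-/proc/net/ip_tables_names}"
PERSIST_FILE="${PERSIST_FILE:-/etc/modules-load.d/iptable_filter.conf}"

# Returns 0 if the given ip_tables_names file lists the "filter" table,
# 1 otherwise. The file is absent entirely when no xtables module is loaded,
# which is exactly the state that produces "Table does not exist".
filter_table_present() {
    f="${1:-$TABLES_FILE}"
    [ -r "$f" ] || return 1
    grep -qx 'filter' "$f"
}

# Classifies one line of iptables output: prints "missing-table" for the
# failure quoted in the issue, "other" for anything else, so a wrapper can
# decide whether modprobe is the right fix or the error needs a human.
classify_iptables_error() {
    case "$1" in
        *"can't initialize iptables table"*"Table does not exist"*)
            echo "missing-table" ;;
        *)
            echo "other" ;;
    esac
}

# Loads iptable_filter now (requires root) and records it so that
# systemd-modules-load reloads it at boot. Returns 0 only if the filter
# table is visible afterwards.
ensure_iptable_filter() {
    if filter_table_present; then
        echo "filter table already present"
        return 0
    fi
    modprobe iptable_filter || return 1
    printf 'iptable_filter\n' > "$PERSIST_FILE"
    filter_table_present
}

# Stand-alone usage: run as root on the host before starting the worker:
#   sudo sh ./iptable_filter_check.sh --apply
if [ "${1:-}" = "--apply" ]; then
    ensure_iptable_filter
fi
```

Note that this only makes the kernel table available so the worker can create its chains; it does not stop Concourse from inserting its own rules, which is the behaviour the reporter wanted to avoid, and the page names no setting for that.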