
Hard Dependency on iptables, Unable To Start on Fedora 38 Host #527

Closed
origintopleft opened this issue Dec 21, 2023 · 3 comments

@origintopleft

Describe the bug

Fedora 38, instead of using iptables, uses a solution called firewalld to manage network access rules. This causes Concourse to fail with no recovery plan with the following error message:

containerd-garden-backend exited with error: setup host network failed: create chain or flush if exists failed: running [/usr/sbin/iptables -t filter -N CONCOURSE-OPERATOR --wait]: exit status 3: iptables v1.8.7 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)

Searching suggests the problem might be related to running on bizarre processor architectures like recent Mac models...except this is in Linux, on tried-and-true x86_64, and there isn't an Apple product anywhere involved.

Reproduction steps

  1. Download the official docker-compose.yml file, as suggested in the quickstart guide.
  2. Change CONCOURSE_CLIENT_SECRET, CONCOURSE_TSA_CLIENT_SECRET and CONCOURSE_EXTERNAL_URL. Unlikely to be related, but it is technically a change so I figure I should document it.
  3. docker compose up -d

Expected behavior

Concourse comes up

Additional context

I would very strongly prefer a solution that involves disabling the automatic firewall modification over one that simply "fixes" it to work with firewalld instead, as I'm not comfortable with anything other than myself modifying my firewall settings to begin with. I also intend to reverse proxy concourse behind nginx, on its own subdomain, and don't particularly need the container's port opened anyway.

@taylorsilva
Member

I came across this on my fedora39 machine! The actual change that happened is that fedora is using nftables which replaces iptables. firewalld is a frontend for nftables (source)

You can work around this on your host by running sudo modprobe iptable_filter.

Long-term, concourse should update the networking code to use nftables instead of iptables if it detects nftables is enabled.

@taylorsilva taylorsilva removed the bug label Apr 5, 2024
@analytically

On AL2023, users should run dnf install iptables-nft

@taylorsilva
Member

Closing this issue as it's not really a docs issue. We need to update Concourse to use nftables if they're available on the host system.
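The two host states discussed in this thread (a legacy iptables whose `iptable_filter` module is not loaded, versus an nf_tables-backed iptables) can be checked before the worker container is started. The script below is an added example, not Concourse project code; the function names are mine, and it assumes `iptables --version` and `/proc/modules` are readable on the host.

```shell
#!/bin/sh
# Added example, not Concourse project code: preflight check for the failure in
# this thread. It classifies the iptables backend from `iptables --version` output
# and, for the legacy backend, checks that the iptable_filter module is loaded.

# Print "legacy", "nft" or "unknown" for the given `iptables --version` text.
iptables_backend() {
  case "$1" in
    *"(legacy)"*)    echo legacy ;;
    *"(nf_tables)"*) echo nft ;;
    *)               echo unknown ;;
  esac
}

# $1 = backend, $2 = text of /proc/modules (or lsmod). Exit 0 when
# `iptables -t filter -N CONCOURSE-OPERATOR` can be expected to succeed.
filter_table_ready() {
  case "$1" in
    nft)    return 0 ;;   # nf_tables creates the filter table on first use
    legacy) printf '%s\n' "$2" | grep -q '^iptable_filter[[:space:]]' ;;
    *)      return 1 ;;
  esac
}

# Print the remediation the thread arrived at for a backend that is not ready.
remediation() {
  case "$1" in
    legacy)  echo "sudo modprobe iptable_filter (or install iptables-nft)" ;;
    unknown) echo "install an iptables frontend, e.g. dnf install iptables-nft" ;;
    *)       echo "none needed" ;;
  esac
}

# Live check against this host; needs no privileges.
preflight() {
  ver=$(iptables --version 2>/dev/null || true)
  mods=$(cat /proc/modules 2>/dev/null || true)
  be=$(iptables_backend "$ver")
  if filter_table_ready "$be" "$mods"; then
    echo "iptables backend=$be: filter table ready"
  else
    echo "iptables backend=$be: NOT ready; try: $(remediation "$be")"
  fi
  return 0
}

if command -v iptables >/dev/null 2>&1; then preflight; fi
```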
