Iptables – Docker iptables error after system update

Tags: arch-linux, docker, iptables

After recently running pacman -Syu, then installing some unrelated packages, on a computer running Arch Linux, exposing ports of a new container using --publish produces a strange error.

Here's an example of the error produced:

docker: Error response from daemon: driver failed programming external connectivity on endpoint bsp-devkit (7a47f30eaa0e104d6b9a7b75003a768e734182e20e057e51d33cca23da7dbf02):  (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 10809 -j DNAT --to-destination 172.17.0.2:10809 ! -i docker0: iptables v1.8.2 (legacy): unknown option "--dport"
Try `iptables -h' or 'iptables --help' for more information.
 (exit status 2)).

Here's a Docker run command that's failing in this way:

docker run \
 --publish=2223:22 \
 --publish=8000:8000 \
 --publish=69:69/udp --publish=10809:10809 \
 --detach=true --privileged \
 --hostname=bsp-devkit --name=bsp-devkit \
 -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
 -v $MIRRORDIR:/home/devel/mirror \
 -it $IMAGE

This is very weird to me, because it seems like a regression caused by a newer version of iptables, but the iptables version has "legacy" written after it (so why would that version be updated with a breaking change?) and I also haven't found anyone else online asking about this specific error so I must have messed something up really badly.

The packages I installed included the hex editor Bless, but I don't remember if I installed anything else.

Additional Notes
– I have never configured a firewall on this system
– This computer is on a VPN, but this hasn't been an issue before

Updates:

  • Updating Docker does not fix the issue
  • Downgrading the iptables package to v1.8.0 from the pacman cache doesn't fix it…
  • iptables daemon doesn't seem to be running; logs say /etc/iptables/iptables.rules is missing
  • The problem persists after creating iptables.rules and starting the daemon

Best Answer

I've managed to fix this so far by downgrading iptables and restarting the system (restarting the Docker daemon is not enough).

In my case the old version of iptables was in the pacman cache, so I could downgrade with the following:

pacman -U /var/cache/pacman/pkg/iptables-1:1.8.0-1-x86_64.pkg.tar.xz

I still would like to know why this happened and why I haven't seen the error anywhere else, so if anybody comments some information here I'll update my answer.
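As an added example (not code from the post, from Docker or from the iptables project), the POSIX shell helpers below triage the error shown in the question: they pull the exact iptables command out of the daemon message, read the backend tag ("legacy" or "nf_tables") from the version string, name the match-extension library that "-p tcp" or "-p udp" makes iptables load, and check two things a system update can leave inconsistent until reboot: the extension library directory (iptables honours the XTABLES_LIBDIR environment variable; the /usr/lib/xtables default used here is an assumption, distributions differ) and the module tree for the running kernel under /lib/modules. The sample error text is the one from the question joined onto one line; nothing in the script changes firewall state.

```shell
#!/bin/sh
# Added triage helpers for the Docker "iptables failed ... unknown option
# --dport" error from the question. Example code written for this page,
# not from the post, Docker or the iptables project.

# The daemon error from the question, on one line so it can be parsed
# offline (the endpoint id is the one the question shows).
SAMPLE_ERROR='docker: Error response from daemon: driver failed programming external connectivity on endpoint bsp-devkit (7a47f30eaa0e104d6b9a7b75003a768e734182e20e057e51d33cca23da7dbf02):  (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 10809 -j DNAT --to-destination 172.17.0.2:10809 ! -i docker0: iptables v1.8.2 (legacy): unknown option "--dport"'

# Recover the exact iptables command the daemon ran: the text between
# "(iptables failed: " and ": iptables v". Re-running it by hand (as root)
# separates a Docker problem from an iptables one.
extract_iptables_cmd() {
    printf '%s\n' "$1" | sed -n 's/.*(iptables failed: \(.*\): iptables v.*/\1/p'
}

# Report the backend named in an iptables version string, e.g. "legacy"
# for "iptables v1.8.2 (legacy)" or "nf_tables" for the nft wrapper.
# Prints nothing for versions that name no backend.
iptables_backend() {
    printf '%s\n' "$1" | sed -n 's/.*iptables v[0-9.]* (\([a-z_]*\)).*/\1/p'
}

# Options such as --dport belong to the protocol match extension that
# "-p tcp" / "-p udp" pulls in; iptables loads it from a shared object
# (libxt_tcp.so, libxt_udp.so). Print that library name for the -p value
# found in an iptables command line, or nothing if there is no -p.
match_lib_for_cmd() {
    proto=$(printf '%s\n' "$1" | sed -n 's/.*-p \([a-z]*\).*/\1/p')
    if [ -n "$proto" ]; then
        printf 'libxt_%s.so\n' "$proto"
    fi
}

# Return 0 when the extension library exists in the given directory.
# iptables reads XTABLES_LIBDIR; the compiled-in default differs per
# distribution (assumed /usr/lib/xtables in triage below).
xt_extension_present() {
    [ -f "$1/$2" ]
}

# Return 0 when the module tree for kernel $2 exists under $1.
# After a kernel upgrade the tree for the kernel that is still running is
# gone until reboot, so rules that need a not-yet-loaded module fail;
# rebooting, as in the answer, clears that state.
running_kernel_has_modules() {
    [ -d "$1/$2" ]
}

# Triage an error text (argument, or the constructed sample). Live checks
# run only when iptables is installed.
triage() {
    err=${1:-$SAMPLE_ERROR}
    cmd=$(extract_iptables_cmd "$err")
    echo "failing command : $cmd"
    echo "backend in error: $(iptables_backend "$err")"
    lib=$(match_lib_for_cmd "$cmd")
    libdir=${XTABLES_LIBDIR:-/usr/lib/xtables}   # assumed default
    if command -v iptables >/dev/null 2>&1; then
        echo "installed       : $(iptables -V 2>/dev/null)"
        echo "binary          : $(readlink -f "$(command -v iptables)")"
        if xt_extension_present "$libdir" "$lib"; then
            echo "extension       : $libdir/$lib present"
        else
            echo "extension       : $libdir/$lib MISSING (check XTABLES_LIBDIR)"
        fi
    fi
    if running_kernel_has_modules /lib/modules "$(uname -r)"; then
        echo "kernel modules  : present for $(uname -r)"
    else
        echo "kernel modules  : missing for $(uname -r); reboot before retrying"
    fi
}

triage "$@"
```

Run it with no arguments to triage the sample from the question, or pass the text of a fresh daemon error as the first argument; when the command line it prints fails the same way when typed as root, the problem lies between the iptables binary, its extension libraries and the kernel rather than in Docker.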