debian下安装docker报错iptables failed: iptables --wait -t nat -N DOCKER: iptables v1.6.0: initialize iptables table nat: Table does not exist

本文地址:http://www.04007.cn/article/691.html

    最近在不熟悉的debian下执行docker安装启动的时候遇到一个棘手的问题，apt-get install安装后启动显示报错：subprocess installed post-installation script returned error exit status 1，对此问题进行了多种查找尝试未找到解决办法。docker可通过执行dockerd命令来启动同时详细显示错误信息，执行dockerd后显示了更进一步的详细报错：Error starting daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain DOCKER: iptables failed: iptables --wait -t nat -N DOCKER: iptables v1.6.0: can't initialize iptables table `nat': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded。本文地址:http://www.04007.cn/article/691.html,未经许可,不得转载.

    这个报错基本能将错误锁定在iptables上，但是经过百度google了很多内容，也未找到切实可行的解决办法。有一些文章中包括评论里不少人提到自己通过重启服务器，然后它就Ok了，但依然没有找到具体问题的根源。也有不少国内外文章提到需要对linux内核进行升级处理，重新编译安装内核，例如:https://resowolf.com/centos%E4%B8%8Adocker%E6%97%A0%E6%B3%95%E5%90%AF%E5%8A%A8 基本重新编译安装内核都解决了。但因为我这是公司的机器，这样操作有些风险也不一定会认可，这个方法我也没有尝试。另外技术的问题我相信总会有办法的，即便不升级内核。本文地址:http://www.04007.cn/article/691.html,未经许可,不得转载.

报错及解决办法如下：本文地址:http://www.04007.cn/article/691.html,未经许可,不得转载.

#安装docker-ce报错内容如下
root@n139:~# apt install docker-ce
Reading package lists... Done
Building dependency tree
......
Job for docker.service failed because the control process exited with error code.
See "systemctl status docker.service" and "journalctl -xe" for details.
invoke-rc.d: initscript docker, action "start" failed.
● docker.service - Docker Application Container Engine
   Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Tue 2019-11-05 13:44:25 CST; 5ms ago
     Docs: https://docs.docker.com
  Process: 137865 ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock (code=exited, status=1/FAILURE)
 Main PID: 137865 (code=exited, status=1/FAILURE)
      CPU: 120ms

Nov 05 13:44:25 n147-026-139 systemd[1]: docker.service: Unit entered failed state.
Nov 05 13:44:25 n147-026-139 systemd[1]: docker.service: Failed with result 'exit-code'.
dpkg: error processing package docker-ce (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 docker-ce
E: Sub-process /usr/bin/dpkg returned an error code (1)
#执行dockerd查看启动时的详细报错信息
root@n139:~# dockerd
......
INFO[2019-11-05T13:43:29.067390732+08:00] Loading containers: start.
Error starting daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain DOCKER: iptables failed: iptables --wait -t nat -N DOCKER: iptables v1.6.0: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
 (exit status 3)
#通过对iptable的加载模块进行排查
root@n139:~# modinfo iptable_nat
filename:       /lib/modules/4.14.81.bm.12-amd64/kernel/net/ipv4/netfilter/iptable_nat.ko
license:        GPL
depends:        ip_tables,nf_nat_ipv4
intree:         Y
name:           iptable_nat
vermagic:       4.14.81.bm.12-amd64 SMP mod_unload modversions
root@n139:~# modinfo nf_nat_ipv4
filename:       /lib/modules/4.14.81.bm.12-amd64/kernel/net/ipv4/netfilter/nf_nat_ipv4.ko
alias:          nf-nat-2
license:        GPL
depends:        nf_conntrack,nf_nat
intree:         Y
name:           nf_nat_ipv4
vermagic:       4.14.81.bm.12-amd64 SMP mod_unload modversions
root@n139:~# insmode /lib/modules/4.14.81.bm.12-amd64/kernel/net/ipv4/netfilter/nf_nat_ipv4.ko
-bash: insmode: command not found
#下面这个命令就被阻塞了，一直没有结果
root@n139:~# insmod /lib/modules/4.14.81.bm.12-amd64/kernel/net/ipv4/netfilter/nf_nat_ipv4.ko
#如果模块正常，执行这个命令就应该返回模块已经存在的错误
root@n139:~# insmod /lib/modules/4.14.81.bm.12-amd64/kernel/net/ipv4/netfilter/nf_nat_ipv4.ko
insmod: ERROR: could not insert module /lib/modules/4.14.81.bm.12-amd64/kernel/net/ipv4/netfilter/nf_nat_ipv4.ko: File exists
#查看一下排除内核模块的配置，发现这里真有这么些相关的东西被加入blacklist了
root@n139:~# cat /etc/modprobe.d/nf-blacklist.conf
alias iptable_nat none

blacklist iptable_nat
blacklist nf_nat
blacklist nf_conntrack_ipv4
blacklist nf_defrag_ipv4
blacklist nf_conntrack
root@n139:~#

将/etc/modprobe.d/nf-blacklist.conf文件里的这些模块注释掉或者将此文件更换个名字，就可以了。
docker安装的官方文档：https://docs.docker.com/v17.12/install/linux/docker-ce/debian/#install-docker-ce-1本文地址:http://www.04007.cn/article/691.html,未经许可,不得转载.

本文地址:http://www.04007.cn/article/691.html 未经许可,不得转载. 手机访问本页请扫描右下方二维码.

手机扫码直接打开本页面