Search the Community

Hi everyone, I'm trying to use docker on the Tinker System 3N, but it's not work properly. If possible, could you please provide any solutions you might have? [What I'd like to do] To use latest verion of docker on the Tinker System 3N [Systems Information] System: Tinker System 3N Tinker OS: Tinker System 3N/Tinker Board 3N Debian 11 (Kernel 5.10) V1.0.31 docker-ce: v28.4.0 iptables: v1.8.7 [Problems Encountered] Problem 1: When the docker daemon is started, the following error is recorded, and docker daemon does not work properly. failed to start daemon: Error initializing network controller: error obtaining controller instance: failed to register "bridge" driver: failed to add jump rules to ipv4 NAT table: failed to append jump rules to nat-PREROUTING: (iptables failed: iptables --wait -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER: iptables v1.8.7 (nf_tables): Couldn't load match 'addrtype':No such file or directory Try 'iptables -h' or 'iptables --help' for more information (exit status 2)) Assumed Cause: The mach 'addrtype' is not loaded on kernel/iptables(nftables). Problem 2: When I tried to run docker container, the following error is recorded, and docker container does not work properly. docker: Error response from daemon: failed to set up container networking: failed to create endpoint nifty_wilbur on network bridge: unableto enable DIRECT ACCESS FILTERING - DROP rule: (iptables failed: iptables --wait -t raw -A PREROUTING -d 172.17.0.2 ! -i docker0 -j DROP: iptables v1.8.7 (legacy): can't initialize iptables table 'raw': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded. (exit status 3)) Assumed Cause: CONFIG_IP_NF_RAW seems to be required for docker v28.0.0 or later, but CONFIG_IP_NF_RAW is not provided by the kernel. Ref: https://docs.docker.com/engine/release-notes/28/ [Possible Solutions] Solution A: 1. Use iptables-legacy: $ sudo update-alternatives --set iptables /usr/sbin/iptables-legacy $ sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy 2. Disable CONFIG_IP_NF_RAW: $ sudo systemctl edit docker.service And add following configration: [Service] Environment="DOCKER_INSECURE_NO_IPTABLES_RAW=1" Result: docker will work. --------------------------------- Solution B: 1. Use iptables-legacy: $ sudo update-alternatives --set iptables /usr/sbin/iptables-legacy $ sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy 2. Downgrade docker to v27.5.1: $ sudo apt-get install docker-ce=5:27.5.1-1~debian.11~bullseye docker-ce-cli=5:27.5.1-1~debian.11~bullseye Result: docker will work. --------------------------------- Solution C: 1. Disalbe the use of iptables in docker: $ sudo vim /etc/docker/daemon.json And add following configration: { "iptables": false } Result: docker will work. [Conclusion] Each possible solution resolves the issue; however, there are still security concerns. Does anyone have any other solutions?

#docker engine installation on tinker board r2.0 #OS: Debian 10 v.3.0.11 (kernel 4.4) #docker engine version: server 23.0.1 (updated/ easier way to install) sudo apt-get update sudo apt-get upgrade sudo apt-get remove -y docker docker-engine docker.io containerd runc sudo apt-get install ca-certificates curl sudo echo insecure >> $HOME/.curlrc curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin sudo update-alternatives --set iptables /usr/sbin/iptables-legacy sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy #reboot the board so the new iptables/ ip6tables come effective sudo reboot now sudo usermod -aG docker $USER sudo docker run hello-world (a slightly outdate way to install) sudo apt-get update sudo apt-get upgrade sudo apt-get install ca-certificates curl gnupg lsb-release sudo mkdir -m 0755 -p /etc/apt/keyrings sudo echo insecure >> $HOME/.curlrc sudo echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://downlaod.docker.com/linux/debian stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null | printf "%s\n" "deb [arch=amd64] https://download.docker.com/linux/debian buster stable" | sudo tee /etc/apt/sources.list.d/docker.list curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - sudo modprobe ip_tables sudo su echo ip_tables >> /etc/modules sudo update-alternatives --set iptables /usr/sbin/iptables-legacy sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin ##result sudo docker run hello-world Unable to find image 'hello-world:latest' locally latest: Pulling from library/hello-world 04341b189be6: Pull complete Digest: sha256: Status: Downloaded newer image for hello-world:latest Hello from Docker! This message shows that your installation appears to be working correctly. To generate this message, Docker took the following steps: 1. The Docker client contacted the Docker daemon. 2. The Docker daemon pulled the "hello-world" image from the Docker Hub. (arm32v7) 3. The Docker daemon created a new container from that image which runs the executable that produces the output you are currently reading. 4. The Docker daemon streamed that output to the Docker client, which sent it to your terminal. To try something more ambitious, you can run an Ubuntu container with: $ docker run -it ubuntu bash Share images, automate workflows, and more with a free Docker ID: https://hub.docker.com/ For more examples and ideas, visit: https://docs.docker.com/get-started/ sudo docker info Client: Context: default Debug Mode: false Plugins: buildx: Docker Buildx (Docker Inc.) Version: v0.10.2 Path: /usr/libexec/docker/cli-plugins/docker-buildx compose: Docker Compose (Docker Inc.) Version: v2.16.0 Path: /usr/libexec/docker/cli-plugins/docker-compose Server: Containers: 1 Running: 0 Paused: 0 Stopped: 1 Images: 1 Server Version: 23.0.1 Storage Driver: overlay2 Backing Filesystem: extfs Supports d_type: true Using metacopy: false Native Overlay Diff: true userxattr: false Logging Driver: json-file Cgroup Driver: cgroupfs Cgroup Version: 1 Plugins: Volume: local Network: bridge host ipvlan macvlan null overlay Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog Swarm: inactive Runtimes: io.containerd.runc.v2 runc Default Runtime: runc Init Binary: docker-init containerd version: runc version: v1.1.4-0-g5fd4c4d init version: de40ad0 Security Options: seccomp Profile: builtin Kernel Version: 4.4.194 Operating System: Debian GNU/Linux 10 (buster) OSType: linux Architecture: armv7l CPUs: 4 Total Memory: 1.944GiB Name: linaro-alip ID: Docker Root Dir: /var/lib/docker Debug Mode: false Registry: https://index.docker.io/v1/ Experimental: false Insecure Registries: 127.0.0.0/8 Live Restore Enabled: false ##if you're not able to execute sudo apt-get update afterwards, please do the following: sudo rm /var/cache/apt/archives/lock sudo rm /var/lib/dpkg/lock