[Bug]: nf_tables not initialized - Docker daemon fails inside containers

[jmgilman]

I have done the following

• I have searched the existing issues
• If possible, I've reproduced the issue using the 'main' branch of this project

Steps to reproduce

# 1. Start a systemd-enabled container
container run -d --name dind-test --memory 8g jrei/systemd-ubuntu:22.04
sleep 15

# 2. Install Docker
container exec dind-test bash -c "
  apt-get update && apt-get install -y ca-certificates curl
  install -m 0755 -d /etc/apt/keyrings
  curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
  chmod a+r /etc/apt/keyrings/docker.asc
  echo 'deb [arch=arm64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu jammy stable' > /etc/apt/sources.list.d/docker.list
  apt-get update && apt-get install -y docker-ce docker-ce-cli containerd.io
"

# 3. Try to start Docker (fails)
container exec dind-test systemctl start docker
container exec dind-test journalctl -u docker --no-pager | tail -20

Current behavior

Docker fails with:

failed to create NAT chain DOCKER: iptables failed: iptables --wait -t nat -N DOCKER:
iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument

Expected behavior

Docker daemon starts successfully.

Environment

- OS: 26.2 (Tahoe)
- Xcode: 26.2
- Container: 0.7.1

Relevant log output

N/A

Code of Conduct

• I agree to follow this project's Code of Conduct

[dcantah]

It's possible the kata kernel we use by default doesn't have the bits needed, let me see

[dcantah]

Doesn't seem so (just checking one):

# CONFIG_NF_TABLES is not set

Couple things you can do though. You can swap to the legacy backend iirc, or you can try another kernel with the --kernel flag to run/create. There's instructions on making a new kernel here (or you can use whatever you want, but this is usually easiest):

https://github.com/apple/containerization/tree/main/kernel and follow the README instructions. It seems our kernel config there should have what's needed turned on.

[jmgilman]

Yeah, I was thinking the custom kernel was the next step, but also wondering if there's a reason it's not turned on for the default kernel.

[jglogan]

@jmgilman It's simply that we don't embed a Linux kernel with container. The Kata kernel was what we chose as it's designed for use in lightweight VMs but as you found, it is missing features for some workloads, including Docker Engine.

[afbjorklund]

This was the workaround for docker/kubernetes that we did earlier:

update-alternatives --set iptables /usr/sbin/iptables-legacy

There were similar issues with the IPv6 support, so also needed disabling...

• run kubernetes #81 (comment)