Unable to run container with bridge network in Alpine Linux ("iptables v1.8.10 (nf_tables): table `nat' is incompatible, use 'nft' tool.") #3788

Open
hronro opened this issue Dec 23, 2024 · 7 comments

Comments

@hronro

hronro commented Dec 23, 2024

Description

I believe this bug has existed since Alpine Linux switched to using nft as the default iptables backend starting with version 3.19.0. Currently, this bug affects Alpine versions 3.19.x, 3.20.x, and 3.21.x.

Steps to reproduce the issue

  1. Install nerdctl from the Alpine package manager: apk add nerdctl.
  2. Start containerd service: rc-service containerd start.
  3. Run a container and publish a port: nerdctl run --rm -it -p 3000:3000 alpine

Describe the results you received and expected

Got an error:

FATA[0001] failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error running createRuntime hook #0: exit status 1, stdout: , stderr: time="2024-12-23T16:58:56+08:00" level=fatal msg="failed to call cni.Setup: plugin type=\"bridge\" failed (add): failed to list chains: running [/usr/sbin/iptables -t nat -S --wait]: exit status 1: iptables v1.8.10 (nf_tables): table `nat' is incompatible, use 'nft' tool.\n"

No errors when I use the host network: nerdctl run --rm --network host -it alpine

What version of nerdctl are you using?

WARN[0000] unable to determine buildctl version: exec: "buildctl": executable file not found in $PATH
Client:
Version:
OS/Arch: linux/arm64
Git commit:
buildctl:
Version:

Server:
containerd:
Version: v2.0.0
GitCommit: 207ad711eabd375a01713109a8a197d197ff6542
runc:
Version: 1.2.2
GitCommit: 7cb363254b69e10320360b63fb73e0ffb5da7bf2

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None

Host information

No response

@hronro hronro added the kind/unconfirmed-bug-claim Unconfirmed bug claim label Dec 23, 2024
@AkihiroSuda AkihiroSuda changed the title Unable to run container with bridge network in Alpine Linux Unable to run container with bridge network in Alpine Linux (iptables v1.8.10 (nf_tables): table `nat' is incompatible, use 'nft' tool.) Dec 24, 2024
@AkihiroSuda AkihiroSuda changed the title Unable to run container with bridge network in Alpine Linux (iptables v1.8.10 (nf_tables): table `nat' is incompatible, use 'nft' tool.) Unable to run container with bridge network in Alpine Linux ("iptables v1.8.10 (nf_tables): table `nat' is incompatible, use 'nft' tool.") Dec 24, 2024
@hronro
Author

hronro commented Dec 24, 2024

@AkihiroSuda I believe there is already an issue in the containernetworking/plugins repository:

containernetworking/plugins#461

The issue reporter ended up implementing his own CNI plugin for nft, which appears to be designed specifically for Podman. I'm unsure if it works with nerdctl. As a nerdctl end user, should I install the plugin manually, or should I wait for nerdctl to integrate it?

@AkihiroSuda
Member

Let's try to see if the upstream plugins can support nft

containernetworking/plugins#461 (comment)

@AkihiroSuda
Member

AkihiroSuda commented Dec 24, 2024

BTW the port forwarding just works for me (Alpine 3.20, aarch64; tried 3.21 too)

alpine-release-3.20.3-r0
cni-plugins-1.4.1-r3
containerd-1.7.17-r2
iptables-1.8.10-r3
nerdctl-1.7.7-r0
# ls -l /sbin/iptables
lrwxrwxrwx 1 root root 17 Dec 24 18:51 /sbin/iptables -> xtables-nft-multi

@hronro
Author

hronro commented Dec 25, 2024

@AkihiroSuda I have tested both virtual and physical machines, and I encountered the same error on all of them.

Could you please share how you installed Alpine Linux? Was it a fresh installation, or did you make any modifications? Did you use the official ISO from https://www.alpinelinux.org/downloads, or did you opt for pre-made VM images that might include modifications? Does it include a cloud-init process?

@AkihiroSuda
Member

limactl start template://alpine with Lima v1.0.2 on macOS 15.2 (ARM).
This version uses nocloud_alpine-3.20.3-aarch64-uefi-cloudinit-r0.qcow2.

https://github.com/lima-vm/lima/blob/v1.0.2/templates/alpine.yaml

@AkihiroSuda
Member

This might be related: https://github.com/lima-vm/lima/blob/v1.0.2/pkg/cidata/cidata.TEMPLATE.d/boot/00-modprobe.sh

set -eu
for f in \
	fuse \
	tun tap \
	bridge veth \
	ip_tables ip6_tables iptable_nat ip6table_nat iptable_filter ip6table_filter \
	nf_tables \
	x_tables xt_MASQUERADE xt_addrtype xt_comment xt_conntrack xt_mark xt_multiport xt_nat xt_tcpudp \
	overlay; do
	echo "Loading kernel module \"$f\""
	if ! modprobe "$f"; then
		echo >&2 "Failed to load \"$f\" (negligible if it is built-in the kernel)"
	fi
done
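As an added diagnostic that is not part of the issue, nerdctl, the CNI plugins or Lima, the script below reruns the exact iptables command the bridge plugin failed on in the report, classifies the error text, reports which backend the iptables binary resolves to, and lists which of the modules from the Lima boot script above are currently listed in /proc/modules. The verdict names (incompatible-table, missing-kernel-support) are labels chosen here, not iptables or CNI terms.

```shell
# Added diagnostic (not from the issue, nerdctl or CNI): rerun the bridge plugin's iptables check and classify the result.

# Pure helper: map iptables stderr text to a short verdict (testable offline).
classify_iptables_error() {
	case "$1" in
	"") echo ok ;;
	*"is incompatible, use 'nft' tool"*)
		# iptables-nft found an nftables table named 'nat' whose chains it
		# cannot map onto its own model (table created by another tool).
		echo incompatible-table ;;
	*"do you need to insmod"*)
		# classic message when the nat table's kernel modules are absent
		echo missing-kernel-support ;;
	*) echo unknown ;;
	esac
}

# Which backend does 'iptables' resolve to? On Alpine 3.19+ the symlink
# points at xtables-nft-multi, as shown in the maintainer's 'ls -l' output.
iptables_backend() {
	bin=$(command -v iptables 2>/dev/null) || { echo none; return; }
	case "$(readlink -f "$bin")" in
	*nft*) echo nft ;;
	*legacy*) echo legacy ;;
	*) echo unknown ;;
	esac
}

# Run exactly what the bridge plugin ran ("iptables -t nat -S --wait"),
# keep only stderr and classify it.
check_nat_table() {
	command -v iptables >/dev/null 2>&1 || { echo missing-iptables; return; }
	if err=$(iptables -t nat -S --wait 2>&1 >/dev/null); then err=""; fi
	classify_iptables_error "$err"
}

# Which of the modules the Lima boot script loads are listed right now?
# (built-in modules never appear in /proc/modules, so "not-listed" is only a hint)
nat_modules_status() {
	for m in nf_tables ip_tables iptable_nat x_tables xt_MASQUERADE; do
		if grep -q "^$m " /proc/modules 2>/dev/null; then
			echo "$m loaded"
		else
			echo "$m not-listed"
		fi
	done
}

echo "backend: $(iptables_backend)"
echo "nat table check: $(check_nat_table)"
nat_modules_status
```

Run it as root on the affected host; an incompatible-table verdict with an nft backend points at an nftables `nat` table created outside iptables-nft, while missing-kernel-support points at the module list the Lima script loads.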
