WSL2 Kernel do not support nftables and causing docker failed to start up in Ubuntu 20.10+

[patrick330602]

Environment

Windows build number: 21327
Your Distribution version: Ubuntu Hirsute Hippo (development branch)
Whether the issue is on WSL 2 and/or WSL 1: WSL2

Steps to reproduce

1. Installing Ubuntu 20.10 (the best way is Ubuntu on Windows Community Preview)
2. installing docker from the ubuntu repository (sudo apt install docker.io)
3. start dockerd;

Expected behavior

dockerd should end up at the state API listen on /var/run/docker.sock

Actual behavior

dockerd throws the following error:

 failed to start daemon: Error initializing network controller: error obtaining controller instance: unable to add return rule in DOCKER-ISOLATION-STAGE-1 chain:  (iptables failed: iptables --wait -A DOCKER-ISOLATION-STAGE-1 -j RETURN: iptables v1.8.7 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain DOCKER-ISOLATION-STAGE-1
 (exit status 4))

Some related stuff

related article: https://patrickwu.space/2021/03/09/wsl-solution-to-native-docker-daemon-not-starting/
related bug report: https://bugs.launchpad.net/ubuntu-wsl-integration/+bug/1908539

[WSLUser]

In the kernel config:

#
# IP: Netfilter Configuration
#
CONFIG_NF_DEFRAG_IPV4=y
# CONFIG_NF_SOCKET_IPV4 is not set
# CONFIG_NF_TPROXY_IPV4 is not set
CONFIG_NF_TABLES_IPV4=y
# CONFIG_NFT_DUP_IPV4 is not set
# CONFIG_NFT_FIB_IPV4 is not set
# CONFIG_NF_TABLES_ARP is not set
# CONFIG_NF_DUP_IPV4 is not set
# CONFIG_NF_LOG_ARP is not set
CONFIG_NF_LOG_IPV4=y
CONFIG_NF_REJECT_IPV4=y

IPv4 is supported as shown here. I noticed Patrick identified using 5.8 instead seems to work. Use my kernel config with 5.8 kernel (or use a newer kernel) and you should be fine until MS decides to bump up to stable. I think they're sticking to LTS releases though.

[therealkenc]

/dupe #6044. There is some docker talk in #4872 (message).

[ghost]

Hi! We've identified this issue as a duplicate of another one that already exists in this repository. This specific instance is being closed in favor of tracking the concern over on the referenced thread.

Thanks for your report!

[Unintendedz]

wsl2 ubuntu 22.04, This worked for me

sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

sudo dockerd &

[wooncherk]

wsl2 ubuntu 22.04, This worked for me

sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

sudo dockerd &

This saved the day! Thanks! :)

[Narc17]

wsl2 ubuntu 22.04, This worked for me

sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

sudo dockerd &

Thanks a lot. wsl2 ubuntu 22.04 with Docker Desktop in Windows 10 Enterprise 21H2 here.
You saved my day! :D

[jlegido]

It also works in Debian distro

[bolodecenouracomcafe]

Thanks! Works for me too with Windows 11 Home 22H2, WSL version 2 with Ubuntu

wsl2 ubuntu 22.04, This worked for me

sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

sudo dockerd &

[Biswa96]

This seems to be an old issue. dockerd works without those iptables commands in newer Linux distributions with WSL from Windows Store.

[drehermi]

@Biswa96 : can you please be more precise?

I mean I'm using the following versions of "Debian" and can't get it running:

$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

$ uname -a
Linux md1u9ddc 4.4.0-19041-Microsoft #1237-Microsoft Sat Sep 11 14:32:00 PST 2021 x86_64 GNU/Linux

To be more precise the iptables command gives the following error:

$ sudo iptables-legacy -L
iptables v1.8.7 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

But there seems to be no newer kernel version:

wsl -d Debian --update
Checking for updates...
No updates are available.
Kernel version: 5.10.102.1

wsl -d Debian --status
Default Distribution: score
Default Version: 2

Windows Subsystem for Linux was last updated on 12.10.2022
WSL automatic updates are on.

Kernel version: 5.10.102.1

Michael

[Biswa96]

From the output of uname -a in your Debian distribution, it seems that it is still running in WSL1 environment. You can confirm that by running wsl.exe -l -v command. If yes, try to convert the distribution with wsl.exe --set-version Debian 2 command.

[drehermi]

wsl.exe --set-version Debian 2

@Biswa96: thanks, exactly that was the problem, now it is working!

I was installing WSL2 and assuming that all distributions would then run wsl2 but as you said the Debian one was still running WLS1. I was not aware that it is possible to mix WSL2 and WSL1.

The output of wsl -d Debian --status is misleading because it doesn't show the actual WSL version but only the default one.

[Biswa96]

The output of wsl -d Debian --status is misleading...

That command is not valid or at least it does not work the way you intended. The --status option is not distribution specific, just like --help or --version etc. The wsl.exe --status command would show the same output.

[randuladela]

sudo dockerd &

Whoever you are ,you saved my day,thanks

[liuya1s]

wsl2 ubuntu 22.04, This worked for me

sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

sudo dockerd &

Thanks a lot, docker is running！

[jlriven]

using systemctl start docker mistake: