#Rocky Linux: CNI setup error

Hello.
The dagger engine 0.9.3 does not start on my Rocky Linux 9.2 server with Docker version 24.0.6.
The Rocky Linux only supports nftables and no iptables.
I got an CNI setup error
Here is a part of the dagger engine docker container logs:

time="2023-11-15T09:36:23Z" level=warning msg="failed to release network namespace \"wcldidz72fhka27r8r8o8hdmz\" left over from previous run: plugin type=\"loopback\" failed (delete): unknown FS magic on \"/var/lib/dagger/net/cni/wcldidz72fhka27r8r8o8hdmz\": ef53"
buildkitd: plugin type="bridge" failed (add): failed to list chains: running [/sbin/iptables -t nat -S --wait]: exit status 3: iptables v1.8.9 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

CNI setup error
github.com/moby/buildkit/util/network/cniprovider.(*cniProvider).newNS
    /go/pkg/mod/github.com/moby/buildkit@v0.13.0-beta1.0.20231011161957-86e25b3ad8c2/util/network/cniprovider/cni.go:248

Any ideas? Thanks!

Thanks @gusty dove . This is a perfect candidate for a GitHub issue.

hey @gusty dove ! this has come up in the past. I'm not familiarized with rocky linux, but can you do a quick check to see if you have / can load the iptables_nat kernel module and try again?
modprobe iptable_nat

Thanks. I'll check the iptables.

I looked at this a little and here's what I found on containerized Rocky 9.2

docker run -it --rm rockylinux:9.2 bash
yum install kmod

[root@1fd99060bd07 /]# modprobe iptable_nat
modprobe: FATAL: Module iptable_nat not found in directory /lib/modules/5.15.49-linuxkit-pr

[root@7f8095608e18 local]# modprobe iptable_natmodprobe: FATAL: Module iptable_nat not found in directory /lib/modules/5.15.49-linuxkit-pr

[root@7f8095608e18 local]# findmnt -o PROPAGATION /
PROPAGATION
private,slave

(which needs to be shared for podman to work properly, I think) 👆

containerized is tricky since you're still reusing the underlying kernel to load modules

I do see that we assume/use iptables in various places,
so not sure how we interact with underlying nftables-only OS.
https://github.com/search?q=repo%3Adagger%2Fdagger iptables&type=code
Judging by the outcome below 👇 we require the iptable_nat kernel module to be loaded.

Our Rocky is installed on a vm. We do not run it as container.
But modprobe iptable_nat solved my issue. The engine starts now 👍
Thank you!

Nice!! We have a note to try that in Podman installs here: https://docs.dagger.io/541047/alternative-runtimes/#podman

But we should add a note for Rocky or other nftables-only OS's. Might help.

FWIW this seems to be a broader thing that's affecting multiple containerized projects (https://github.com/search?q=repo%3Amoby%2Fmoby+"kernel+needs+to+be+upgraded"&type=issues) as OSes move from legacy iptables to newer things.