Error response from daemon: Failed to program NAT chain: COMMAND_FAILED: 'python-nftables' failed

  • When I start a docker compose file I get the error:

    "Error response from daemon: Failed to program NAT chain: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory"

    My architecture is Debian 11 / OMV6.

    Any idea how to fix this?

  • Show your docker setup? Did you also tick the docker box on omv-extras?

  • Thanks for the reply. Adding "data setting" did not do the job.

    FYI I am appending the output of systemctl status docker.service:


    docker.service - Docker Application Container Engine

    Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)

    Drop-In: /etc/systemd/system/docker.service.d

    └─waitAllMounts.conf

    Active: active (running) since Sun 2024-02-18 20:32:05 CET; 15h ago

    TriggeredBy: ● docker.socket

    Docs: https://docs.docker.com

    Main PID: 3091 (dockerd)

    Tasks: 12

    Memory: 133.1M

    CGroup: /system.slice/docker.service

    └─3091 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock


    Feb 18 20:28:32 wdmch dockerd[3091]: time="2024-02-18T20:28:32.580311535+01:00" level=info msg="Loading containers: done."

    Feb 18 20:28:32 wdmch dockerd[3091]: time="2024-02-18T20:28:32.987832418+01:00" level=info msg="Docker daemon" commit=f417435 containerd-snapshotter=false storage-driver=overlay2 version=25.0.3

    Feb 18 20:28:33 wdmch dockerd[3091]: time="2024-02-18T20:28:33.134241060+01:00" level=info msg="Daemon has completed initialization"

    Feb 18 20:32:05 wdmch dockerd[3091]: time="2024-02-18T20:32:05.527602601+01:00" level=info msg="API listen on /run/docker.sock"

    Feb 18 20:32:05 wdmch systemd[1]: Started Docker Application Container Engine.

    Feb 19 08:43:16 wdmch dockerd[3091]: time="2024-02-19T08:43:16.682846307+01:00" level=warning msg="reference for unknown type: " digest="sha256:0335a1a22f8c5dd1b697f14f079934f5152eaaa216c09b61e293be285491f8ee" remote="docker.io/tensorchord/pgvecto-rs@sha256:0335a1a22f8c5dd1b697f14f079934f5152eaaa216c09b61e293be285491f8ee" spanID=639c82418c348535 traceID=a7239afe0d2ddad5b08cf2f81a8994b6

    Feb 19 08:43:16 wdmch dockerd[3091]: time="2024-02-19T08:43:16.682846344+01:00" level=warning msg="reference for unknown type: " digest="sha256:afb290a0a0d0b2bd7537b62ebff1eb84d045c757c1c31ca2ca48c79536c0de82" remote="docker.io/library/redis@sha256:afb290a0a0d0b2bd7537b62ebff1eb84d045c757c1c31ca2ca48c79536c0de82" spanID=5d89e385a04679ef traceID=8ceed1fc628bee22ebf2b29eb392cf0f

    Feb 19 08:45:25 wdmch dockerd[3091]: time="2024-02-19T08:45:25.913607706+01:00" level=warning msg="xtables contention detected while running [-t nat -C POSTROUTING -s 172.18.0.0/16 ! -o br-507f4c39422d -j MASQUERADE]: Waited for 2.17 seconds and received \"\""

    Feb 19 08:45:26 wdmch dockerd[3091]: time="2024-02-19T08:45:26.725889196+01:00" level=error msg="Handler for POST /v1.44/networks/create returned error: Failed to program NAT chain: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory\n\ninternal:0:0-0: Error: Could not process rule: No such file or directory\n\ninternal:0:0-0: Error: Could not process rule: No such file or directory\n\ninternal:0:0-0: Error: Could not process rule: No such file or directory\n\ninternal:0:0-0: Error: Could not process rule: No such file or directory\n\ninternal:0:0-0: Error: Could not process rule: No such file or directory\n\ninternal:0:0-0: Error: Could not process rule: No such file or directory\n\ninternal:0:0-0: Error: Could not process rule: No such file or directory\n\n\nJSON blob:\n{\"nftables\": [{\"metainfo\": {\"json_schema_version\": 1}}, {\"insert\": {\"rule\": {\"family\": \"inet\", \"table\": \"firewalld\", \"chain\": \"filter_INPUT_ZONES\", \"expr\": [{\"match\": {\"left\": {\"meta\": {\"key\": \"iifname\"}}, \"op\": \"==\", \"right\": \"br-507f4c39422d\"}}, {\"goto\": {\"target\": \"filter_IN_docker\"}}]}}}, {\"insert\": {\"rule\": {\"family\": \"inet\", \"table\": \"firewalld\", \"chain\": \"filter_FORWARD_OUT_ZONES\", \"expr\": [{\"match\": {\"left\": {\"meta\": {\"key\": \"oifname\"}}, \"op\": \"==\", \"right\": \"br-507f4c39422d\"}}, {\"goto\": {\"target\": \"filter_FWDO_docker\"}}]}}}, {\"insert\": {\"rule\": {\"family\": \"ip\", \"table\": \"firewalld\", \"chain\": \"nat_POSTROUTING_ZONES\", \"expr\": [{\"match\": {\"left\": {\"meta\": {\"key\": \"oifname\"}}, \"op\": \"==\", \"right\": \"br-507f4c39422d\"}}, {\"goto\": {\"target\": \"nat_POST_docker\"}}]}}}, {\"insert\": {\"rule\": {\"family\": \"ip6\", \"table\": \"firewalld\", \"chain\": \"nat_POSTROUTING_ZONES\", \"expr\": [{\"match\": {\"left\": {\"meta\": {\"key\": \"oifname\"}}, \"op\": \"==\", \"right\": \"br-507f4c39422d\"}}, 
{\"goto\": {\"target\": \"nat_POST_docker\"}}]}}}, {\"insert\": {\"rule\": {\"family\": \"inet\", \"table\": \"firewalld\", \"chain\": \"filter_FORWARD_IN_ZONES\", \"expr\": [{\"match\": {\"left\": {\"meta\": {\"key\": \"iifname\"}}, \"op\": \"==\", \"right\": \"br-507f4c39422d\"}}, {\"goto\": {\"target\": \"filter_FWDI_docker\"}}]}}}, {\"insert\": {\"rule\": {\"family\": \"ip\", \"table\": \"firewalld\", \"chain\": \"nat_PREROUTING_ZONES\", \"expr\": [{\"match\": {\"left\": {\"meta\": {\"key\": \"iifname\"}}, \"op\": \"==\", \"right\": \"br-507f4c39422d\"}}, {\"goto\": {\"target\": \"nat_PRE_docker\"}}]}}}, {\"insert\": {\"rule\": {\"family\": \"ip6\", \"table\": \"firewalld\", \"chain\": \"nat_PREROUTING_ZONES\", \"expr\": [{\"match\": {\"left\": {\"meta\": {\"key\": \"iifname\"}}, \"op\": \"==\", \"right\": \"br-507f4c39422d\"}}, {\"goto\": {\"target\": \"nat_PRE_docker\"}}]}}}, {\"insert\": {\"rule\": {\"family\": \"inet\", \"table\": \"firewalld\", \"chain\": \"mangle_PREROUTING_ZONES\", \"expr\": [{\"match\": {\"left\": {\"meta\": {\"key\": \"iifname\"}}, \"op\": \"==\", \"right\": \"br-507f4c39422d\"}}, {\"goto\": {\"target\": \"mangle_PRE_docker\"}}]}}}]}"

    Feb 19 12:23:50 wdmch dockerd[3091]: time="2024-02-19T12:23:50.214567805+01:00" level=error msg="Handler for POST /v1.44/networks/create returned error: Failed to program NAT chain: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory\n\ninternal:0:0-0: Error: Could not process rule: No such file or directory\n\ninternal:0:0-0: Error: Could not process rule: No such file or directory\n\ninternal:0:0-0: Error: Could not process rule: No such file or directory\n\ninternal:0:0-0: Error: Could not process rule: No such file or directory\n\ninternal:0:0-0: Error: Could not process rule: No such file or directory\n\ninternal:0:0-0: Error: Could not process rule: No such file or directory\n\ninternal:0:0-0: Error: Could not process rule: No such file or directory\n\n\nJSON blob:\n{\"nftables\": [{\"metainfo\": {\"json_schema_version\": 1}}, {\"insert\": {\"rule\": {\"family\": \"inet\", \"table\": \"firewalld\", \"chain\": \"filter_INPUT_ZONES\", \"expr\": [{\"match\": {\"left\": {\"meta\": {\"key\": \"iifname\"}}, \"op\": \"==\", \"right\": \"br-8717d569bd95\"}}, {\"goto\": {\"target\": \"filter_IN_docker\"}}]}}}, {\"insert\": {\"rule\": {\"family\": \"inet\", \"table\": \"firewalld\", \"chain\": \"filter_FORWARD_OUT_ZONES\", \"expr\": [{\"match\": {\"left\": {\"meta\": {\"key\": \"oifname\"}}, \"op\": \"==\", \"right\": \"br-8717d569bd95\"}}, {\"goto\": {\"target\": \"filter_FWDO_docker\"}}]}}}, {\"insert\": {\"rule\": {\"family\": \"ip\", \"table\": \"firewalld\", \"chain\": \"nat_POSTROUTING_ZONES\", \"expr\": [{\"match\": {\"left\": {\"meta\": {\"key\": \"oifname\"}}, \"op\": \"==\", \"right\": \"br-8717d569bd95\"}}, {\"goto\": {\"target\": \"nat_POST_docker\"}}]}}}, {\"insert\": {\"rule\": {\"family\": \"ip6\", \"table\": \"firewalld\", \"chain\": \"nat_POSTROUTING_ZONES\", \"expr\": [{\"match\": {\"left\": {\"meta\": {\"key\": \"oifname\"}}, \"op\": \"==\", \"right\": \"br-8717d569bd95\"}}, 
{\"goto\": {\"target\": \"nat_POST_docker\"}}]}}}, {\"insert\": {\"rule\": {\"family\": \"inet\", \"table\": \"firewalld\", \"chain\": \"filter_FORWARD_IN_ZONES\", \"expr\": [{\"match\": {\"left\": {\"meta\": {\"key\": \"iifname\"}}, \"op\": \"==\", \"right\": \"br-8717d569bd95\"}}, {\"goto\": {\"target\": \"filter_FWDI_docker\"}}]}}}, {\"insert\": {\"rule\": {\"family\": \"ip\", \"table\": \"firewalld\", \"chain\": \"nat_PREROUTING_ZONES\", \"expr\": [{\"match\": {\"left\": {\"meta\": {\"key\": \"iifname\"}}, \"op\": \"==\", \"right\": \"br-8717d569bd95\"}}, {\"goto\": {\"target\": \"nat_PRE_docker\"}}]}}}, {\"insert\": {\"rule\": {\"family\": \"ip6\", \"table\": \"firewalld\", \"chain\": \"nat_PREROUTING_ZONES\", \"expr\": [{\"match\": {\"left\": {\"meta\": {\"key\": \"iifname\"}}, \"op\": \"==\", \"right\": \"br-8717d569bd95\"}}, {\"goto\": {\"target\": \"nat_PRE_docker\"}}]}}}, {\"insert\": {\"rule\": {\"family\": \"inet\", \"table\": \"firewalld\", \"chain\": \"mangle_PREROUTING_ZONES\", \"expr\": [{\"match\": {\"left\": {\"meta\": {\"key\": \"iifname\"}}, \"op\": \"==\", \"right\": \"br-8717d569bd95\"}}, {\"goto\": {\"target\": \"mangle_PRE_docker\"}}]}}}]}"


    Any ideas? Thanks!
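
The dockerd error lines in the post above embed the nftables JSON that firewalld tried to apply. As an added example (not part of the thread), this parser pulls that blob out of one such line and lists the table, chain and goto target each failed rule depends on, so they can be compared with what `nft list ruleset` shows; the sample line and the bridge name `br-example0` are constructed.

```python
import json
import re

MSG_RE = re.compile(r'msg="((?:[^"\\]|\\.)*)"')  # logfmt-style quoted msg field

def parse_failed_rules(log_line):
    """Return (error_count, rules); each rule is
    (family, table, chain, interface, goto_target)."""
    m = MSG_RE.search(log_line)
    if not m:
        return 0, []
    msg = json.loads('"' + m.group(1) + '"')  # undo the \" and \n escaping
    head, sep, blob = msg.partition("JSON blob:\n")
    errors = head.count("Could not process rule")
    rules = []
    for cmd in json.loads(blob)["nftables"] if sep else []:
        rule = (cmd.get("insert") or cmd.get("add") or {}).get("rule")
        if not rule:
            continue  # e.g. the leading "metainfo" entry
        iface = target = None
        for expr in rule.get("expr", []):
            if "match" in expr:
                iface = expr["match"]["right"]
            elif "goto" in expr or "jump" in expr:
                target = (expr.get("goto") or expr.get("jump"))["target"]
        rules.append((rule["family"], rule["table"], rule["chain"], iface, target))
    return errors, rules

# Constructed sample in the same shape as the posted line (two rules, made-up bridge).
def _rule(family, chain, key, target):
    return {"insert": {"rule": {
        "family": family, "table": "firewalld", "chain": chain,
        "expr": [{"match": {"left": {"meta": {"key": key}}, "op": "==",
                            "right": "br-example0"}},
                 {"goto": {"target": target}}]}}}

_ERR = "internal:0:0-0: Error: Could not process rule: No such file or directory\n\n"
_BLOB = {"nftables": [{"metainfo": {"json_schema_version": 1}},
                      _rule("inet", "filter_INPUT_ZONES", "iifname", "filter_IN_docker"),
                      _rule("ip", "nat_POSTROUTING_ZONES", "oifname", "nat_POST_docker")]}
SAMPLE = ('time="2024-01-01T00:00:00+01:00" level=error msg='
          + json.dumps("Failed to program NAT chain: COMMAND_FAILED: "
                       "'python-nftables' failed: " + _ERR * 2
                       + "\nJSON blob:\n" + json.dumps(_BLOB)))

if __name__ == "__main__":
    errors, rules = parse_failed_rules(SAMPLE)
    print(f"{errors} rule errors, {len(rules)} rules in blob")
    for family, table, chain, iface, target in rules:
        print(f"{family} {table} {chain}: {iface} -> {target}")
```
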

  • Here also the output from systemctl status firewalld.service:


    ● firewalld.service - firewalld - dynamic firewall daemon

    Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)

    Active: active (running) since Mon 2024-02-19 18:19:46 CET; 8s ago

    Docs: man:firewalld(1)

    Main PID: 7818 (firewalld)

    Tasks: 2 (limit: 1099)

    Memory: 25.3M

    CGroup: /system.slice/firewalld.service

    └─7818 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid


    Feb 19 18:19:44 wdmch systemd[1]: Starting firewalld - dynamic firewall daemon...

    Feb 19 18:19:46 wdmch systemd[1]: Started firewalld - dynamic firewall daemon.

    Feb 19 18:19:46 wdmch firewalld[7818]: WARNING: ipset not usable, disabling ipset usage in firewall.

    Feb 19 18:19:47 wdmch firewalld[7818]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory

  • Dear BlueCoffee,

    Thanks for the hint. But sorry to say, even after de-installing all docker relevant files through the GUI I still get the error for systemctl status firewalld.service:


    ● firewalld.service - firewalld - dynamic firewall daemon

    Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)

    Active: active (running) since Tue 2024-02-20 20:37:53 CET; 8min ago

    Docs: man:firewalld(1)

    Main PID: 2811 (firewalld)

    Tasks: 2 (limit: 1099)

    Memory: 41.5M

    CGroup: /system.slice/firewalld.service

    └─2811 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid


    Feb 20 20:37:48 wdmch systemd[1]: Starting firewalld - dynamic firewall daemon...

    Feb 20 20:37:53 wdmch systemd[1]: Started firewalld - dynamic firewall daemon.

    Feb 20 20:37:53 wdmch firewalld[2811]: WARNING: ipset not usable, disabling ipset usage in firewall.

    Feb 20 20:37:56 wdmch firewalld[2811]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory


    internal:0:0-0: Error: Could not process rule: Numerical result out of range


    also


    iptables -L

    Chain INPUT (policy ACCEPT)

    target prot opt source destination


    Chain FORWARD (policy ACCEPT)

    target prot opt source destination


    Chain OUTPUT (policy ACCEPT)

    target prot opt source destination



    Seems to be a firewall issue and not at all related to docker.

    Do you have an idea?

  • Dear BlueCoffee,


    Sorry for not being more clear. I am trying to get a docker running following the brilliant guidance. However, I already fail to get what is most probably the simplest docker, "hello world", up and running: I get the error "Error response from daemon: Failed to program NAT chain: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory".


    I run OMV6 on Debian 11, aarch64.


    Thanks!

  • Here you go:


    hello.yml

    ----------------------------------------------------

    services:
      hello_world:
        image: hello-world

    ----------------------------------------------------


    Error message (truncated):


    ----------------------------------------------------------


    Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C.UTF-8; export LANGUAGE=; docker compose --file '/srv/dev-disk-by-uuid-02054f28-6a37-b05b-8105-af0cd39cd60e/docker_appdata/hello/hello.yml' --env-file '/srv/dev-disk-by-uuid-02054f28-6a37-b05b-8105-af0cd39cd60e/docker_appdata/hello/hello.env' --env-file '/srv/dev-disk-by-uuid-02054f28-6a37-b05b-8105-af0cd39cd60e/docker_appdata/global.env' up -d 2>&1': Network hello_default Creating

    Network hello_default Error

    failed to create network hello_default: Error response from daemon: Failed to program NAT chain: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory

    -----------------------------------------------------------

  • That is not the docker yaml. Again, you need to read the Docs!

  • Dear BlueCoffee,


    I am sorry to say, but even after studying the Docs I was not able to find the solution for the 'python-nftables' problem.

    I am able to run Plex in the docker container, it is running like a charm.

    For other applications, I however keep on getting the error:


    "Network pigallery_default Error

    failed to create network pigallery_default: Error response from daemon: Failed to program NAT chain: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory"


    Here is the compose file, which results in the above error:

    ---------------------------------------------------------------------

    version: '3.9'
    services:
      pigallery2:
        image: bpatrik/pigallery2:latest
        container_name: pigallery2
        environment:
          - PUID=$PUID
          - PGID=$PGID
          - TZ=$TZ
          - NODE_ENV=production # set to 'debug' for full debug logging
        volumes:
          - $HOME/config:/app/data/config # CHANGE ME
          - $HOME/db-data:/app/data/db
          - /srv/dev-disk-by-uuid-02054f28-6a37-b05b-8105-af0cd39cd60e/Shared/Photos:/app/data/images:ro # CHANGE ME, ':ro' means read-only
          - $HOME/tmp:/app/data/tmp # CHANGE ME
        ports:
          - 8222:8022
        restart: always

    -------------------------------------------------------------------------------
