Hello!
I just followed the install instructions to install sysbox with Docker, and I'm hitting the following problem: when running registry.nestybox.com/nestybox/ubuntu-bionic-systemd-docker, the docker service (inside the docker container) fails with this:
root@my_cont:~# journalctl -eu docker
-- Logs begin at Wed 2026-05-06 08:22:44 UTC, end at Wed 2026-05-06 08:25:38 UTC. --
May 06 08:22:45 my_cont dockerd[577]: time="2026-05-06T08:22:45.167205832Z" level=info msg="Starting up"
May 06 08:22:45 my_cont dockerd[577]: time="2026-05-06T08:22:45.192943396Z" level=info msg="parsed scheme: \"unix\"" module=grpc
May 06 08:22:45 my_cont dockerd[577]: time="2026-05-06T08:22:45.192954691Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
May 06 08:22:45 my_cont dockerd[577]: time="2026-05-06T08:22:45.192966310Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///run/containerd/containerd.sock <nil> 0 <nil>
}] <nil> <nil>}" module=grpc
May 06 08:22:45 my_cont dockerd[577]: time="2026-05-06T08:22:45.192970697Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
May 06 08:22:45 my_cont dockerd[577]: time="2026-05-06T08:22:45.193940651Z" level=info msg="parsed scheme: \"unix\"" module=grpc
May 06 08:22:45 my_cont dockerd[577]: time="2026-05-06T08:22:45.193950601Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
May 06 08:22:45 my_cont dockerd[577]: time="2026-05-06T08:22:45.193959828Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///run/containerd/containerd.sock <nil> 0 <nil>
}] <nil> <nil>}" module=grpc
May 06 08:22:45 my_cont dockerd[577]: time="2026-05-06T08:22:45.193965566Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
May 06 08:22:45 my_cont dockerd[577]: time="2026-05-06T08:22:45.237537357Z" level=info msg="Loading containers: start."
May 06 08:22:45 my_cont dockerd[577]: time="2026-05-06T08:22:45.247172857Z" level=warning msg="Running modprobe bridge br_netfilter failed with message: modprobe: ERROR: could not insert 'b
r_netfilter': Operation not permitted\ninsmod /lib/modules/7.0.3-1-cachyos/kernel/net/bridge/br_netfilter.ko.zst \n, error: exit status 1"
May 06 08:22:45 my_cont dockerd[577]: time="2026-05-06T08:22:45.262006175Z" level=warning msg="Running iptables --wait -t nat -L -n failed with message: `modprobe: ERROR: could not insert '
ip_tables': Operation not permitted\niptables v1.6.1: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)\nPerhaps iptables or your kernel needs to be upgra
ded.`, error: exit status 3"
May 06 08:22:45 my_cont dockerd[577]: time="2026-05-06T08:22:45.396851876Z" level=info msg="stopping event stream following graceful shutdown" error="<nil>" module=libcontainerd namespace=m
oby
May 06 08:22:45 my_cont dockerd[577]: failed to start daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain DOCKER: iptables failed:
iptables -t nat -N DOCKER: modprobe: ERROR: could not insert 'ip_tables': Operation not permitted
May 06 08:22:45 my_cont dockerd[577]: iptables v1.6.1: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
May 06 08:22:45 my_cont dockerd[577]: Perhaps iptables or your kernel needs to be upgraded.
May 06 08:22:45 my_cont dockerd[577]: (exit status 3)
May 06 08:22:45 my_cont systemd[1]: Failed to start Docker Application Container Engine.
May 06 08:22:47 my_cont dockerd[878]: time="2026-05-06T08:22:47.604683928Z" level=info msg="Starting up"
May 06 08:22:47 my_cont dockerd[878]: time="2026-05-06T08:22:47.618128170Z" level=info msg="parsed scheme: \"unix\"" module=grpc
May 06 08:22:47 my_cont dockerd[878]: time="2026-05-06T08:22:47.618144379Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
May 06 08:22:47 my_cont dockerd[878]: time="2026-05-06T08:22:47.618163034Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///run/containerd/containerd.sock <nil> 0 <nil>
}] <nil> <nil>}" module=grpc
May 06 08:22:47 my_cont dockerd[878]: time="2026-05-06T08:22:47.618172872Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
May 06 08:22:47 my_cont dockerd[878]: time="2026-05-06T08:22:47.618715538Z" level=info msg="parsed scheme: \"unix\"" module=grpc
May 06 08:22:47 my_cont dockerd[878]: time="2026-05-06T08:22:47.618726581Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
May 06 08:22:47 my_cont dockerd[878]: time="2026-05-06T08:22:47.618737173Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///run/containerd/containerd.sock <nil> 0 <nil>
}] <nil> <nil>}" module=grpc
May 06 08:22:47 my_cont dockerd[878]: time="2026-05-06T08:22:47.618744792Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
May 06 08:22:47 my_cont dockerd[878]: time="2026-05-06T08:22:47.644961685Z" level=info msg="Loading containers: start."
May 06 08:22:47 my_cont dockerd[878]: time="2026-05-06T08:22:47.650014020Z" level=warning msg="Running modprobe bridge br_netfilter failed with message: modprobe: ERROR: could not insert 'b
r_netfilter': Operation not permitted\ninsmod /lib/modules/7.0.3-1-cachyos/kernel/net/bridge/br_netfilter.ko.zst \n, error: exit status 1"
May 06 08:22:47 my_cont dockerd[878]: time="2026-05-06T08:22:47.655865991Z" level=warning msg="Running iptables --wait -t nat -L -n failed with message: `modprobe: ERROR: could not insert '
ip_tables': Operation not permitted\niptables v1.6.1: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)\nPerhaps iptables or your kernel needs to be upgra
ded.`, error: exit status 3"
May 06 08:22:47 my_cont dockerd[878]: time="2026-05-06T08:22:47.796863203Z" level=info msg="stopping event stream following graceful shutdown" error="<nil>" module=libcontainerd namespace=m
oby
root@my_cont:~# iptables -L
modprobe: ERROR: could not insert 'ip_tables': Operation not permitted
iptables v1.6.1: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
How can I run Docker inside sysbox?
I am using Docker 29.4.2 on Linux 7.0.3-1-cachyos and sysbox 0.6.7.