Concourse Worker fails to create containers

Question

I am trying to run the concourse worker using a docker image on a gentoo host. When running the docker image of the worker in privileged mode I get:

iptables: create-instance-chains: iptables: No chain/target/match by that name.

My docker-compose file is

version: '3'

services:
  worker:
     image: private-concourse-worker-with-keys
     command: worker
     ports:
     - "7777:7777"
     - "7788:7788"
     - "7799:7799"
     #restart: on-failure
     privileged: true
     environment:
     - CONCOURSE_TSA_HOST=concourse-web-1.dev
     - CONCOURSE_GARDEN_NETWORK

My Dockerfile

FROM concourse/concourse

COPY keys/tsa_host_key.pub /concourse-keys/tsa_host_key.pub
COPY keys/worker_key /concourse-keys/worker_key

Some more errors

worker_1  | {"timestamp":"1526507528.298546791","source":"guardian","message":"guardian.create.containerizer-create.finished","log_level":1,"data":{"handle":"426762cc-b9a8-47b0-711a-8f5ce18ff46c","session":"23.2"}}
worker_1  | {"timestamp":"1526507528.298666477","source":"guardian","message":"guardian.create.containerizer-create.watch.watching","log_level":1,"data":{"handle":"426762cc-b9a8-47b0-711a-8f5ce18ff46c","session":"23.2.4"}}
worker_1  | {"timestamp":"1526507528.303164721","source":"guardian","message":"guardian.create.network.started","log_level":1,"data":{"handle":"426762cc-b9a8-47b0-711a-8f5ce18ff46c","session":"23.5","spec":""}}
worker_1  | {"timestamp":"1526507528.303202152","source":"guardian","message":"guardian.create.network.config-create","log_level":1,"data":{"config":{"ContainerHandle":"426762cc-b9a8-47b0-711a-8f5ce18ff46c","HostIntf":"wbpuf2nmpege-0","ContainerIntf":"wbpuf2nmpege-1","IPTablePrefix":"w--","IPTableInstance":"bpuf2nmpege","BridgeName":"wbrdg-0afe0000","BridgeIP":"x.x.0.1","ContainerIP":"x.x.0.2","ExternalIP":"x.x.0.2","Subnet":{"IP":"x.x.0.0","Mask":"/////A=="},"Mtu":1500,"PluginNameservers":null,"OperatorNameservers":[],"AdditionalNameservers":["x.x.0.2"]},"handle":"426762cc-b9a8-47b0-711a-8f5ce18ff46c","session":"23.5","spec":""}}
worker_1  | {"timestamp":"1526507528.324085236","source":"guardian","message":"guardian.iptables-runner.command.failed","log_level":2,"data":{"argv":["/worker-state/3.6.0/assets/iptables/sbin/iptables","--wait","-A","w--instance-bpuf2nmpege-log","-m","conntrack","--ctstate","NEW,UNTRACKED,INVALID","--protocol","all","--jump","LOG","--log-prefix","426762cc-b9a8-47b0-711a-8f5c ","-m","comment","--comment","426762cc-b9a8-47b0-711a-8f5ce18ff46c"],"error":"exit status 1","exit-status":1,"session":"1.26","stderr":"iptables: No chain/target/match by that name.\n","stdout":"","took":"1.281243ms"}}

Answer 1

You should choose container runtime, I recommend containerd.

You can do with that env CONCOURSE_WORKER_RUNTIME: "containerd"

Answer 2

These are the env which I have used in my docker-compose to make it work:

environment:
  CONCOURSE_POSTGRES_HOST: concourse-db
  CONCOURSE_POSTGRES_USER: concourse_user
  CONCOURSE_POSTGRES_PASSWORD: concourse_pass
  CONCOURSE_POSTGRES_DATABASE: concourse
  CONCOURSE_EXTERNAL_URL: http://localhost:8080
  CONCOURSE_ADD_LOCAL_USER: test:test
  CONCOURSE_MAIN_TEAM_LOCAL_USER: test
  # instead of relying on the default "detect"
  CONCOURSE_WORKER_BAGGAGECLAIM_DRIVER: overlay
  CONCOURSE_CLIENT_SECRET: Y29uY291cnNlLXdlYgo=
  CONCOURSE_TSA_CLIENT_SECRET: Y29uY291cnNlLXdvcmtlcgo=
  CONCOURSE_X_FRAME_OPTIONS: allow
  CONCOURSE_CONTENT_SECURITY_POLICY: "*"
  CONCOURSE_CLUSTER_NAME: tutorial
  CONCOURSE_WORKER_CONTAINERD_DNS_SERVER: "8.8.8.8"
  # For ARM-based machine, change the Concourse runtime to "houdini"
  CONCOURSE_WORKER_RUNTIME: "containerd"

Reference: https://concourse-ci.org/quick-start.html

Answer 3

It turns out it was because we were missing the log kernel module for iptables compiled into our distro.