
iptables command not found in docker-compose container


We have the following docker-compose file:

version: '3'
services:
    prometheus-server:
        image: prom/prometheus
        ports:
            - 9090:9090
        volumes:
            - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml

    grafana-ui:
        privileged: true
        image: grafana/grafana-oss:latest
        ports:
            - 3000:3000
        environment:
            - GF_SECURITY_ADMIN_PASSWORD=secret
        links:
            - prometheus-server:prometheus
        cap_add:
            - NET_RAW
            - NET_ADMIN

However, we get /bin/sh: iptables: not found when we try to run iptables -nvL -t nat through docker exec -it <grafana-ui container id> /bin/sh. Is there anything I am missing? How can I run iptables in the Docker container?

Per the question "Installing iptables in docker container based on alpinelinux", the parameters --cap-add=NET_ADMIN and --cap-add=NET_RAW are added; however, I still failed to run iptables.


Solution

  • /bin/sh: iptables: not found

    This means the grafana/grafana-oss:latest image doesn't include the iptables command by default.

    You could install it with apk add --no-cache iptables ip6tables; see "Running (and debugging) iptables inside a Docker container".

    A quick experiment follows:

    nxa13855@shlava:~$ docker run --entrypoint /bin/bash -idt --cap-add=NET_ADMIN --cap-add=NET_RAW grafana/grafana-oss:latest
    21296933a1d59c45c68c8ab1120b4324b717aea8d220ca070c2c8f21c449e6a5
    nxa13855@shlava:~$ docker ps
    CONTAINER ID   IMAGE                        COMMAND                  CREATED         STATUS         PORTS                    NAMES
    21296933a1d5   grafana/grafana-oss:latest   "/bin/bash"              8 seconds ago   Up 7 seconds   3000/tcp                 awesome_villani
    nxa13855@shlava:~$ docker exec -uroot -it 21296933a1d5 /bin/bash
    bash-5.1# apk add --no-cache iptables ip6tables
    fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
    fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/community/x86_64/APKINDEX.tar.gz
    (1/4) Installing libmnl (1.0.4-r1)
    (2/4) Installing libnftnl-libs (1.2.0-r0)
    (3/4) Installing iptables (1.8.7-r1)
    (4/4) Installing ip6tables (1.8.7-r1)
    Executing busybox-1.33.1-r6.trigger
    Executing glibc-bin-2.30-r0.trigger
    /usr/glibc-compat/sbin/ldconfig: /usr/glibc-compat/lib/ld-linux-x86-64.so.2 is not a symbolic link
    
    OK: 29 MiB in 38 packages
    bash-5.1# iptables -nvL -t nat
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    bash-5.1#
    

    In your case, you may need to write your own Dockerfile that extends grafana/grafana-oss:latest; in that Dockerfile, add apk add --no-cache iptables ip6tables so that your image includes the iptables command by default.

    If it is just for debugging, you could exec directly into the container and install the command just as I did above, but remember to add -uroot when you exec, as that image does not use root by default.
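
The derived-image approach from the answer, written out as a Compose file; this is an added example, not part of the original question or answer. It assumes the image is Alpine-based (as in the transcript above), that the stock image's default user is UID 472, and a Docker Compose version that supports build.dockerfile_inline.

```yaml
# Added example; service names, ports and settings follow the question's file.
services:
    prometheus-server:
        image: prom/prometheus
        ports:
            - 9090:9090
        volumes:
            - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml

    grafana-ui:
        build:
            # Derived image: the stock image plus the iptables tools.
            dockerfile_inline: |
                FROM grafana/grafana-oss:latest
                # apk needs root; the stock image runs as a non-root user.
                USER root
                RUN apk add --no-cache iptables ip6tables
                # Assumption: 472 is the stock image's default UID.
                USER 472
        ports:
            - 3000:3000
        environment:
            - GF_SECURITY_ADMIN_PASSWORD=secret
        links:
            - prometheus-server:prometheus
        # No "privileged: true": these two capabilities were enough in the
        # answer's docker run experiment.
        cap_add:
            - NET_RAW
            - NET_ADMIN
```

Grafana itself keeps running as the unprivileged user, so iptables still has to be invoked as root, for example with docker compose exec -u root grafana-ui iptables -nvL -t nat.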