Chapter 8 Known Issues

The following sections describe known issues in the current release of Oracle Container Runtime for Docker.

8.1 WARNING: bridge-nf-call-iptables is disabled

Warning messages may be displayed by Docker Engine when a user performs some actions, such as running docker info if the system kernel on a host system is configured to disable the net.bridge.bridge-nf-call-iptables and net.bridge.bridge-nf-call-ip6tables options. For example, the user may see an error similar to:

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

This is expected behavior. These settings control whether packets traversing a network bridge are processed by iptables rules on the host system. Typically, enabling these options is not desirable as this can cause guest container traffic to be blocked by iptables rules that are intended for the host. This could cause unpredictable behavior for containers that do not expect traffic to be firewalled at the host level.

If you accept and understand the implications of enabling these options or you have no iptables rules set on the host, you can enable these options to remove the warning messages. To temporarily enable these options:

# sysctl net.bridge.bridge-nf-call-iptables=1
# sysctl net.bridge.bridge-nf-call-ip6tables=1

To make these options permanent, edit /etc/sysctl.conf and add the lines:

net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1

8.2 Starting the Docker Engine with User Namespace Remapping set to default can fail

Starting the Docker Engine with User Namespace Remapping set to default can fail with an error during the creation of the dockremap user. For example:

# dockerd --userns-remap default
Error during "dockremap" user creation: Couldn't create subordinate ID
ranges: Unable to add subuid range to user: "dockremap"; output: usermod:
invalid option -- 'v'
Usage: usermod [options] LOGIN

Creating a manual map file is unaffected by this issue.

8.3 Issue pulling aarch64 images from Oracle Container Registry

There is an issue pulling images for the Arm (aarch64) platform from Oracle Container Registry. The issue is under investigation.

Images for aarch64 are available on Docker Hub and work as expected.