碧海长天

【解决】docker启动报错：Running modprobe xt_conntrack failed with message: `modprobe: ERROR: could not insert 'xt_conntrack'......

2019-5-9

昨天给一台新机器装安装docker，但报错了，解决了一整天也没有头绪。今天起了个大早，破天荒的吃了早饭，然后继续解决。终于找到了问题。


报错详情：

ocker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since 四 2019-05-09 10:00:57 CST; 5s ago
     Docs: http://docs.docker.com
  Process: 1489 ExecStart=/usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docker-runc --exec-opt native.cgroupdriver=systemd --userland-proxy-path=/usr/libexec/docker/docker-proxy-current --init-path=/usr/libexec/docker/docker-init-current --seccomp-profile=/etc/docker/seccomp.json $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_NETWORK_OPTIONS $ADD_REGISTRY $BLOCK_REGISTRY $INSECURE_REGISTRY $REGISTRIES (code=exited, status=1/FAILURE)
 Main PID: 1489 (code=exited, status=1/FAILURE)

5月 09 10:00:56 VM_27_128_centos dockerd-current[1489]: time="2019-05-09T10:00:56.906755492+08:00" level=info msg="Loading containers: start."
5月 09 10:00:56 VM_27_128_centos dockerd-current[1489]: time="2019-05-09T10:00:56.949712004+08:00" level=warning msg="Running modprobe xt_conntrack failed with message: `modprobe: ERROR: could not insert 'xt_conntrack': Unknown symbol in module, or unknown parameter (see dmesg)\ninstall /bin/true \ninsmod /lib/modules/3.10.0-862.3.2.el7.x86_64/kernel/net/netfilter/xt_conntrack.ko.xz`, error: exit status 1"
5月 09 10:00:56 VM_27_128_centos dockerd-current[1489]: time="2019-05-09T10:00:56.951789512+08:00" level=info msg="Firewalld running: false"
5月 09 10:00:57 VM_27_128_centos dockerd-current[1489]: Error starting daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain: iptables failed: iptables --wait -t nat -N DOCKER: iptables v1.4.21: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
5月 09 10:00:57 VM_27_128_centos dockerd-current[1489]: Perhaps iptables or your kernel needs to be upgraded.
5月 09 10:00:57 VM_27_128_centos dockerd-current[1489]: (exit status 3)
5月 09 10:00:57 VM_27_128_centos systemd[1]: docker.service: main process exited, code=exited, status=1/FAILURE
5月 09 10:00:57 VM_27_128_centos systemd[1]: Failed to start Docker Application Container Engine.
5月 09 10:00:57 VM_27_128_centos systemd[1]: Unit docker.service entered failed state.

可以看到有一行 Running modprobe xt_conntrack failed with message: `modprobe: ERROR: could not insert 'xt_conntrack'
这一行出现的原因很可能是  xt_conntrack 模块被加入了黑名单。
解决方法：
第一步：
打开/etc/modprobe.d/blacklist.conf
可以看到这个黑名单中有以下内容

blacklist chsc_sch
blacklist nf_conntrack
blacklist nf_conntrack_ipv6
blacklist xt_conntrack
blacklist nf_conntrack_ftp
blacklist xt_state
blacklist iptable_nat
blacklist ipt_REDIRECT
blacklist nf_nat
blacklist nf_conntrack_ipv4

将 xt_conntrack 至 nf_conntrack_ipv4的都注释掉。
第二步：
打开/etc/modprobe.d/connectiontracking.conf

install nf_nat /bin/true
install xt_state  /bin/true
install iptable_nat /bin/true
install nf_conntrack /bin/true
install nf_defrag_ipv4   /bin/true
install nf_conntrack_ipv4 /bin/true
install nf_conntrack_ipv6  /bin/true

这里的含义是如果发生install xxx的行为，跳过加载过程直接返回install /bin/true，所以也起到了加载模块屏蔽的作用。解决办法为将文件的后缀名进行修改，此处将其重命名为connectiontracking.conf.old使其失效（或将文件内容全部加上注释）

然后 重启你的docker吧～
systemctl start docker.service

启动成功～
感谢 https://bluesmilery.github.io/blogs/252e6902 

标签: docker