worker with latest docker image - iptables: create-instance-chains: iptables: No chain/target/match by that name about concourse-docker HOT 8 OPEN

Had the same problem and after some debugging I could fix it for me by building the netfilter comment match module on the host system.
Activating the following kernel option and compile the module
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
So my problem was the -m comment. Hopefully it can help someone in the future

from concourse-docker.

@avoidik Gentoo and kernel version 5.4.38-gentoo

from concourse-docker.

it has failed on

{
  "timestamp": "1541758414.146682024",
  "source": "guardian",
  "message": "guardian.iptables-runner.command.failed",
  "log_level": 2,
  "data": {
    "argv": [
      "/worker-state/4.2.1/assets/iptables/sbin/iptables",
      "--wait",
      "--table",
      "nat",
      "-A",
      "w--prerouting",
      "--jump",
      "w--instance-pbd2incpuj9",
      "-m",
      "comment",
      "--comment",
      "cdc24ff9-ad25-4fc8-6443-5c5ae9317b35"
    ],
    "error": "exit status 1",
    "exit-status": 1,
    "session": "1.2",
    "stderr": "iptables: No chain/target/match by that name.\n",
    "stdout": "",
    "took": "2.687238ms"
  }
}

from concourse-docker.

solved with docker downgrade

from concourse-docker.

It's not really a fix though. I have the same issue, and I don't plan on downgrading my Docker install.

from concourse-docker.

I agree, given the CVE-2019-5736 downgrade is not an option

from concourse-docker.

@NewJorg what OS, kernel version it was?

from concourse-docker.

I had this issue with Concourse on Kubernetes installed with Helm chart. I was using Arch on the host with kernel 5.4.94-1-lts.
After some experimenting I found that changing worker runtime to containerd solves the issue. Here's excerpt from values.yaml I used:

concourse:
  worker:
    runtime: containerd

from concourse-docker.