I have an Incus container based on image images:ubuntu/focal/cloud.
ufw was not installed by default in the container so I installed it: sudo apt install ufw
But then when I try to configure ufw (i.e., sudo ufw allow ...), I get the following error:
ERROR: initcaps
[Errno 2] modprobe: FATAL: Module ip6_tables not found in directory /lib/modules/6.8.0-45-generic
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
Any idea what may cause this issue inside the container?
It looks like a case where the kernel module is not loaded on the host, therefore the functionality is not available in the container.
You can load the kernel module on the host and then try again.
If that now works for you, you can set up this container so that when it is started in the future, it will automatically load any required kernel modules.
Actually I cannot find module ip6_tables on the host. In particular, here is the list of files & directories in /lib/modules/6.8.0-45-generic (on the host):
ufw is installed and works fine (in particular, the above bug does not occur)
Container:
when the container image is images:ubuntu/20.04/cloud then the bug occurs
when the container image is images:ubuntu/22.04/cloud then ufw works perfectly fine in the container (no bug)
when the container image is images:ubuntu/24.04/cloud then ufw works perfectly fine in the container (no bug)
I could reproduce the above scenarios both on my personal laptop and on a server.
It seems the kernel modules used by ufw in Ubuntu 20 were different than those used by Ubuntu 22 onwards (at least this is what I understand). And since containers are using the kernel modules of the host, ufw cannot work on Ubuntu 20 containers.
Is my understanding correct? Or is it due to a kernel incompatibility? Is there a workaround (I need Ubuntu 20.04 for one of my apps)?
To get insight on a kernel module, you would run modinfo on the name.
Per this link, the kernel module first appeared in the Linux kernel some time ago.
Here is me launching a container with Ubuntu 20.04, trying to enable the UFW firewall, failing, then doing modprobe ip6_tables, then succeeding.
$ incus launch images:ubuntu/20.04/cloud focal
Launching focal
$ incus exec focal -- su -l ubuntu
ubuntu@focal:~$ ufw
-bash: ufw: command not found
ubuntu@focal:~$ sudo apt install -y ufw
...
ubuntu@focal:~$ sudo ufw enable
ERROR: initcaps
[Errno 2] modprobe: FATAL: Module ip6_tables not found in directory /lib/modules/6.8.0-45-generic
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ubuntu@focal:~$ logout
$ sudo modprobe ip6_tables
$ incus exec focal -- su -l ubuntu
ubuntu@focal:~$ sudo ufw enable
Firewall is active and enabled on system startup
ubuntu@focal:~$ logout
$
But can we make sure that Incus will load the ip6_tables kernel module when you start those containers that require it? Do the following and that’s it.
incus config set focal linux.kernel_modules ip6_tables
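
As an added example (not part of the thread or of Incus itself), here is the host-side check behind the fix above: it reports which modules a container's firewall needs are neither loaded nor built into the host kernel, and builds the matching comma-separated linux.kernel_modules value. The helper names and the sample /proc/modules and modules.builtin contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: find firewall modules the host has not loaded and build
# the value for the linux.kernel_modules key used in the thread.

# module_state NAME PROC_MODULES MODULES_BUILTIN -> loaded | builtin | unloaded
module_state() (
    # The kernel reports module names with underscores, never hyphens.
    name=$(printf '%s\n' "$1" | sed 's/-/_/g')
    # /proc/modules: the first field of each line is a loaded module's name.
    if awk -v m="$name" '$1 == m { f = 1 } END { exit !f }' "$2"; then
        echo loaded
    # modules.builtin: one path per line, e.g. kernel/net/ipv6/ipv6.ko
    elif sed -e 's|.*/||' -e 's|\.ko$||' -e 's/-/_/g' "$3" | grep -qx -- "$name"; then
        echo builtin
    else
        echo unloaded
    fi
)

# modules_to_load PROC_MODULES MODULES_BUILTIN NAME... -> comma-separated list
modules_to_load() (
    proc=$1 builtin=$2 out=""
    shift 2
    for m in "$@"; do
        if [ "$(module_state "$m" "$proc" "$builtin")" = unloaded ]; then
            out="${out:+$out,}$(printf '%s\n' "$m" | sed 's/-/_/g')"
        fi
    done
    echo "$out"
)

# Constructed sample data (not taken from a real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/proc_modules" <<'EOF'
nf_tables 372736 0 - Live 0x0000000000000000
ip_tables 36864 0 - Live 0x0000000000000000
x_tables 65536 1 ip_tables, Live 0x0000000000000000
EOF
cat > "$SAMPLE_DIR/modules.builtin" <<'EOF'
kernel/net/ipv6/ipv6.ko
kernel/fs/ext4/ext4.ko
EOF

need=$(modules_to_load "$SAMPLE_DIR/proc_modules" "$SAMPLE_DIR/modules.builtin" \
    ip_tables ip6_tables ipv6)
# Print the command instead of running it; "focal" is the container from the thread.
if [ -n "$need" ]; then
    echo "incus config set focal linux.kernel_modules $need"
fi
```

On a real host, pass /proc/modules and /lib/modules/$(uname -r)/modules.builtin in place of the sample files. A module reported as unloaded may still be loadable with modprobe, as ip6_tables was in the session above.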