Description
- Rootless
- `userland-proxy=false`
- `br_netfilter` kernel module unloaded
This combination fails, but the error could be just a warning, probably:
```
error creating default "bridge" network: cannot restrict inter-container communication or run without the userland proxy: stat /proc/sys/net/bridge/bridge-nf-call-iptables: no such file or directory: set environment variable DOCKER_IGNORE_BR_NETFILTER_ERROR=1 to ignore
```
Inter-container communication and port forwarding seem to work fine with `DOCKER_IGNORE_BR_NETFILTER_ERROR=1`.
Reproduce
- Make sure that `lsmod` doesn't contain `br_netfilter`
- `dockerd-rootless.sh --userland-proxy=false` fails with the following error:
```
$ dockerd-rootless.sh --userland-proxy=false
[...]
WARN[2026-04-03T20:41:00.703090246+09:00] could not create bridge network for id 350d72f18df79ca67ed3ab726d7ae847cd9891da2df1e36991876acf91798565 bridge name docker0 while booting up from persistent state: cannot restrict inter-container communication or run without the userland proxy: stat /proc/sys/net/bridge/bridge-nf-call-iptables: no such file or directory: set environment variable DOCKER_IGNORE_BR_NETFILTER_ERROR=1 to ignore
INFO[2026-04-03T20:41:00.708609550+09:00] stopping event stream following graceful shutdown error="<nil>" module=libcontainerd namespace=moby
INFO[2026-04-03T20:41:00.708719936+09:00] stopping healthcheck following graceful shutdown module=libcontainerd
INFO[2026-04-03T20:41:00.708734114+09:00] stopping event stream following graceful shutdown error="context canceled" module=libcontainerd namespace=plugins.moby
INFO[2026-04-03T20:41:01.710803603+09:00] Daemon shutdown complete error="failed to start daemon: Error initializing network controller: error creating default \"bridge\" network: cannot restrict inter-container communication or run without the userland proxy: stat /proc/sys/net/bridge/bridge-nf-call-iptables: no such file or directory: set environment variable DOCKER_IGNORE_BR_NETFILTER_ERROR=1 to ignore"
failed to start daemon: Error initializing network controller: error creating default "bridge" network: cannot restrict inter-container communication or run without the userland proxy: stat /proc/sys/net/bridge/bridge-nf-call-iptables: no such file or directory: set environment variable DOCKER_IGNORE_BR_NETFILTER_ERROR=1 to ignore
[rootlesskit:child ] error: command [/usr/bin/dockerd-rootless.sh --userland-proxy=false] exited: exit status 1
[rootlesskit:parent] error: child exited: exit status 1
```
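As an added example (not code from this issue or from Moby), a POSIX sh preflight check for the combination reproduced above: it stats the same sysctl the error message names, reports whether `dockerd-rootless.sh --userland-proxy=false` will hard-fail, and prints the two ways forward. The optional PREFIX argument is an assumed helper parameter (not a Docker option) so the check can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from the issue or the Moby project.
#
# With the userland proxy disabled, Docker relies on iptables to restrict
# inter-container traffic and to forward published ports, and bridged frames
# only traverse iptables when br_netfilter is loaded and
# net.bridge.bridge-nf-call-iptables=1. The daemon therefore stats that sysctl
# and refuses to start without it. DOCKER_IGNORE_BR_NETFILTER_ERROR=1 skips
# the check; iptables-based inter-container restrictions are then not applied
# to traffic that stays on the bridge.

# check_br_netfilter [PREFIX]
# PREFIX (assumed helper argument) is prepended to the sysctl path so the
# function can be tested on a constructed tree instead of the live /proc.
# Returns 0 if the sysctl exists and is 1, 1 if missing, 2 if present but 0.
check_br_netfilter() {
    knob="${1:-}/proc/sys/net/bridge/bridge-nf-call-iptables"
    if [ ! -e "$knob" ]; then
        echo "missing: $knob (br_netfilter module not loaded)"
        return 1
    fi
    value=$(cat "$knob")
    if [ "$value" != "1" ]; then
        echo "disabled: $knob=$value"
        return 2
    fi
    echo "ok: $knob=1"
    return 0
}

# plan_rootless_start [PREFIX]
# Prints the command line appropriate for the current state.
plan_rootless_start() {
    if check_br_netfilter "${1:-}" >/dev/null; then
        echo "dockerd-rootless.sh --userland-proxy=false"
    else
        # Load the module (needs root on the host), or explicitly accept that
        # bridge traffic bypasses the iptables rules and set the env var.
        echo "modprobe br_netfilter  # or: DOCKER_IGNORE_BR_NETFILTER_ERROR=1 dockerd-rootless.sh --userland-proxy=false"
    fi
}

# Check the real host when this file is executed directly.
if [ "${0##*/}" = "check_br_netfilter.sh" ]; then
    check_br_netfilter
    plan_rootless_start
fi
```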
Expected behavior
It shouldn't hard-fail
docker version
```
Client: Docker Engine - Community
 Version:           29.3.1
 API version:       1.54
 Go version:        go1.25.8
 Git commit:        c2be9cc
 Built:             Wed Mar 25 16:16:48 2026
 OS/Arch:           linux/arm64
 Context:           rootless

Server: Docker Engine - Community
 Engine:
  Version:          29.3.1
  API version:      1.54 (minimum version 1.40)
  Go version:       go1.25.8
  Git commit:       f78c987
  Built:            Wed Mar 25 16:16:48 2026
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          v2.2.2
  GitCommit:        301b2dac98f15c27117da5c8af12118a041a31d9
 runc:
  Version:          1.3.4
  GitCommit:        v1.3.4-0-gd6d73eb8
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
 rootlesskit:
  Version:          2.3.6
  ApiVersion:       1.1.1
  NetworkDriver:    slirp4netns
  PortDriver:       builtin
  StateDir:         /run/user/501/dockerd-rootless
 slirp4netns:
  Version:          1.2.1
  GitCommit:        09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
```
docker info
```
Client: Docker Engine - Community
 Version:    29.3.1
 Context:    rootless
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.33.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v5.1.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose
  model: Docker Model Runner (Docker Inc.)
    Version:  v1.1.29
    Path:     /usr/libexec/docker/cli-plugins/docker-model

Server:
 Containers: 1
  Running: 0
  Paused: 0
  Stopped: 1
 Images: 2
 Server Version: 29.3.1
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
  /home/suda.guest/.config/cdi
  /run/user/501/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 301b2dac98f15c27117da5c8af12118a041a31d9
 runc version: v1.3.4-0-gd6d73eb8
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  rootless
  cgroupns
 Kernel Version: 6.8.0-101-generic
 Operating System: Ubuntu 24.04.4 LTS
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 3.813GiB
 Name: lima-docker
 ID: 7a6d0b64-bff9-40be-b4b4-b3a7d8f98fb0
 Docker Root Dir: /home/suda.guest/.local/share/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false
 Firewall Backend: iptables
```
Additional Info
The benefit of disabling `userland-proxy` for rootless: with RootlessKit v3.0 (to be released soon), its default `builtin` port driver can now propagate the source IP when `userland-proxy` is disabled: