vFunction Server installation fails because the vFunction Docker Network cannot be created



Overview of the Issue

This issue occurs in the following circumstances:

  1. An organization installs Docker on a Linux VM for the vFunction Server
  2. A workflow on the Linux VM prevents Docker from creating its default IPTables rules
  3. The organization downloads the vFunction Server Installation TGZ
  4. The organization modifies the vFunction configurable settings
  5. When running the vFunction Installation Script, the installation fails with the following errors:
Creating dedicated network "vfunction"...
Error response from daemon: network vfunction not found
Using network vfunction with gateway <ipAddress>
Error response from daemon: network vfunction not found

Installing fluentd...
Error response from daemon: network vfunction not found
Pulling image vfunction-fluentd-alpine:<version>...
v<version>: Pulling from vfunction/vfunction-fluentd-alpine
Digest: sha256:<id>
Status: Image is up to date for vfunction/vfunction-fluentd-alpine:v<version>
docker.io/vfunction/vfunction-fluentd-alpine:v<version>
Running docker with command: docker run --name vfunction-fluentd -e VFUNCTION_FQDN=<fqdn> -e ORG=<org> -e IMAGE_VERSION=v<version> -v /var/log/vfunction:/var/log/vfunction -p 24224:24224 -p 9880:9880 --restart=unless-stopped --user 1500:1500 --security-opt no-new-privileges --cap-drop=all -d vfunction/vfunction-fluentd-alpine:v<version>
<id>
docker: Error response from daemon: driver failed programming external connectivity on endpoint vfunction-fluentd (<id>):  (iptables failed: iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d <ip> --dport 24224 -j ACCEPT: iptables: No chain/target/match by that name.


The following steps can be used to resolve this issue:

  1. Remove any vFunction containers, networks and volumes that may have been partially installed and could prevent the install.sh script from continuing on later runs:
docker stop vfunction-monit
systemctl restart docker
docker rm $(docker ps -a -f "name=vfunction" -q)
docker network rm vfunction
docker volume rm mysql_vol vfapi_measurements_storage_vol
  2. Identify the workflow that is preventing Docker from writing entries to IPTables
  3. Disable the workflow or manually enter the following exceptions for Docker:
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N Docker
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
  4. If adding exceptions, add the following exceptions for vFunction:
-A FORWARD -o vfunction -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o vfunction -j DOCKER
-A FORWARD -i vfunction ! -o vfunction -j ACCEPT
-A FORWARD -i vfunction -o vfunction -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i vfunction -o vfunction -p tcp -m tcp --dport 2812 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 24224 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9880 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i vfunction -o vfunction -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.18.0.4/32 ! -i vfunction -o vfunction -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i vfunction -o vfunction -p tcp -m tcp --dport 8004 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i vfunction -o vfunction -p tcp -m tcp --dport 8001 -j ACCEPT
-A DOCKER -d 172.18.0.7/32 ! -i vfunction -o vfunction -p tcp -m tcp --dport 8005 -j ACCEPT
-A DOCKER -d 172.18.0.8/32 ! -i vfunction -o vfunction -p tcp -m tcp --dport 8003 -j ACCEPT
-A DOCKER -d 172.18.0.9/32 ! -i vfunction -o vfunction -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER -d 172.18.0.9/32 ! -i vfunction -o vfunction -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i vfunction ! -o vfunction -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-2 -o vfunction -j DROP
  5. Run the install.sh script again to install the vFunction Server
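
A pre-flight check to run before install.sh, added here as an example (not vFunction's or Docker's code): it compares iptables -S output with the DOCKER chain, FORWARD and isolation rules from the lists above for one bridge interface and prints the rules that are still missing. The function names and the sample input are constructed for illustration; the per-container -A DOCKER -d <ip> rules are not checked because their addresses depend on the install.

```sh
#!/bin/sh
# Added example (not vFunction's code): list which of the Docker filter-table
# rules from this page are absent, so install.sh is re-run only once they exist.

# Print the rules Docker needs for one bridge ($1, default docker0).
required_docker_rules() {
    b="${1:-docker0}"
    cat <<EOF
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o $b -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o $b -j DOCKER
-A FORWARD -i $b ! -o $b -j ACCEPT
-A FORWARD -i $b -o $b -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i $b ! -o $b -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o $b -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
EOF
}

# Read `iptables -S` output on stdin; print each required rule that is missing.
# Whole-line fixed-string matching keeps "-N DOCKER-USER" from satisfying
# the check for "-N DOCKER".
missing_docker_rules() {
    have=$(sed 's/[[:space:]]*$//')    # drop trailing whitespace before comparing
    required_docker_rules "${1:-docker0}" | while IFS= read -r rule; do
        printf '%s\n' "$have" | grep -Fxq -e "$rule" || printf '%s\n' "$rule"
    done
}

# Constructed sample: filter table after a firewall reload removed Docker's chains.
SAMPLE_FLUSHED='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN'

printf '%s\n' "$SAMPLE_FLUSHED" | missing_docker_rules docker0
# On a live host (as root): iptables -S | missing_docker_rules vfunction
```

Empty output means every listed rule is present for that bridge.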