# Cycloid workers known errors

# Worker iptables issue on Debian 12

This issue is related to Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998716: on some cloud providers, the Debian 12 image is not fully working.

# The error message

This triggers the following Concourse errors:

iptables legacy

error: Exit trace for group: garden exited with error: Exit trace for group: containerd-garden-backend exited with error: setup host network failed: appending accept rule for RELATED & ESTABLISHED connections failed: running [/usr/sbin/ --ctstate RELATED,ESTABLISHED -j ACCEPT --wait]: exit status 1: Warning: Extension conntrack revision 0 not supported, missing kernel module? iptables: No chain/target/match by that name.

new iptables

error: Exit trace for group: garden exited with error: Exit trace for group: containerd-garden-backend exited with error: setup host network failed: appending accept rule for RELATED & ESTABLISHED connections failed: running [/usr/sbin/ --ctstate RELATED,ESTABLISHED -j ACCEPT --wait]: exit status 4: Warning: Extension conntrack revision 0 not supported, missing kernel module? iptables v1.8.9 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain CONCOURSE-OPERATOR

# Identify

Loading the required conntrack kernel module should fail:

```bash
modprobe nf_conntrack
```

# Source of the error

To sum up the issue: the kernel module source code on disk does not match the running kernel. Concourse requires the conntrack kernel module to be loaded. If you try to load this module with `modprobe nf_conntrack`, the following error might appear in the dmesg logs:

```
[57802.094590] missing module BTF, cannot register kfuncs
[58115.134821] BPF:      type_id=25464 bits_offset=0
[58115.138633] BPF:
[58115.144178] BPF: Invalid name
[58115.147384] BPF:
[58115.150361] failed to validate module [nf_conntrack] BTF: -22
```

# Resolution

Update the initrd of your server and reboot. After the reboot, you should be able to load the conntrack kernel module:

```bash
update-initramfs -u
# Then reboot
```

Note: On some distributions, if you still have iptables-related issues, you can also try switching back to iptables legacy using:

```bash
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
```
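
As an added example (not Cycloid or Concourse code), the following POSIX shell helpers match a worker error and dmesg output against the messages quoted on this page and print which step applies. The function names and action labels are hypothetical, and mapping a clean dmesg with the nf_tables backend to the iptables-legacy switch is an assumption based on the note above.

```shell
#!/bin/sh
# Added example: triage for the conntrack / iptables worker failure on Debian 12.

# True when dmesg text ($1) shows the kernel rejecting nf_conntrack's BTF data.
conntrack_btf_failed() {
  printf '%s\n' "$1" | grep -qF 'failed to validate module [nf_conntrack] BTF'
}

# True when a worker error ($1) is the conntrack rule failure quoted on this page.
is_conntrack_rule_error() {
  case "$1" in
    *"Extension conntrack revision 0 not supported"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the iptables backend that produced the worker error ($1).
backend_of_error() {
  case "$1" in
    *"(nf_tables)"*) echo nf_tables ;;
    *"iptables: No chain/target/match by that name"*) echo legacy ;;
    *) echo unknown ;;
  esac
}

# Map both signals to an action label. $1 = dmesg text, $2 = worker error text.
triage() {
  if ! is_conntrack_rule_error "$2"; then
    echo "not-this-issue"
  elif conntrack_btf_failed "$1"; then
    echo "rebuild-initramfs-and-reboot ($(backend_of_error "$2") backend)"
  elif [ "$(backend_of_error "$2")" = nf_tables ]; then
    echo "try-iptables-legacy"
  else
    echo "check-modprobe-nf_conntrack"
  fi
}

# On a real worker: triage "$(dmesg)" "$(cat worker-error.txt)"  (file name is hypothetical)

# Constructed samples, abbreviated from the messages quoted on this page.
SAMPLE_DMESG='[58115.147384] BPF:
[58115.150361] failed to validate module [nf_conntrack] BTF: -22'
SAMPLE_NFT='Warning: Extension conntrack revision 0 not supported, missing kernel module? iptables v1.8.9 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain CONCOURSE-OPERATOR'
SAMPLE_LEGACY='Warning: Extension conntrack revision 0 not supported, missing kernel module? iptables: No chain/target/match by that name.'

triage "$SAMPLE_DMESG" "$SAMPLE_NFT"
triage "" "$SAMPLE_LEGACY"
```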