CNI plugins: firewall / iptables failure (seen on CI)

[apostasie]

Description

?

=== RUN   TestIssue2993/Issue_#2993_-_nerdctl_no_longer_leaks_containers_and_etchosts_directories_and_files_when_containers_are_removed.
=== PAUSE TestIssue2993/Issue_#2993_-_nerdctl_no_longer_leaks_containers_and_etchosts_directories_and_files_when_containers_are_removed.
=== CONT  TestIssue2993/Issue_#2993_-_nerdctl_no_longer_leaks_containers_and_etchosts_directories_and_files_when_containers_are_removed.
    container_create_linux_test.go:305: ======================== Pre-test cleanup ========================
    command.go:112: /usr/local/bin/nerdctl --namespace=nerdctl-test --data-root /tmp/TestIssue2993Issue_#2993_-_nerdctl_no_longer_leaks_containers_and_etchosts_directories_and_files_when_containers_are_removed.39[502](https://github.com/containerd/nerdctl/actions/runs/11229452200/job/31215023669?pr=3517#step:6:503)85910/001 rm -f testissue2993-issue-2993-nerdctl-no-longer-leaks-containers-and-etc-e5720a82
    container_create_linux_test.go:305: ======================== Test setup ========================
    command.go:112: /usr/local/bin/nerdctl --namespace=nerdctl-test run --data-root /tmp/TestIssue2993Issue_#2993_-_nerdctl_no_longer_leaks_containers_and_etchosts_directories_and_files_when_containers_are_removed.3950285910/001 --name testissue2993-issue-2993-nerdctl-no-longer-leaks-containers-and-etc-e5720a82 -d ghcr.io/stargz-containers/alpine:3.13-org sleep infinity
    command.go:112: assertion failed: expect.ExitCode is not result.ExitCode: Expected exit code: 0
        
        Command:  /usr/local/bin/nerdctl --namespace=nerdctl-test run --data-root /tmp/TestIssue2993Issue_#2993_-_nerdctl_no_longer_leaks_containers_and_etchosts_directories_and_files_when_containers_are_removed.3950285910/001 --name testissue2993-issue-2993-nerdctl-no-longer-leaks-containers-and-etc-e5720a82 -d ghcr.io/stargz-containers/alpine:3.13-org sleep infinity
        ExitCode: 1
        Error:    exit status 1
        Stdout:   
        Stderr:   time="2024-10-08T06:03:38Z" level=fatal msg="failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error running hook #0: error running hook: exit status 1, stdout: , stderr: time=\"2024-10-08T06:03:38Z\" level=fatal msg=\"failed to call cni.Setup: plugin type=\\\"firewall\\\" failed (add): running [/usr/sbin/iptables -t filter -N CNI-FORWARD --wait]: exit status 4: iptables v1.8.10 (nf_tables):  CHAIN_USER_ADD failed (File exists): chain CNI-FORWARD\\n\": unknown"
        
        Env:
        HOSTNAME=47ad67bf5a9f
        MEMORY_PRESSURE_WRITE=c29tZSAyMDAwMDAgMjAwMDAwMAA=
        SYSTEMD_EXEC_PID=80
        container=docker
        HOME=/root
        LANG=C.UTF-8
        MEMORY_PRESSURE_WATCH=/sys/fs/cgroup/system.slice/docker-entrypoint.service/memory.pressure
        INVOCATION_ID=564e223b0f6745cab3beba6a101faf41
        TERM=xterm
        USER=root
        SHLVL=3
        CGO_ENABLED=0
        _=/usr/local/bin/gotestsum
        PATH=/usr/local/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
        ***
        DOCKER_CONFIG=/tmp/TestIssue2993Issue_#2993_-_nerdctl_no_longer_leaks_containers_and_etchosts_directories_and_files_when_containers_are_removed.3950285910/001
        NERDCTL_TOML=/tmp/TestIssue2993Issue_#2993_-_nerdctl_no_longer_leaks_containers_and_etchosts_directories_and_files_when_containers_are_removed.3950285910/001/nerdctl.toml
    case.go:164: ======================== Post-test cleanup ========================
    command.go:112: /usr/local/bin/nerdctl --namespace=nerdctl-test --data-root /tmp/TestIssue2993Issue_#2993_-_nerdctl_no_longer_leaks_containers_and_etchosts_directories_and_files_when_containers_are_removed.3950285910/001 rm -f testissue2993-issue-2993-nerdctl-no-longer-leaks-containers-and-etc-e5720a82
--- FAIL: TestIssue2993/Issue_#2993_-_nerdctl_no_longer_leaks_containers_and_etchosts_directories_and_files_when_containers_are_removed. (0.48s)
FAIL cmd/nerdctl/container.TestIssue2993/Issue_#2993_-_nerdctl_no_longer_leaks_containers_and_etchosts_directories_and_files_when_containers_are_removed. (0.48s)
=== RUN   TestIssue2993
=== PAUSE TestIssue2993
=== CONT  TestIssue2993
    container_create_linux_test.go:305: ======================== Pre-test cleanup ========================
    container_create_linux_test.go:305: ======================== Test setup ========================
    container_create_linux_test.go:305: ======================== Test Run ========================
    container_create_linux_test.go:305: ======================== Processing subtests ========================
    case.go:164: ======================== Post-test cleanup ========================
--- FAIL: TestIssue2993 (0.00s)

Steps to reproduce the issue

No response

Describe the results you received and expected

na

What version of nerdctl are you using?

main

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None

Host information

No response

[apostasie]

Relevant part is of course:

"failed to call cni.Setup: plugin type=\"firewall\" failed (add): running [/usr/sbin/iptables -t filter -N CNI-FORWARD --wait]: exit status 4: iptables v1.8.10 (nf_tables): CHAIN_USER_ADD failed (File exists): chain CNI-FORWARD\n": unknown"

[apostasie]

Maybe is a variant of #2908 ...

[apostasie]

Closing - as #3522 locking will prevent this.