Run nomad with consul sidecar as non-root

Hi, I am new to Nomad and I am trying to run a simple whoami application with a sidecar as described here. Nomad is running as a daemon as the nomad user. Deploying the container with Docker without the proxy works fine. I followed the Consul Service Mesh guide. I am getting the following error:

2021-11-16T19:14:11.254Z [ERROR] client.alloc_runner: prerun failed: alloc_id=xx error="pre-run hook "network" failed: failed to configure networking for alloc: failed to initialize table forwarding rules: failed to list iptables chains: running [/usr/sbin/iptables -t filter -S --wait]: exit status 4: Fatal: can't open lock file /run/xtables.lock: Permission denied
2021-11-16T19:14:11.279Z [ERROR] client.alloc_runner.runner_hook: failed to cleanup network for allocation, resources may have leaked: alloc_id=xxx alloc=xx error="neither iptables nor ip6tables usable"

Is there a possibility to run Nomad without root rights?

Thank you.

I investigated further and came across different solutions and posts:

  • I found an entry in the nomad-gitter which proposed setting CAP_SYS_ADMIN, CAP_NET_ADMIN and CAP_CHOWN on the iptables binary, or only CAP_SYS_ADMIN and CAP_CHOWN
  • I found this discussion, which was solved by running nomad as root.
  • Maybe it would help to set some permissions via visudo

In the end I ended up going with the root option, which I don't like.

Shouldn't Docker have the same issue? I found the post which basically explains the same issue.
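The log line above names two preconditions that the Nomad network hook needs from the user it runs as: the xtables lock file must be openable for writing, and the iptables binary must be allowed to talk to netfilter at all. The following preflight script is an added example written for this thread, not code from the original post or from Nomad or Consul; it reports which of those two preconditions fails for the user running it, without changing anything. It assumes the paths from the log (/run/xtables.lock and /usr/sbin/iptables) and that getcap from libcap is installed for the file-capability check.

```shell
#!/bin/sh
# Preflight check for the "failed to list iptables chains" error seen when
# Nomad runs as a non-root user (added example, not Nomad's own code).

# Returns 0 if the lock file at $1 can be opened for writing by the current
# user. iptables --wait creates the lock if it is missing, so for a missing
# file the containing directory must be writable instead.
xtables_lock_writable() {
  lock="$1"
  if [ -e "$lock" ]; then
    [ -w "$lock" ]
  else
    [ -w "$(dirname "$lock")" ]
  fi
}

# Returns 0 if the binary at $1 carries any file capabilities according to
# getcap (the route suggested in the gitter entry), 1 if it has none or
# getcap is not installed (assumed to come from the libcap package).
iptables_has_filecaps() {
  bin="$1"
  command -v getcap >/dev/null 2>&1 || return 1
  getcap "$bin" 2>/dev/null | grep -q 'cap_'
}

# Runs both checks and returns 0 only if Nomad's network hook would get past
# the two failures quoted in the log. Defaults are the paths from the log.
nomad_network_preflight() {
  lock="${1:-/run/xtables.lock}"
  bin="${2:-/usr/sbin/iptables}"
  status=0
  if [ "$(id -u)" -eq 0 ]; then
    echo "running as root: both checks pass trivially"
    return 0
  fi
  if xtables_lock_writable "$lock"; then
    echo "ok:   $lock is writable by $(id -un)"
  else
    echo "FAIL: $lock is not writable by $(id -un) (the 'Permission denied' in the Nomad log)"
    status=1
  fi
  if iptables_has_filecaps "$bin"; then
    echo "ok:   $bin has file capabilities: $(getcap "$bin")"
  else
    echo "FAIL: $bin has no file capabilities; without them the binary is unusable by a non-root user"
    status=1
  fi
  return "$status"
}

# Only run the checks when invoked as "sh preflight.sh --check [lock] [iptables]"
# so the functions can also be sourced for testing.
if [ "${1:-}" = "--check" ]; then
  nomad_network_preflight "${2:-}" "${3:-}"
fi
```

Run it as the service user, for example `sudo -u nomad sh preflight.sh --check`; a non-zero exit tells you which of the two preconditions still blocks the allocation before you reach for root. Note that a capability set like the one proposed in the gitter entry includes CAP_SYS_ADMIN, which covers far more than netfilter, so the getcap output the script prints is worth reading in full rather than just treating as "ok".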