Carlos: excellent questions. Thanks for asking them, and for experimenting with the docker image!
I am not a Docker expert; if one happens along, they may refine what I say here. But I believe I can shed a little light.
Docker defies some assumptions that are common among linux power users, and this can be a bit disconcerting at first. A normal linux instance is a multipurpose OS where you might have a handful of shells and dozens of daemons running. Access into and out of the OS is typically over the network, which means a firewall is crucial. Many users may interact with it simultaneously. Docker containers, on the other hand, are designed to be ultra lightweight, so they eliminate everything that is not essential. Each container is dedicated to a single use, and by default all access into or out of the container is turned off, except via stdin/stdout in the shell or process that launched the container. This means that when you fire up a docker container and drop into a bash prompt “inside” it, that prompt is the only way to interact with it. Nobody else can log in, no incoming network traffic can reach it, etc. It can make outgoing network calls, and docker will route packets back for responses, but that’s it. (I’m simplifying quite a bit here, but in broad brush strokes, this is true.) Of course you can punch holes through, start ssh daemons, etc–but none of that is done by default.
As a result, docker containers typically don’t have any iptables running (or even installed) internally. And likewise, docker containers often run as the root user (since multiple login isn’t expected)–which means they have no need for sudo. This is why you saw errors about iptables and sudo. The error from start_sovrin_node is caused by lack of incoming communication for the container.
If you want to open ports, you have to use Docker–not iptables–to do it. Typically you do this by using the -p switch on the “docker run” commandline.
The docker image we published has all the software necessary to run as a validator–but it is not configured to do so if you launch the container in the way we described in the Getting Started tutorial. That cmdline is sufficient to run the sovrin CLI to call other validator nodes and get through the tutorial, nothing more. If you want to use the image to run the docker image as a validator node, you will need to use the docker cmdline to map ports 9700 to 9799 between your container and your host OS, and you will need to give the container an externally callable IP address. I believe both of these things would feel easy to a Docker expert, but I do not know how to do them off the top of my head. Perhaps with these hints you will find the details with a quick web search.
I will check back tomorrow (running out of energy and laptop battery) to see if you’ve had any success.