微信公众号搜"智元新知"关注
微信扫一扫可直接关注哦!

Centos 7 docker 启动容器 iptables 报 No chain/target/match by that name

分类:CentOS作者:编程之家

启动一个有 nat 映射端口的容器时,iptables 报 No chain/target/match by that name

Shell
1
2
docker run - d - p 2181 : 2181 - p 2888 : 2888 - p 3888 : 3888 garland / zookeeper
Error response from daemon : Cannot start container 565c06efde6cd4411e2596ef3d726817c58dd777bc5fd13762e0c34d86076b9e : iptables Failed : iptables -- wait - t nat - A DOCKER - p tcp - d 0 / 0 -- dport 3888 - j DNAT -- to - destination 192.168.42.11 : 3888 ! - i docker0 : iptables : No chain / target / match by that name

找了N多网站和官方issue后,还是没找到真正的解决方法,网上到处转载的只是分析了原因,并没有明确的解决方案,为此与同事通宵加班终于解决了这个问题。

找到系统的/etc/sysconfig/iptables,如果没有用以下命令保存一下,然后查看里边的内容

Shell
1
2
iptables - save > / etc / sysconfig / iptables
cat / etc / sysconfig / iptables

发现内容如下

Shell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
* filter
: INPUT ACCEPT [ 0 : 0 ]
: FORWARD ACCEPT [ 0 : 0 ]
: OUTPUT ACCEPT [ 0 : 0 ]
- N whitelist
- A whitelist - s 192.168.42.0 / 24 - j ACCEPT
#syn
- N syn - flood
- A INPUT - p tcp -- syn - j syn - flood
- I syn - flood - p tcp - m limit -- limit 3 / s -- limit - burst 6 - j RETURN
- A syn - flood - j REJECT
#DOS
- A INPUT - i eth0 - p tcp -- syn - m connlimit -- connlimit - above 15 - j DROP
- A INPUT - p tcp - m state -- state ESTABLISHED , RELATED - j ACCEPT
## 省略一些简单的防火墙规则

查看启动容器的报错信息发现-A DOCKERDOCKER链,但在iptables文件里并没有找到,

由于之前在自己的系统(archlinux)学习使用docker时并没遇到这问题,

所以马上去看了下自己系统里的iptables的文件

内容如下

Shell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
* nat
: PREROUTING ACCEPT [ 27 : 11935 ]
: INPUT ACCEPT [ 0 : 0 ]
: OUTPUT ACCEPT [ 598 : 57368 ]
: POSTROUTING ACCEPT [ 591 : 57092 ]
: DOCKER - [ 0 : 0 ]
- A PREROUTING - m addrtype -- dst - type LOCAL - j DOCKER
- A OUTPUT ! - d 127.0.0.0 / 8 - m addrtype -- dst - type LOCAL - j DOCKER
- A POSTROUTING - s 172.17.0.0 / 16 ! - o docker0 - j MASQUERADE
- A POSTROUTING - s 172.17.0.3 / 32 - d 172.17.0.3 / 32 - p tcp - m tcp -- dport 1521 - j MASQUERADE
- A POSTROUTING - s 172.17.0.3 / 32 - d 172.17.0.3 / 32 - p tcp - m tcp -- dport 22 - j MASQUERADE
- A DOCKER ! - i docker0 - p tcp - m tcp -- dport 49161 - j DNAT -- to - destination 172.17.0.3 : 1521
- A DOCKER ! - i docker0 - p tcp - m tcp -- dport 49160 - j DNAT -- to - destination 172.17.0.3 : 22
COMMIT
# Completed on Sun Sep 20 17:35:31 2015
# Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015
* filter
: INPUT ACCEPT [ 139291 : 461018923 ]
: FORWARD ACCEPT [ 0 : 0 ]
: OUTPUT ACCEPT [ 127386 : 5251162 ]
: DOCKER - [ 0 : 0 ]
- A FORWARD - o docker0 - j DOCKER
- A FORWARD - o docker0 - m conntrack -- ctstate RELATED , ESTABLISHED - j ACCEPT
- A FORWARD - i docker0 ! - o docker0 - j ACCEPT
- A FORWARD - i docker0 - o docker0 - j ACCEPT
- A DOCKER - d 172.17.0.3 / 32 ! - i docker0 - o docker0 - p tcp - m tcp -- dport 1521 - j ACCEPT
- A DOCKER - d 172.17.0.3 / 32 ! - i docker0 - o docker0 - p tcp - m tcp -- dport 22 - j ACCEPT
COMMIT
# Completed on Sun Sep 20 17:35:31 2015

对比后以去掉不相关的规则,以现*nat规则里有以下的对于docker的配置

Shell
1
2
3
4
5
6
7
8
9
* nat
: PREROUTING ACCEPT [ 27 : 11935 ]
: INPUT ACCEPT [ 0 : 0 ]
: OUTPUT ACCEPT [ 598 : 57368 ]
: POSTROUTING ACCEPT [ 591 : 57092 ]
: DOCKER - [ 0 : 0 ]
- A PREROUTING - m addrtype -- dst - type LOCAL - j DOCKER
- A POSTROUTING - s 172.17.0.0 / 16 ! - o docker0 - j MASQUERADE
COMMIT

*filter规则里对docker的配置如下

Shell
1
2
3
4
5
6
7
8
9
10
* filter
: INPUT ACCEPT [ 139291 : 461018923 ]
: FORWARD ACCEPT [ 0 : 0 ]
: OUTPUT ACCEPT [ 127386 : 5251162 ]
: DOCKER - [ 0 : 0 ]
- A FORWARD - o docker0 - j DOCKER
- A FORWARD - o docker0 - m conntrack -- ctstate RELATED , ESTABLISHED - j ACCEPT
- A FORWARD - i docker0 ! - o docker0 - j ACCEPT
- A FORWARD - i docker0 - o docker0 - j ACCEPT
COMMIT

去掉不相关规则后的配置文件如下(可以直接用):

Shell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
* nat
: PREROUTING ACCEPT [ 27 : 11935 ]
: INPUT ACCEPT [ 0 : 0 ]
: OUTPUT ACCEPT [ 598 : 57368 ]
: POSTROUTING ACCEPT [ 591 : 57092 ]
: DOCKER - [ 0 : 0 ]
- A PREROUTING - m addrtype -- dst - type LOCAL - j DOCKER
- A OUTPUT ! - d 127.0.0.0 / 8 - m addrtype -- dst - type LOCAL - j DOCKER
- A POSTROUTING - s 172.17.0.0 / 16 ! - o docker0 - j MASQUERADE
COMMIT
# Completed on Sun Sep 20 17:35:31 2015
# Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015
* filter
: INPUT ACCEPT [ 139291 : 461018923 ]
: FORWARD ACCEPT [ 0 : 0 ]
: OUTPUT ACCEPT [ 127386 : 5251162 ]
: DOCKER - [ 0 : 0 ]
- A FORWARD - o docker0 - j DOCKER
- A FORWARD - o docker0 - m conntrack -- ctstate RELATED , ESTABLISHED - j ACCEPT
- A FORWARD - i docker0 ! - o docker0 - j ACCEPT
- A FORWARD - i docker0 - o docker0 - j ACCEPT
COMMIT
# Completed on Sun Sep 20 17:35:31 2015

然后再加上自己服务器的过滤规则,合并后覆盖到Centos 7的/etc/sysconfig/iptables文件

重启iptables 服务

Shell
1
systemctl restart iptables .service

两次启动对应docker容器,

Shell
1
docker run - d - p 2181 : 2181 - p 2888 : 2888 - p 3888 : 3888 garland / zookeeper

发现容器启动成功,虽然有警告,但并不影响容器的使用

相关推荐:http://blog.csdn.net/fwj380891124/article/details/53023245

     http://blog.jobbole.com/98869/

版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。

相关推荐

Centos下搭建性能监控Spotlight
Centos下搭建性能监控Spotlight
CentOS 6.3下Strongswan搭建IPSec VPN
CentOS 6.3下Strongswan搭建IPSec VPN
在CentOS6.5上安装Skype与QQ
在CentOS6.5上安装Skype与QQ
阿里云基于centos6.5主机VPN配置
阿里云基于centos6.5主机VPN配置
CentOS 6.3下配置multipah
CentOS 6.3下配置multipah
CentOS安装、配置APR和tomcat-native
CentOS安装、配置APR和tomcat-native
centos6.5下postgres-XC集群安装与配置
centos6.5下postgres-XC集群安装与配置
CentOS 6使用openssl搭建根CA
CentOS 6使用openssl搭建根CA
CentOS6.6中安装VNC server
CentOS6.6中安装VNC server
CentOS下更新Python最新版本
CentOS下更新Python最新版本
苹果市值2025年有望达4万亿美元
pythonJavaScriptjavaHTMLPHPreactjsC#AndroidCSSNode.jssqlrpython-3.xMysqLjQueryc++pandasFlutterangularIOSdjangolinuxswifttypescript路由器JSON路由器设置无线路由器h3c华三华三路由器设置华三路由器电脑软件教程arraysdocker软件图文教程Cvue.jslaravelspring-boot