Starting a container with NAT port mappings fails: iptables reports "No chain/target/match by that name"
```
docker run -d -p 2181:2181 -p 2888:2888 -p 3888:3888 garland/zookeeper
Error response from daemon: Cannot start container 565c06efde6cd4411e2596ef3d726817c58dd777bc5fd13762e0c34d86076b9e: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 3888 -j DNAT --to-destination 192.168.42.11:3888 ! -i docker0: iptables: No chain/target/match by that name
```
After going through a great many websites and the official issues I still could not find a real fix; what gets reposted everywhere only analyses the cause and offers no concrete solution. A colleague and I worked through the night and finally solved it.
Locate the system's /etc/sysconfig/iptables. If it does not exist, save the current rules with the following command, then inspect its contents:
```
iptables-save > /etc/sysconfig/iptables
cat /etc/sysconfig/iptables
```
The contents were as follows:
```
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N whitelist
-A whitelist -s 192.168.42.0/24 -j ACCEPT
#syn
-N syn-flood
-A INPUT -p tcp --syn -j syn-flood
-I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
-A syn-flood -j REJECT
#DOS
-A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
## some simple firewall rules omitted
```
Looking at the error from starting the container, the failing command appends to the DOCKER chain (-A DOCKER), but no such chain exists anywhere in this iptables file. Since I had never hit this problem while learning Docker on my own system (Arch Linux), I immediately checked the iptables file there. Its contents were:
```
*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 1521 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 22 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49161 -j DNAT --to-destination 172.17.0.3:1521
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49160 -j DNAT --to-destination 172.17.0.3:22
COMMIT
# Completed on Sun Sep 20 17:35:31 2015
# Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015
*filter
:INPUT ACCEPT [139291:461018923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1521 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sun Sep 20 17:35:31 2015
```
After comparing the two files and stripping the unrelated rules, the *nat table turns out to contain the following Docker configuration:
```
*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
```
The Docker configuration in the *filter table is:
```
*filter
:INPUT ACCEPT [139291:461018923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
```
With the unrelated rules removed, the configuration file looks like this (it can be used as-is):
```
*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
# Completed on Sun Sep 20 17:35:31 2015
# Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015
*filter
:INPUT ACCEPT [139291:461018923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
# Completed on Sun Sep 20 17:35:31 2015
```
Then add your own server's filter rules, merge them with the above, and write the result over /etc/sysconfig/iptables on CentOS 7. Restart the iptables service:
```
systemctl restart iptables.service
```
Start the Docker container again:
```
docker run -d -p 2181:2181 -p 2888:2888 -p 3888:3888 garland/zookeeper
```
The container now starts successfully. There is a warning, but it does not affect use of the container.
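As an added example, not code from the original post: a POSIX shell check that parses an iptables-save file and reports which of the Docker chains and jump rules shown above are missing, so a saved rule set can be validated before it is restored over the live rules. The two sample dumps are constructed from the post's files; the bridge name docker0 and the subnet 172.17.0.0/16 are assumptions taken from those dumps.

```sh
# Added example (not from the original post): check an iptables-save file for the
# chains and jumps Docker needs. Assumes bridge docker0 and subnet 172.17.0.0/16.
# Print the lines of one table (*nat, *filter, ...) from an iptables-save file.
table_block() {  # table_block FILE TABLE
  awk -v t="*$2" '$0 == t { inblk = 1; next }
                  inblk && $0 == "COMMIT" { inblk = 0 }
                  inblk { print }' "$1"
}
# Report each Docker prerequisite missing from FILE; exit status = number missing.
check_docker_chains() {  # check_docker_chains FILE
  missing=0
  for req in \
      'nat|^:DOCKER ' \
      'nat|^-A PREROUTING .* -j DOCKER$' \
      'nat|^-A POSTROUTING -s 172\.17\.0\.0/16 ! -o docker0 -j MASQUERADE$' \
      'filter|^:DOCKER ' \
      'filter|^-A FORWARD -o docker0 -j DOCKER$'; do
    table=${req%%|*}; pat=${req#*|}
    if ! table_block "$1" "$table" | grep -q -e "$pat"; then
      echo "missing in *$table: $pat"
      missing=$((missing + 1))
    fi
  done
  return $missing
}
# Constructed sample: a CentOS 7 file like the post's first dump (no nat table, no DOCKER chain).
sample_broken() {
  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT' 'COMMIT'
}
# Constructed sample: the minimal working file from the post.
sample_fixed() {
  printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
    ':POSTROUTING ACCEPT [0:0]' ':DOCKER - [0:0]' \
    '-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' \
    '-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER' \
    '-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' 'COMMIT' \
    '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' ':DOCKER - [0:0]' \
    '-A FORWARD -o docker0 -j DOCKER' \
    '-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
    '-A FORWARD -i docker0 ! -o docker0 -j ACCEPT' '-A FORWARD -i docker0 -o docker0 -j ACCEPT' 'COMMIT'
}
# Demo: the broken file reports 5 missing items, the fixed one none.
tmp=$(mktemp -d)
sample_broken > "$tmp/broken"; sample_fixed > "$tmp/fixed"
check_docker_chains "$tmp/broken" || echo "broken: $? item(s) missing"
check_docker_chains "$tmp/fixed" && echo "fixed: OK"
rm -rf "$tmp"
```

Restarting the iptables service replaces the live rule set with this file, including the chains dockerd created when it started, so the DOCKER chains have to be present in the file itself or dockerd has to be restarted afterwards.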