Centos 7 docker 啟動容器 iptables 報 No chain/target/match by that name

星痕發表於2016-03-20

啟動一個有 nat 對映埠的容器時，iptables 報 No chain/target/match by that name

docker run -d -p 2181:2181 -p 2888:2888 -p 3888:3888 garland/zookeeper  
Error response from daemon: Cannot start container 565c06efde6cd4411e2596ef3d726817c58dd777bc5fd13762e0c34d86076b9e: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 3888 -j DNAT --to-destination 192.168.42.11:3888 ! -i docker0: iptables: No chain/target/match by that name

docker run -d -p 2181:2181 -p 2888:2888 -p 3888:3888 garland/zookeeper

Error response from daemon: Cannot start container 565c06efde6cd4411e2596ef3d726817c58dd777bc5fd13762e0c34d86076b9e: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 3888 -j DNAT --to-destination 192.168.42.11:3888 ! -i docker0: iptables: No chain/target/match by that name

找了N多網站和官方issue後，還是沒找到真正的解決方法，網上到處轉載的只是分析了原因，並沒有明確的解決方案，為此與同事通宵加班終於解決了這個問題。

找到系統的/etc/sysconfig/iptables ，如果沒有用以下命令儲存一下,然後檢視裡邊的內容

iptables-save > /etc/sysconfig/iptables  
cat /etc/sysconfig/iptables

1 2	iptables-save > /etc/sysconfig/iptables cat /etc/sysconfig/iptables

發現內容如下

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-N whitelist
-A whitelist -s 192.168.42.0/24 -j ACCEPT
#syn
-N syn-flood
-A INPUT -p tcp --syn -j syn-flood
-I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
-A syn-flood -j REJECT
#DOS
-A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
## 省略一些簡單的防火牆規則

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

-N whitelist

-A whitelist -s 192.168.42.0/24 -j ACCEPT

#syn

-N syn-flood

-A INPUT -p tcp --syn -j syn-flood

-I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN

-A syn-flood -j REJECT

#DOS

-A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP

-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

## 省略一些簡單的防火牆規則

檢視啟動容器的報錯資訊發現-A DOCKER DOCKER鏈，但在iptables檔案裡並沒有找到，

由於之前在自己的系統(archlinux)學習使用docker時並沒遇到這問題，

所以馬上去看了下自己系統裡的iptables的檔案，

內容如下

*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 1521 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 22 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49161 -j DNAT --to-destination 172.17.0.3:1521
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49160 -j DNAT --to-destination 172.17.0.3:22
COMMIT  
# Completed on Sun Sep 20 17:35:31 2015
# Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015
*filter
:INPUT ACCEPT [139291:461018923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1521 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT  
# Completed on Sun Sep 20 17:35:31 2015

*nat

:PREROUTING ACCEPT [27:11935]

:INPUT ACCEPT [0:0]

:OUTPUT ACCEPT [598:57368]

:POSTROUTING ACCEPT [591:57092]

:DOCKER - [0:0]

-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER

-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER

-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 1521 -j MASQUERADE

-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 22 -j MASQUERADE

-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49161 -j DNAT --to-destination 172.17.0.3:1521

-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49160 -j DNAT --to-destination 172.17.0.3:22

COMMIT

# Completed on Sun Sep 20 17:35:31 2015

# Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015

*filter

:INPUT ACCEPT [139291:461018923]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [127386:5251162]

:DOCKER - [0:0]

-A FORWARD -o docker0 -j DOCKER

-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A FORWARD -i docker0 ! -o docker0 -j ACCEPT

-A FORWARD -i docker0 -o docker0 -j ACCEPT

-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1521 -j ACCEPT

-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT

COMMIT

# Completed on Sun Sep 20 17:35:31 2015

對比後以去掉不相關的規則，以現*nat規則裡有以下的對於docker的配置

*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT

*nat

:PREROUTING ACCEPT [27:11935]

:INPUT ACCEPT [0:0]

:OUTPUT ACCEPT [598:57368]

:POSTROUTING ACCEPT [591:57092]

:DOCKER - [0:0]

-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER

-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

COMMIT

*filter 規則裡對docker的配置如下

*filter
:INPUT ACCEPT [139291:461018923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT

*filter

:INPUT ACCEPT [139291:461018923]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [127386:5251162]

:DOCKER - [0:0]

-A FORWARD -o docker0 -j DOCKER

-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A FORWARD -i docker0 ! -o docker0 -j ACCEPT

-A FORWARD -i docker0 -o docker0 -j ACCEPT

COMMIT

去掉不相關規則後的配置檔案如下(可以直接用)：

*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT  
# Completed on Sun Sep 20 17:35:31 2015
# Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015
*filter
:INPUT ACCEPT [139291:461018923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT  
# Completed on Sun Sep 20 17:35:31 2015

*nat

:PREROUTING ACCEPT [27:11935]

:INPUT ACCEPT [0:0]

:OUTPUT ACCEPT [598:57368]

:POSTROUTING ACCEPT [591:57092]

:DOCKER - [0:0]

-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER

-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER

-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

COMMIT

# Completed on Sun Sep 20 17:35:31 2015

# Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015

*filter

:INPUT ACCEPT [139291:461018923]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [127386:5251162]

:DOCKER - [0:0]

-A FORWARD -o docker0 -j DOCKER

-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A FORWARD -i docker0 ! -o docker0 -j ACCEPT

-A FORWARD -i docker0 -o docker0 -j ACCEPT

COMMIT

# Completed on Sun Sep 20 17:35:31 2015

然後再加上自己伺服器的過濾規則，合併後覆蓋到Centos 7的 /etc/sysconfig/iptables 檔案

重啟iptables 服務

systemctl restart iptables.service

1	systemctl restart iptables.service

兩次啟動對應docker容器，

docker run -d -p 2181:2181 -p 2888:2888 -p 3888:3888 garland/zookeeper

1	docker run -d -p 2181:2181 -p 2888:2888 -p 3888:3888 garland/zookeeper

發現容器啟動成功，雖然有警告，但並不影響容器的使用

啟動docker容器時報錯：iptables: No chain/target/match by that name.
2019-03-01
DockerAI
iptables:No chain/target/match by the name
2020-09-24
AI
docker 啟動 centos 映象，容器會自動退出
2018-01-11
DockerCentOS
CentOS 7關閉firewalld啟用iptables
2016-02-26
CentOS
Centos7啟動Nginx報錯。
2018-10-22
CentOSNginx
Centos 7 Iscsi target
2015-01-22
CentOS
Docker重啟保持容器自動啟動
2021-06-25
Docker
Docker容器的自啟動
2019-03-21
Docker
centos7安裝iptables
2017-09-19
CentOS
iptables使用詳解(centos7)
2022-03-07
CentOS
CentOS之——CentOS7安裝iptables防火牆
2016-03-02
CentOS防火牆
Docker(十七)-修改Docker容器啟動配置引數
2024-04-24
Docker
使用docker執行CentOS容器
2024-04-24
DockerCentOS
[Docker系列·13]使用fig啟動容器
2017-01-04
Docker
啟動或刪除Docker容器和映象
2018-01-12
Docker
centos7 在iptables中增加通行埠
2017-05-02
CentOS
docker學習6：在Centos7 更改Docker預設映象和容器的位置
2018-05-01
DockerCentOS
CentOS 7 新增win7啟動項——修改預設啟動項
2016-08-02
CentOSWin7
Docker and docker-compose in CentOS 7
2015-11-03
DockerCentOS
CentOS 7啟動時出現報錯提示“Give root password for maintenance”
2017-12-21
CentOSAINaN
CentOS7 nginx啟動指令碼
2020-04-04
CentOSNginx指令碼
linux啟動流程 (centos6,centos7)
2020-11-02
LinuxCentOS
Shell指令碼控制docker容器啟動順序
2021-03-05
指令碼Docker
Centos7 啟動 python指令碼
2018-06-12
CentOSPython指令碼
docker-swarm容器固定到node節點啟動
2021-09-09
DockerSwarm
如何在Docker容器啟動時自動執行指令碼
2024-03-20
Docker指令碼
CentOS7 安裝 docker
2019-09-04
CentOSDocker
centos7安裝docker
2020-10-01
CentOSDocker
centos7 設定tomcat自啟動
2018-10-17
CentOSTomcat
mongodb的安裝與啟動（centos7）
2015-09-17
MongoDBCentOS
Docker容器啟動時初始化Mysql資料庫
2020-05-27
DockerMySql資料庫
docker容器故障致無法啟動解決例項
2017-11-14
Docker
centos7 docker 安裝教程
2020-02-10
CentOSDocker
centos7快速安裝docker
2019-04-02
CentOSDocker
centOs7安裝最新docker
2021-09-09
CentOSDocker
Centos7上安裝docker
2018-09-27
CentOSDocker
centos7下docker安裝
2020-12-16
CentOSDocker
centos7下安裝 docker
2020-11-17
CentOSDocker

Centos 7 docker 啟動容器 iptables 報 No chain/target/match by that name

相關文章