啓動一個有nat映射端口的容器時iptables 報No chain/target/match by that name
docker run -d -p 2181:2181 -p 2888:2888 -p 3888:3888 garland/zookeeper Error response from daemon: Cannot start container 565c06efde6cd4411e2596ef3d726817c58dd777bc5fd13762e0c34d86076b9e: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 3888 -j DNAT --to-destination 192.168.42.11:3888 ! -i docker0: iptables: No chain/target/match by that name
找了N多網站和官方issue後,還是沒找到真正的解決方法,網上到處轉載的只是分析了原因,
並沒有明確的解決方案,爲此與同事通宵加班終於解決了這個問題
找到系統的/etc/sysconfig/iptables
,如果沒有用以下命令保存一下,然後查看裏邊的內容
iptables-save > /etc/sysconfig/iptables cat /etc/sysconfig/iptables
發現內容如下
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0]-N whitelist-A whitelist -s 192.168.42.0/24 -j ACCEPT#syn-N syn-flood-A INPUT -p tcp --syn -j syn-flood-I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN-A syn-flood -j REJECT#DOS-A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT## 省略一些簡單的防火牆規則
查看啓動容器的報錯信息發現-A DOCKER
DOCKER鏈,但在iptables文件裏並沒有找到,
由於之前在自己的系統(archlinux)學習使用docker時並沒遇到這問題,
所以馬上去看了下自己系統裏的iptables的文件,
內容如下
*nat :PREROUTING ACCEPT [27:11935] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [598:57368] :POSTROUTING ACCEPT [591:57092] :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE -A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 1521 -j MASQUERADE-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 22 -j MASQUERADE-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49161 -j DNAT --to-destination 172.17.0.3:1521-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49160 -j DNAT --to-destination 172.17.0.3:22COMMIT # Completed on Sun Sep 20 17:35:31 2015# Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015*filter :INPUT ACCEPT [139291:461018923] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [127386:5251162] :DOCKER - [0:0] -A FORWARD -o docker0 -j DOCKER -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT-A FORWARD -i docker0 ! -o docker0 -j ACCEPT -A FORWARD -i docker0 -o docker0 -j ACCEPT -A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1521 -j ACCEPT-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPTCOMMIT # Completed on Sun Sep 20 17:35:31 2015
對比後以去掉不相關的規則,以現*nat
規則裏有以下的對於docker的配置
*nat:PREROUTING ACCEPT [27:11935]:INPUT ACCEPT [0:0]:OUTPUT ACCEPT [598:57368]:POSTROUTING ACCEPT [591:57092]:DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADECOMMIT
*filter
規則裏對docker的配置如下
*filter:INPUT ACCEPT [139291:461018923]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [127386:5251162]:DOCKER - [0:0]-A FORWARD -o docker0 -j DOCKER-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT-A FORWARD -i docker0 ! -o docker0 -j ACCEPT-A FORWARD -i docker0 -o docker0 -j ACCEPTCOMMIT
去掉不相關規則後的配置文件如下(可以直接用):
*nat:PREROUTING ACCEPT [27:11935]:INPUT ACCEPT [0:0]:OUTPUT ACCEPT [598:57368]:POSTROUTING ACCEPT [591:57092]:DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADECOMMIT # Completed on Sun Sep 20 17:35:31 2015# Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015*filter:INPUT ACCEPT [139291:461018923]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [127386:5251162]:DOCKER - [0:0] -A FORWARD -o docker0 -j DOCKER-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT-A FORWARD -i docker0 ! -o docker0 -j ACCEPT-A FORWARD -i docker0 -o docker0 -j ACCEPTCOMMIT # Completed on Sun Sep 20 17:35:31 2015
然後再加上自己服務器的過濾規則,合併後覆蓋到Centos 7的 /etc/sysconfig/iptables
文件
重啓iptables 服務
systemctl restart iptables.service
兩次啓動對應docker容器,
docker run -d -p 2181:2181 -p 2888:2888 -p 3888:3888 garland/zookeeper
發現容器啓動成功,雖然有警告,但並不影響容器的使用
PS: @孫振樹 提供的解決辦法: 如果iptables是在docker後安裝的,把docker重新安裝下就可以了
轉自:http://www.lxy520.net/2015/09/24/centos-7-docker-qi-dong-bao/