启动一个有nat映射端口的容器时iptables 报No chain/target/match by that name
dockerrun-d-p2181:2181-p2888:2888-p3888:3888garland/zookeeper Errorresponsefromdaemon:Cannotstartcontainer565c06efde6cd4411e2596ef3d726817c58dd777bc5fd13762e0c34d86076b9e:iptablesFailed:iptables--wait-tnat-ADOCKER-ptcp-d0/0--dport3888-jDNAT--to-destination192.168.42.11:3888!-idocker0:iptables:Nochain/target/matchbythatname
找了N多网站和官方issue后,还是没找到真正的解决方法,网上到处转载的只是分析了原因,
找到系统的/etc/sysconfig/iptables,如果没有用以下命令保存一下,然后查看里边的内容
iptables-save>/etc/sysconfig/iptables cat/etc/sysconfig/iptables
发现内容如下
*filter :INPUTACCEPT[0:0] :FORWARDACCEPT[0:0] :OUTPUTACCEPT[0:0]-Nwhitelist-Awhitelist-s192.168.42.0/24-jACCEPT#syn-Nsyn-flood-AINPUT-ptcp--syn-jsyn-flood-Isyn-flood-ptcp-mlimit--limit3/s--limit-burst6-jRETURN-Asyn-flood-jREJECT#DOS-AINPUT-ieth0-ptcp--syn-mconnlimit--connlimit-above15-jDROP-AINPUT-ptcp-mstate--stateESTABLISHED,RELATED-jACCEPT##省略一些简单的防火墙规则
查看启动容器的报错信息发现-A DOCKERDOCKER链,但在iptables文件里并没有找到,
由于之前在自己的系统(archlinux)学习使用docker时并没遇到这问题,
所以马上去看了下自己系统里的iptables的文件,
内容如下
*nat :PREROUTINGACCEPT[27:11935] :INPUTACCEPT[0:0] :OUTPUTACCEPT[598:57368] :POSTROUTINGACCEPT[591:57092] :DOCKER-[0:0] -APREROUTING-maddrtype--dst-typeLOCAL-jDOCKER-AOUTPUT!-d127.0.0.0/8-maddrtype--dst-typeLOCAL-jDOCKER-APOSTROUTING-s172.17.0.0/16!-odocker0-jMASQUERADE -APOSTROUTING-s172.17.0.3/32-d172.17.0.3/32-ptcp-mtcp--dport1521-jMASQUERADE-APOSTROUTING-s172.17.0.3/32-d172.17.0.3/32-ptcp-mtcp--dport22-jMASQUERADE-ADOCKER!-idocker0-ptcp-mtcp--dport49161-jDNAT--to-destination172.17.0.3:1521-ADOCKER!-idocker0-ptcp-mtcp--dport49160-jDNAT--to-destination172.17.0.3:22COMMIT#CompletedonSunSep2017:35:312015#Generatedbyiptables-savev1.4.21onSunSep2017:35:312015*filter :INPUTACCEPT[139291:461018923] :FORWARDACCEPT[0:0] :OUTPUTACCEPT[127386:5251162] :DOCKER-[0:0] -AFORWARD-odocker0-jDOCKER -AFORWARD-odocker0-mconntrack--ctstateRELATED,ESTABLISHED-jACCEPT-AFORWARD-idocker0!-odocker0-jACCEPT -AFORWARD-idocker0-odocker0-jACCEPT -ADOCKER-d172.17.0.3/32!-idocker0-odocker0-ptcp-mtcp--dport1521-jACCEPT-ADOCKER-d172.17.0.3/32!-idocker0-odocker0-ptcp-mtcp--dport22-jACCEPTCOMMIT#CompletedonSunSep2017:35:312015
对比后以去掉不相关的规则,以现*nat规则里有以下的对于docker的配置
*nat:PREROUTINGACCEPT[27:11935]:INPUTACCEPT[0:0]:OUTPUTACCEPT[598:57368]:POSTROUTINGACCEPT[591:57092]:DOCKER-[0:0] -APREROUTING-maddrtype--dst-typeLOCAL-jDOCKER-APOSTROUTING-s172.17.0.0/16!-odocker0-jMASQUERADECOMMIT
*filter规则里对docker的配置如下
*filter:INPUTACCEPT[139291:461018923]:FORWARDACCEPT[0:0]:OUTPUTACCEPT[127386:5251162]:DOCKER-[0:0]-AFORWARD-odocker0-jDOCKER-AFORWARD-odocker0-mconntrack--ctstateRELATED,ESTABLISHED-jACCEPT-AFORWARD-idocker0!-odocker0-jACCEPT-AFORWARD-idocker0-odocker0-jACCEPTCOMMIT
去掉不相关规则后的配置文件如下(可以直接用):
*nat:PREROUTINGACCEPT[27:11935]:INPUTACCEPT[0:0]:OUTPUTACCEPT[598:57368]:POSTROUTINGACCEPT[591:57092]:DOCKER-[0:0] -APREROUTING-maddrtype--dst-typeLOCAL-jDOCKER-AOUTPUT!-d127.0.0.0/8-maddrtype--dst-typeLOCAL-jDOCKER-APOSTROUTING-s172.17.0.0/16!-odocker0-jMASQUERADECOMMIT#CompletedonSunSep2017:35:312015#Generatedbyiptables-savev1.4.21onSunSep2017:35:312015*filter:INPUTACCEPT[139291:461018923]:FORWARDACCEPT[0:0]:OUTPUTACCEPT[127386:5251162]:DOCKER-[0:0] -AFORWARD-odocker0-jDOCKER-AFORWARD-odocker0-mconntrack--ctstateRELATED,ESTABLISHED-jACCEPT-AFORWARD-idocker0!-odocker0-jACCEPT-AFORWARD-idocker0-odocker0-jACCEPTCOMMIT#CompletedonSunSep2017:35:312015
然后再加上自己服务器的过滤规则,合并后覆盖到Centos 7的/etc/sysconfig/iptables文件
重启iptables 服务
systemctlrestartiptables.service
两次启动对应docker容器,
dockerrun-d-p2181:2181-p2888:2888-p3888:3888garland/zookeeper
发现容器启动成功,虽然有警告,但并不影响容器的使用
PS: @孙振树 提供的解决办法: 如果iptables是在docker后安装的,把docker重新安装下就可以了
转自:http://www.lxy520.net/2015/09/24/centos-7-docker-qi-dong-bao/
原文链接:https://www.f2er.com/centos/378823.html