Centos 7 docker 启动容器iptables报No chain/target/match by that name

发布时间: 更新时间: 总字数:632 阅读时间:2m 作者: IP属地: 分享 复制网址

Docker启动一个有nat映射端口的容器时iptables 报No chain/target/match by that name问题。

错误日志及iptable

[root@xiexianbin_cn xiexianbin.github.io]# docker run -d -t -i -p 8081:8080 -v /var/local/www/xiexianbin.github.io:/opt/docker --name jekyll xiexianbin/centos6:jekyll
38af43f00cd4200318b3a6c077c47757efd6e9c357784105dd901a71f33d6621
docker: Error response from daemon: driver failed programming external connectivity on endpoint jekyll (6a85f15be9d4259de32b021f977bc06adf45a35a3eb8ccb2b71c10e4b9252c21): iptables failed: iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.2 --dport 8080 -j ACCEPT: iptables: No chain/target/match by that name.
 (exit status 1).
[root@xiexianbin_cn xiexianbin.github.io]# iptables-save
# Generated by iptables-save v1.4.21 on Sat Oct 22 20:32:14 2016
*nat
:PREROUTING ACCEPT [2:100]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [10:675]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 172.17.0.2:8080
COMMIT
# Completed on Sat Oct 22 20:32:14 2016
# Generated by iptables-save v1.4.21 on Sat Oct 22 20:32:14 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [131472:10262802]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Oct 22 20:32:14 2016
[root@xiexianbin_cn xiexianbin.github.io]#

问题分析

查看启动容器的报错信息发现-A DOCKER filter链,但在iptables文件里并没有找到,于是该问题就是处在iptable的filter中。

修复

参照docker官方说明,对iptable的filter修改如下:

[root@xiexianbin_cn ~]# iptables-save
# Generated by iptables-save v1.4.21 on Sat Oct 22 20:53:09 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1362:261696]
:DOCKER - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1521 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
# Completed on Sat Oct 22 20:53:09 2016

注意-A DOCKER部分的修改。

然后重启iptable,测试通过:

systemctl restart iptables.service

在运行创建名称,成功。

Home Archives Categories Tags Statistics
本文总阅读量 次 本站总访问量 次 本站总访客数