Docker reports "Error response from daemon: driver failed programming external connectivity on endpoint biz-waweb-1***********" when running a container
The error message is shown in the figure (any container can report a similar error).
1. Cause of the error:
When a Docker container is started, or Docker is being configured, the firewall is often reconfigured or restarted as well.
That clears Docker's entries from the firewall, so when the firewall rules are listed Docker's chains no longer appear.
You can list the iptables chains with iptables -L (see figure).
2. Underlying principle
First, some background on how Docker containers work underneath:
When Docker starts, it automatically registers chains in iptables; the registration can be seen by listing the firewall's chains. These chains are what Docker containers use to expose ports, and the error occurs because those chains have been deleted from iptables. There are many ways this happens in practice; for example, restarting firewalld clears them. firewalld ships with CentOS 7 and above, while iptables is what CentOS 6 and below have, and firewalld itself is built on top of iptables: when firewalld starts, it automatically deletes the iptables chains Docker created. So be careful with any firewalld or iptables command that would delete the chains Docker depends on.
3. Solution (key part)
[root@localhost]# systemctl restart docker #restart the docker service (it recreates its iptables chains)
[root@localhost]# iptables -L #list the iptables chains
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:mysql
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
[root@localhost ~]# iptables -t nat -nL | grep DOCKER #confirm the DOCKER chain is back in the nat table
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain DOCKER (2 references)
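To tell the broken state apart from a healthy one before blindly restarting services, the following added example (not part of the original post) checks the text of iptables -L and iptables -t nat -L for the Docker chains shown in the listing above. The sample listings inside it are constructed; on a real host the guarded live check at the end runs against the actual tables.

```sh
#!/bin/sh
# Added example, not part of the original post: detect the state the post
# describes (Docker's iptables chains flushed by a firewalld restart) from
# the text of `iptables -L` and `iptables -t nat -L`. Chain names are the
# ones in the post's listing; the sample listings below are constructed.
FILTER_CHAINS="DOCKER DOCKER-USER DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2"
NAT_CHAINS="DOCKER"

# missing_chains LISTING CHAIN... : print each CHAIN with no "Chain NAME (" header
missing_chains() {
    listing=$1; shift
    for c in "$@"; do
        printf '%s\n' "$listing" | grep -q "^Chain $c (" || printf '%s\n' "$c"
    done
}

# check_docker_chains FILTER_LISTING NAT_LISTING : return 0 if all Docker
# chains exist, else print the missing ones as table/chain and return 1
check_docker_chains() {
    missing=$(
        missing_chains "$1" $FILTER_CHAINS | sed 's#^#filter/#'
        missing_chains "$2" $NAT_CHAINS | sed 's#^#nat/#'
    )
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed listings: healthy (as in the post) and after a firewalld
# restart, where only the built-in chains remain
HEALTHY_FILTER='Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
Chain DOCKER (2 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
Chain DOCKER-USER (1 references)'
HEALTHY_NAT='Chain PREROUTING (policy ACCEPT)
Chain DOCKER (2 references)'
FLUSHED_FILTER='Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)'
FLUSHED_NAT='Chain PREROUTING (policy ACCEPT)
Chain POSTROUTING (policy ACCEPT)'
# Live check on a real host (needs root); the remedy from the post applies
if command -v iptables >/dev/null 2>&1; then
    check_docker_chains "$(iptables -L 2>/dev/null)" "$(iptables -t nat -L 2>/dev/null)" \
        || echo "Docker chains missing: run 'systemctl restart docker'"
fi
```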