【报错】部署portainer可视化工具报错

【报错】

[root@localhost portainer]# docker run -p 9000:9000 -p 8000:8000 --name portainer \
>     --restart=always \
>     -v /var/run/docker.sock:/var/run/docker.sock \
>     -v /mydata/portainer/data:/data \
>     -v /mydata/portainer/public:/public  \
>     -d portainer/portainer 
306ad4d3e33c31765f4e2dbf351e664812e331d0c3fad929d93843c2d7c4fd06
docker: Error response from daemon: driver failed programming external connectivity on endpoint portainer (15ad9664ca79d00fe2b6c282da4331a89467387cb5a6ec800b1a0aca82d8dd40):  (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 9000 -j DNAT --to-destination 172.17.0.2:9000 ! -i docker0: iptables: No chain/target/match by that name.

【原因】

• 主要是因为在启动docker容器的时候或者做docker配置的时候，还对防火墙设置重新启动等配置
  这样会清除docker的相关配置，导致在查询防火墙规则的时候显示不到docker的链。

[root@localhost portainer]# iptables -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination    

【分析】
docker容器的底层原理：

• 在启动docker的时候会自动在iptables中注册一个链，通过防火墙的链也可以找到其注册的信息，主要注册这些链，是docker中的容器为了暴露端口而使用的
• 具体原因是你删除了iptables中的链

删除链接的方式有很多种

• 重启firewalld防火墙即可对其清除，firewalld是centos7以上，iptables是centos6以下都会有，而firewalld的底层是涉及在iptables上的，在启动firewalld的时候会自动删除iptables链的相关链接
• 删除该链接的其他方式博主暂未遇到有特殊情况的，待发现
  所以在涉及防火墙firewalld的命令或者是iptables中的命令的时候小心删除其涉及docker的链

【解决】

[root@localhost portainer]# systemctl restart docker
[root@localhost portainer]# docker  rm portainer 
portainer
[root@localhost portainer]# docker run -p 9000:9000 -p 8000:8000 --name portainer     --restart=always     -v /var/run/docker.sock:/var/run/docker.sock     -v /mydata/portainer/data:/data     -v /mydata/portainer/public:/public      -d portainer/portainer 
92323aaf47be7a5021d400e1fdda83c722a89025cfe3464c81c2a39cc7150ad5

[root@localhost portainer]# iptables -L             
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:mysql
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:cslistener
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:irdmi

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere