【报错】
[root@localhost portainer]# docker run -p 9000:9000 -p 8000:8000 --name portainer \
> --restart=always \
> -v /var/run/docker.sock:/var/run/docker.sock \
> -v /mydata/portainer/data:/data \
> -v /mydata/portainer/public:/public \
> -d portainer/portainer
306ad4d3e33c31765f4e2dbf351e664812e331d0c3fad929d93843c2d7c4fd06
docker: Error response from daemon: driver failed programming external connectivity on endpoint portainer (15ad9664ca79d00fe2b6c282da4331a89467387cb5a6ec800b1a0aca82d8dd40): (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 9000 -j DNAT --to-destination 172.17.0.2:9000 ! -i docker0: iptables: No chain/target/match by that name.
【原因】
- 主要是因为在启动docker容器的时候或者做docker配置的时候,还对防火墙设置重新启动等配置
这样会清除docker的相关配置,导致在查询防火墙规则的时候显示不到docker的链。
[root@localhost portainer]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
【分析】
docker容器的底层原理:
- 在启动docker的时候会自动在iptables中注册一个链,通过防火墙的链也可以找到其注册的信息,主要注册这些链,是docker中的容器为了暴露端口而使用的
- 具体原因是你删除了iptables中的链
删除链接的方式有很多种
- 重启firewalld防火墙即可对其清除,firewalld是centos7以上,iptables是centos6以下都会有,而firewalld的底层是涉及在iptables上的,在启动firewalld的时候会自动删除iptables链的相关链接
- 删除该链接的其他方式博主暂未遇到有特殊情况的,待发现
所以在涉及防火墙firewalld的命令或者是iptables中的命令的时候小心删除其涉及docker的链
【解决】
[root@localhost portainer]# systemctl restart docker
[root@localhost portainer]# docker rm portainer
portainer
[root@localhost portainer]# docker run -p 9000:9000 -p 8000:8000 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v /mydata/portainer/data:/data -v /mydata/portainer/public:/public -d portainer/portainer
92323aaf47be7a5021d400e1fdda83c722a89025cfe3464c81c2a39cc7150ad5
[root@localhost portainer]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:mysql
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:cslistener
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:irdmi
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere