[Docker] iptables cannot find the DOCKER chain when starting a container
Today I wanted to run Review Board with Docker,
but unexpectedly, as soon as I ran the docker run command, a strange iptables error message appeared.
It looks like the DOCKER chain cannot be found in the nat table:
[root@localhost /]# docker run -d -p 8000:8000 ikatson/reviewboard /bin/sh -c /start.sh
WARNING: IPv4 forwarding is disabled. Networking will not work.
e1be8bd758bf3a77c579cb3491f1aa1918897a08bb0c4536d101cf0b74563f5b
/usr/bin/docker-current: Error response from daemon: driver failed programming external connectivity on endpoint determined_snyder (b40a33994c3498d73f9a70e06b6e4076b66fb79e9a2fbc7ec8f67ec41710ba73): iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 8000 -j DNAT --to-destination 172.17.0.6:8000 ! -i docker0: iptables: No chain/target/match by that name. (exit status 1).
Let's look at the contents of the iptables nat table…
It only has the usual PREROUTING, INPUT, OUTPUT and POSTROUTING chains;
there is indeed no DOCKER chain:
[root@localhost /]# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 2771 packets, 452K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 2763 packets, 450K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 10 packets, 845 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 10 packets, 845 bytes)
 pkts bytes target     prot opt in     out     source               destination
But how is this DOCKER chain supposed to be created?
After some searching, it turns out that restarting the docker service is enough:
service docker restart
After the restart, the DOCKER chain has been created:
[root@localhost /]# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 2 packets, 140 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 2 packets, 140 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
And the docker run command works normally again:
[root@localhost /]# docker run -d -p 8000:8000 ikatson/reviewboard /bin/sh -c /start.sh
36714a00342c0575a39b7ef0b773e81dcd814f3dfae8504479d257c7d2d52464
But… why did the DOCKER chain suddenly disappear from iptables?
I can't quite figure that one out; perhaps someone accidentally flushed the iptables rules?
Another thing to note: restarting the docker service
stops every running docker container,
so it's best to stop the containers first and then restart the docker service.
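As an added example (not code from the original post), the following script recognises the symptom described above, a nat table with no DOCKER chain, and applies the fix in the order the post recommends: stop the containers, then restart the docker service. The function names, the DRY_RUN switch and the run helper are mine; the table text is constructed and abridged from the shape of the post's output, and is read from stdin so the check can run offline on captured output.

```shell
#!/bin/sh
# Added example, not code from the original post: recognise the symptom from
# the post (a nat table with no DOCKER chain) and apply the fix it describes
# (stop containers first, then restart the docker service). Table text is read
# from stdin so the check runs offline on captured output; DRY_RUN=1 (the
# default) prints the remediation commands instead of executing them.

# nat_chains: print the chain names from `iptables -t nat -L -v -n` output.
nat_chains() {
    awk '$1 == "Chain" { print $2 }'
}

# docker_chain_missing: exit 0 when DOCKER is absent from the chain list.
docker_chain_missing() {
    ! nat_chains | grep -qx 'DOCKER'
}

# run: execute a command, or only echo it when DRY_RUN=1 (the default).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# fix_docker_chain: a daemon restart kills running containers anyway, so stop
# them cleanly first, then restart docker so it recreates the DOCKER chain.
fix_docker_chain() {
    running=$(docker ps -q 2>/dev/null || true)
    [ -n "$running" ] && run docker stop $running
    run service docker restart
}

# Constructed samples, abridged to the shape of the post's output.
NAT_BEFORE='Chain PREROUTING (policy ACCEPT 2771 packets, 452K bytes)
 pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 2763 packets, 450K bytes)
Chain OUTPUT (policy ACCEPT 10 packets, 845 bytes)
Chain POSTROUTING (policy ACCEPT 10 packets, 845 bytes)'
NAT_AFTER="$NAT_BEFORE
Chain DOCKER (2 references)
    0     0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0"

if printf '%s\n' "$NAT_BEFORE" | docker_chain_missing; then
    echo "DOCKER chain missing from nat table, remediating (DRY_RUN=${DRY_RUN:-1})"
    fix_docker_chain
fi
```

On a real host, replace the sample with `iptables -t nat -L -v -n | docker_chain_missing` and run with DRY_RUN=0 to actually stop the containers and restart the service.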
Reference: iptables failed – No chain/target/match by that name