Preface
Ports 80, 443 and the others the services need had already been opened in firewalld on the internal-network host, yet restarting docker compose reported an error.
[root@halo /]# firewall-cmd --zone=public --add-port=9002/tcp --permanent
success
[root@halo /]# firewall-cmd --zone=public --add-port=9002/tcp --permanent
Warning: ALREADY_ENABLED: 9002:tcp
success
[root@halo /]# firewall-cmd --zone=public --add-port=9001/tcp --permanent
success
[root@halo /]# firewall-cmd --zone=public --add-port=8090/tcp --permanent
success
[root@halo /]# firewall-cmd --zone=public --add-port=5244/tcp --permanent
success
[root@halo /]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
[root@halo /]# firewall-cmd --zone=public --add-port=443/tcp --permanent
success
[root@halo /]# firewall-cmd --reload
success
Error details
Message shown after restarting docker compose
[root@halo holo]# docker-compose -f docker-compose-3.yml restart
[+] Restarting 0/3
⠹ Container nginx Restarting 0.2s
⠹ Container halo Restarting 0.2s
⠹ Container halodb Restarting 0.2s
Error response from daemon: Cannot restart container 33a878b780251e61580c7b1f93718aa08562d6f0d79fab3b21bed4744e81fab3: driver failed programming external connectivity on endpoint nginx (44c7fa55304e87bdcc1e61018ddf9e284a967b26520a3a70c830f6368b43abc3): (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 443 -j DNAT --to-destination 172.23.0.2:443 ! -i br-28e8ab381344: iptables: No chain/target/match by that name.
(exit status 1))
✘ Network holo_halo_network Error 0.0s
failed to create network holo_halo_network: Error response from daemon: Failed to Setup IP tables: Unable to enable SKIP DNAT rule: (iptables failed: iptables --wait -t nat -I DOCKER -i br-963ea509a24b -j RETURN: iptables: No chain/target/match by that name.
(exit status 1))
Then I brought the docker compose stack down
[root@halo holo]# docker-compose -f docker-compose-3.yml down
[+] Running 4/0
✔ Container halo Removed 0.0s
✔ Container nginx Removed 0.0s
✔ Container halodb Removed 0.0s
✔ Network holo_halo_network Removed
Bring the docker compose file up again
[root@halo holo]# docker-compose -f docker-compose-3.yml up -d
[+] Building 0.0s (0/0)
[+] Running 1/0
✘ Network holo_halo_network Error 0.0s
failed to create network holo_halo_network: Error response from daemon: Failed to Setup IP tables: Unable to enable SKIP DNAT rule: (iptables failed: iptables --wait -t nat -I DOCKER -i br-23bde5ba629a -j RETURN: iptables: No chain/target/match by that name.
(exit status 1))
The main part of the error message that stands out is:
iptables: No chain/target/match by that name. (exit status 1)
This message indicates that the specific chain, target or match required by the SKIP DNAT rule cannot be found in the iptables configuration, so Docker network creation fails.
Check Docker's current iptables rules
Nothing obviously wrong can be seen
[root@halo holo]# sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
OUTPUT_direct all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_trusted all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_trusted all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (1 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDI_trusted (1 references)
target prot opt source destination
FWDI_trusted_log all -- anywhere anywhere
FWDI_trusted_deny all -- anywhere anywhere
FWDI_trusted_allow all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FWDI_trusted_allow (1 references)
target prot opt source destination
Chain FWDI_trusted_deny (1 references)
target prot opt source destination
Chain FWDI_trusted_log (1 references)
target prot opt source destination
Chain FWDO_public (1 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain FWDO_trusted (1 references)
target prot opt source destination
FWDO_trusted_log all -- anywhere anywhere
FWDO_trusted_deny all -- anywhere anywhere
FWDO_trusted_allow all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FWDO_trusted_allow (1 references)
target prot opt source destination
Chain FWDO_trusted_deny (1 references)
target prot opt source destination
Chain FWDO_trusted_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_trusted all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (1 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:dynamid ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:etlservicemgr ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:8090 ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:5244 ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:https ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain IN_trusted (1 references)
target prot opt source destination
IN_trusted_log all -- anywhere anywhere
IN_trusted_deny all -- anywhere anywhere
IN_trusted_allow all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain IN_trusted_allow (1 references)
target prot opt source destination
Chain IN_trusted_deny (1 references)
target prot opt source destination
Chain IN_trusted_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
Troubleshooting
After restarting the docker service, it would no longer run
sudo systemctl restart docker
A new error: docker would no longer start at all
[root@halo holo]# sudo systemctl restart docker
Job for docker.service failed because the control process exited with error code. See "systemctl status docker.service" and "journalctl -xe" for details.
[root@halo holo]# docker ps
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
Check the docker service status
[root@halo holo]# sudo systemctl status docker
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Thu 2023-07-20 11:17:45 CST; 2min 35s ago
Docs: https://docs.docker.com
Process: 7739 ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock (code=exited, status=1/FAILURE)
Main PID: 7739 (code=exited, status=1/FAILURE)
Jul 20 11:17:43 halo systemd[1]: docker.service failed.
Jul 20 11:17:45 halo systemd[1]: docker.service holdoff time over, scheduling restart.
Jul 20 11:17:45 halo systemd[1]: Stopped Docker Application Container Engine.
Jul 20 11:17:45 halo systemd[1]: start request repeated too quickly for docker.service
Jul 20 11:17:45 halo systemd[1]: Failed to start Docker Application Container Engine.
Jul 20 11:17:45 halo systemd[1]: Unit docker.service entered failed state.
Jul 20 11:17:45 halo systemd[1]: docker.service failed.
Jul 20 11:17:45 halo systemd[1]: start request repeated too quickly for docker.service
Jul 20 11:17:45 halo systemd[1]: Failed to start Docker Application Container Engine.
Jul 20 11:17:45 halo systemd[1]: docker.service failed.
Check the logs
journalctl -xe
[root@halo holo]# journalctl -xe
Jul 20 11:25:56 halo systemd[1]: docker.service holdoff time over, scheduling restart.
Jul 20 11:25:56 halo systemd[1]: Stopped Docker Application Container Engine.
-- Subject: Unit docker.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit docker.service has finished shutting down.
Jul 20 11:25:56 halo systemd[1]: Starting Docker Application Container Engine...
-- Subject: Unit docker.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit docker.service has begun starting up.
Jul 20 11:25:57 halo dockerd[11062]: time="2023-07-20T11:25:57.043278978+08:00" level=info msg="Starting up"
Jul 20 11:25:57 halo dockerd[11062]: time="2023-07-20T11:25:57.085510310+08:00" level=info msg="[graphdriver] using prior storage driver: overlay2"
Jul 20 11:25:57 halo dockerd[11062]: time="2023-07-20T11:25:57.091769499+08:00" level=info msg="Loading containers: start."
Jul 20 11:25:57 halo dockerd[11062]: time="2023-07-20T11:25:57.117525793+08:00" level=info msg="Firewalld: docker zone already exists, returning"
Jul 20 11:25:57 halo firewalld[18165]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: ipta
Jul 20 11:25:57 halo firewalld[18165]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rul
Jul 20 11:25:57 halo firewalld[18165]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule ex
Jul 20 11:25:57 halo firewalld[18165]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: Too many links.
Jul 20 11:25:57 halo firewalld[18165]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: Too many lin
Jul 20 11:25:57 halo firewalld[18165]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/matc
Jul 20 11:25:57 halo firewalld[18165]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/matc
Jul 20 11:25:57 halo firewalld[18165]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule
Jul 20 11:25:57 halo firewalld[18165]: ERROR: ZONE_CONFLICT: 'docker0' already bound to a zone
Jul 20 11:25:57 halo dockerd[11062]: time="2023-07-20T11:25:57.310971660+08:00" level=warning msg="could not create bridge network for id e5eb8d6a41328b30a006
Jul 20 11:25:57 halo firewalld[18165]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-3a66c13d8eb6 -o br-3a66c13d8eb6 -j DROP' failed: ipt
Jul 20 11:25:57 halo dockerd[11062]: time="2023-07-20T11:25:57.351408057+08:00" level=info msg="Firewalld: interface br-3a66c13d8eb6 already part of docker zo
Jul 20 11:25:57 halo dockerd[11062]: time="2023-07-20T11:25:57.375192889+08:00" level=info msg="Firewalld: interface br-3a66c13d8eb6 already part of docker zo
Jul 20 11:25:57 halo firewalld[18165]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-4496cc55cd92 -o br-4496cc55cd92 -j DROP' failed: ipt
Jul 20 11:25:57 halo dockerd[11062]: time="2023-07-20T11:25:57.481200249+08:00" level=info msg="Firewalld: interface br-4496cc55cd92 already part of docker zo
Jul 20 11:25:57 halo dockerd[11062]: time="2023-07-20T11:25:57.503952053+08:00" level=info msg="Firewalld: interface br-4496cc55cd92 already part of docker zo
Jul 20 11:25:57 halo dockerd[11062]: time="2023-07-20T11:25:57.568605426+08:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17
Jul 20 11:25:57 halo firewalld[18165]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule
Jul 20 11:25:57 halo firewalld[18165]: ERROR: ZONE_CONFLICT: 'docker0' already bound to a zone
Jul 20 11:25:57 halo dockerd[11062]: time="2023-07-20T11:25:57.606233087+08:00" level=info msg="stopping event stream following graceful shutdown" error="<nil
Jul 20 11:25:57 halo dockerd[11062]: failed to start daemon: Error initializing network controller: Error creating default "bridge" network: Failed to program
Jul 20 11:25:57 halo systemd[1]: docker.service: main process exited, code=exited, status=1/FAILURE
Jul 20 11:25:57 halo systemd[1]: Failed to start Docker Application Container Engine.
-- Subject: Unit docker.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit docker.service has failed.
--
-- The result is failed.
Jul 20 11:25:57 halo systemd[1]: Unit docker.service entered failed state.
Jul 20 11:25:57 halo systemd[1]: docker.service failed.
Finding the problem
Earlier, apparently in order to let traffic through the docker0 virtual interface, I had added that interface to --zone=public, which caused a configuration conflict; in fact, by default the docker0 interface is already in public.
Based on the provided log, it appears that there are conflicts related to Docker's network setup and firewall configurations. The errors specifically mention issues with the "docker0" bridge network and firewall rules. Let's address these issues step by step:
Remove the offending interface
sudo firewall-cmd --zone=public --remove-interface=docker0
# [root@halo holo]# sudo firewall-cmd --zone=public --remove-interface=docker0
# success
Reload the firewall configuration
sudo firewall-cmd --reload
Check all firewall zone information
sudo firewall-cmd --list-all-zones
firewalld has 9 zones in total; the default zone on a Linux system is public.
[root@halo holo]# sudo firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: br-3a66c13d8eb6 br-4496cc55cd92
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
public (active)
target: default
icmp-block-inversion: no
interfaces: docker0
sources:
services: dhcpv6-client ssh
ports: 9002/tcp 9001/tcp 8090/tcp 5244/tcp 80/tcp 443/tcp 3306/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@halo holo]# sudo firewall-cmd --zone=public --remove-interface=docker0
success
[root@halo holo]# sudo firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: br-3a66c13d8eb6 br-4496cc55cd92
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 9002/tcp 9001/tcp 8090/tcp 5244/tcp 80/tcp 443/tcp 3306/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Locate the public zone: its interfaces: field is now empty, so it is back to the default
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 9002/tcp 9001/tcp 8090/tcp 5244/tcp 80/tcp 443/tcp 3306/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
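The check above is done by eye; as an added example (not from the original post), the shell functions below parse a `firewall-cmd --list-all-zones` listing and report any Docker bridge interface (docker0 or br-*) that is bound to a zone other than docker, which is the state behind the ZONE_CONFLICT error. The SAMPLE_ZONES listing is constructed for the example and mirrors the shape of the real output.

```shell
#!/bin/sh
# Added example, not from the original post: detect Docker bridge interfaces
# bound to the wrong firewalld zone by parsing `firewall-cmd --list-all-zones`.

# Constructed sample listing (same shape as the real command output: zone
# headers unindented, field lines indented). docker0 is wrongly bound to
# "public", exactly the situation the post ran into.
SAMPLE_ZONES='block
  target: %%REJECT%%
  interfaces:
docker (active)
  target: ACCEPT
  interfaces: br-3a66c13d8eb6 br-4496cc55cd92
  masquerade: no
public (active)
  target: default
  interfaces: docker0
  ports: 80/tcp 443/tcp
trusted
  target: ACCEPT
  interfaces:
'

# Print "<interface> <zone>" for every interface bound to any zone.
# Usage: interface_bindings "$listing"
interface_bindings() {
    printf '%s\n' "$1" | awk '
        # A non-empty line without a colon is a zone header, e.g. "public (active)";
        # every field line ("interfaces: ...", "ports: ...") contains a colon.
        NF > 0 && $0 !~ /:/ { zone = $1; next }
        /^ *interfaces:/ {
            for (i = 2; i <= NF; i++) print $i, zone
        }'
}

# Print the zone a given interface is bound to (empty if it is unbound).
# Usage: zone_of_interface "$listing" docker0
zone_of_interface() {
    interface_bindings "$1" | awk -v want="$2" '$1 == want { print $2; exit }'
}

# Print "<interface> <zone>" for Docker-managed interfaces (docker0, br-*)
# that are NOT in the docker zone, i.e. candidates for ZONE_CONFLICT.
# Usage: misbound_docker_ifaces "$listing"
misbound_docker_ifaces() {
    interface_bindings "$1" | awk '
        ($1 == "docker0" || $1 ~ /^br-/) && $2 != "docker" { print $1, $2 }'
}

# Offline demonstration on the constructed listing; prints "docker0 public".
misbound_docker_ifaces "$SAMPLE_ZONES"

# On a live host, feed the real listing to the same function (needs root):
# misbound_docker_ifaces "$(firewall-cmd --list-all-zones)"
```

An empty result means no Docker bridge is bound outside the docker zone, which matches the cleaned-up public zone shown above.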
Restart the docker service; it now runs normally
[root@halo holo]# sudo systemctl restart docker
[root@halo holo]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
86c8dc315351 xhofe/alist:v3.20.1 "/entrypoint.sh" 2 weeks ago Up 2 seconds 0.0.0.0:5244->5244/tcp, :::5244->5244/tcp, 5245/tcp alist
0e3faaff30a9 portainer/portainer-ce "/portainer" 2 weeks ago Up 2 seconds 0.0.0.0:8000->8000/tcp, :::8000->8000/tcp, 9443/tcp, 0.0.0.0:9001->9000/tcp, :::9001->9000/tcp portainer
Solution
After enabling the firewall, the Docker environment cannot reach the public internet (Tencent Lighthouse server)
After enabling the firewall on CentOS 7, Docker may be blocked from accessing the network. For Docker to work properly, you need to make sure the firewall rules are configured correctly so that Docker's traffic is allowed through.
Confirm Docker's default bridge: on CentOS, Docker uses a bridge named docker0 by default. Make sure it has been created correctly and is up.
Command
ip link show docker0
Status
[root@halo holo]# ip link show docker0
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 02:42:d9:3f:a9:c9 brd ff:ff:ff:ff:ff:ff
If the bridge does not exist or its state shows DOWN, you can bring it up (it is up by default):
sudo ip link set dev docker0 up
List all opened ports
sudo firewall-cmd --list-all
[root@halo holo]# sudo firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'docker' (see --get-active-zones)
You most likely need to use --zone=docker option.
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 9002/tcp 9001/tcp 8090/tcp 5244/tcp 80/tcp 443/tcp 3306/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Add Docker firewall rules
To allow Docker traffic through the firewall: the first command enables network address translation (masquerade) in the public zone, which Docker containers need in order to reach the internet; the second adds the docker0 interface to the trusted zone, which allows Docker containers to communicate with the host.
sudo firewall-cmd --zone=public --add-masquerade --permanent
sudo firewall-cmd --zone=trusted --add-interface=docker0 --permanent
# [root@halo holo]# sudo firewall-cmd --zone=docker --add-masquerade --permanent
# success
# [root@halo holo]# sudo firewall-cmd --zone=docker --add-interface=docker0 --permanent
# Error: ZONE_CONFLICT: docker0
Reload the firewall rules
After adding the rules, reload the firewall so they take effect
sudo firewall-cmd --reload
Restart the Docker service
Restart the Docker service to apply the new firewall rules
[root@halo holo]# sudo systemctl restart docker
[root@halo holo]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
86c8dc315351 xhofe/alist:v3.20.1 "/entrypoint.sh" 2 weeks ago Up 4 seconds 0.0.0.0:5244->5244/tcp, :::5244->5244/tcp, 5245/tcp alist
0e3faaff30a9 portainer/portainer-ce "/portainer" 2 weeks ago Up 4 seconds 0.0.0.0:8000->8000/tcp, :::8000->8000/tcp, 9443/tcp, 0.0.0.0:9001->9000/tcp, :::9001->9000/tcp portainer
Watch the logs to check that the Docker daemon starts without any errors
sudo journalctl -u docker
Use with caution
Remove any existing bridge networks to reset Docker's network configuration
docker network prune
Completely reset Docker's network settings
sudo service docker stop
sudo ip link del docker0 # Delete the docker0 interface
sudo service docker start