docker fails with "iptables: No chain/target/match by that name"

When I try to publish a container port to the host, docker fails to add the iptables rule.

$ sudo docker run --rm -p 8080:80 nginx
docker: Error response from daemon: driver failed programming external 
connectivity on endpoint:

iptables failed:
  iptables --wait -t nat -A DOCKER -p tcp -d 0/0
           --dport 8080 -j DNAT --to-destination 172.17.0.2:80 ! -i docker0

 iptables: No chain/target/match by that name. (exit status 1)).

What confuses me is that a DOCKER chain appears to exist, here:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

...and here:

$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        anywhere            
MASQUERADE  all  --  172.18.0.0/16        anywhere            

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Possibly related: ip a shows docker0 as down:

$ ip a
...
74: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:01:52:de:7d brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

I tried stopping docker, deleting the broken docker0 device, and starting docker again. Same error:

sudo systemctl stop docker.service
sudo ip link del docker0
sudo systemctl start docker.service

ip a still shows docker0 as down, and running sudo docker run --rm -p 8080:80 nginx still produces the error message shown above.

System information:

$ docker --version
Docker version 18.05.0-ce, build f150324782

$ uname -a
Linux amd8-arch 4.16.7-1-ARCH #1 SMP PREEMPT Wed May 2 21:12:36 UTC 2018 x86_64 GNU/Linux

I am running Arch Linux.

Answer 1

Docker 18.05.0-ce is the first version to adopt the following networking feature:

Updated libnetwork to improve the scalability of bridge network isolation rules. moby/moby#36774

With this feature, the chain DOCKER-ISOLATION in the iptables filter table is replaced by DOCKER-ISOLATION-STAGE-1 and DOCKER-ISOLATION-STAGE-2.

See the release notes for 18.05.0-ce.
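As an added example (not part of the original question or answer), here is a small POSIX shell check that reads an `iptables -S -t TABLE` or `iptables-save` dump and reports which of the chains Docker 18.05+ expects are missing from each table, and whether the pre-18.05 `DOCKER-ISOLATION` chain is still present. The two sample dumps embedded below are constructed for the demo (the nat one mirrors the listing in the question); the `--live` mode assumes `iptables` is installed and the script runs as root.

```shell
#!/bin/sh
# Added example: verify that the iptables chains Docker 18.05+ expects exist.
# Reads dumps in the format of `iptables -S -t TABLE` ("-N NAME") or
# `iptables-save` (":NAME - [0:0]").

# Chains Docker 18.05+ creates per table. The two STAGE chains replaced the
# single DOCKER-ISOLATION chain in the filter table (see the answer above).
FILTER_CHAINS="DOCKER DOCKER-USER DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2"
NAT_CHAINS="DOCKER"
LEGACY_CHAINS="DOCKER-ISOLATION"

# chain_defined NAME DUMP -> true if DUMP declares chain NAME
chain_defined() {
    printf '%s\n' "$2" | grep -qE "^(-N |:)$1( |$)"
}

# missing_chains "LIST" DUMP -> prints the chains in LIST that DUMP lacks, one per line
missing_chains() {
    for c in $1; do
        chain_defined "$c" "$2" || printf '%s\n' "$c"
    done
}

# present_chains "LIST" DUMP -> prints the chains in LIST that DUMP defines
present_chains() {
    for c in $1; do
        chain_defined "$c" "$2" && printf '%s\n' "$c"
    done
}

# check_table TABLE DUMP -> returns 0 if every expected chain exists, 1 otherwise
check_table() {
    case "$1" in
        filter) want=$FILTER_CHAINS ;;
        nat)    want=$NAT_CHAINS ;;
        *) echo "unknown table: $1" >&2; return 2 ;;
    esac
    missing=$(missing_chains "$want" "$2")
    stale=$(present_chains "$LEGACY_CHAINS" "$2")
    [ -n "$stale" ] && echo "$1: stale pre-18.05 chain(s) still defined: $(echo $stale)"
    if [ -n "$missing" ]; then
        echo "$1: missing chain(s): $(echo $missing)"
        return 1
    fi
    echo "$1: all expected Docker chains present"
}

# Constructed sample dumps (not captured from a real host).
# nat: equivalent to the `iptables -L -t nat` listing in the question.
SAMPLE_NAT='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN'
# filter: a host that still carries the pre-18.05 layout (no STAGE chains).
SAMPLE_FILTER_OLD='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION'

if [ "$1" = "--live" ]; then
    # Check the real kernel tables; exit status reports the result.
    rc=0
    for t in filter nat; do
        check_table "$t" "$(iptables -S -t "$t")" || rc=1
    done
    exit $rc
else
    # Demo on the constructed dumps; the filter sample is meant to fail.
    check_table nat "$SAMPLE_NAT"
    check_table filter "$SAMPLE_FILTER_OLD" || true
fi
```

Run it with `sudo sh check-docker-chains.sh --live` on the affected host; without `--live` it only exercises the constructed samples. Note that the question's own nat listing already shows a DOCKER chain, so a missing chain is not the only thing "No chain/target/match by that name" can mean: iptables also prints it when a match extension named in the rule (here `-p tcp --dport` and `-m addrtype`) cannot be loaded, which the chain check above does not cover.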
