컨테이너의 포트를 호스트에 게시하려고 하면 docker가 iptables 규칙을 추가하지 못합니다.
$ sudo docker run --rm -p 8080:80 nginx
docker: Error response from daemon: driver failed programming external
connectivity on endpoint:
iptables failed:
iptables --wait -t nat -A DOCKER -p tcp -d 0/0
--dport 8080 -j DNAT --to-destination 172.17.0.2:80 ! -i docker0
iptables: No chain/target/match by that name. (exit status 1)).
나를 혼란스럽게 하는 것은 다음과 같은 DOCKER체인이 존재하는 것 같다는 것입니다.
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
...그리고 여기:
$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE all -- 172.18.0.0/16 anywhere
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
어쩌면 관련이 있을 수도 있습니다: ip a디스플레이가 docker0꺼져 있습니다:
$ ip a
...
74: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:01:52:de:7d brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
도커를 중지하고 손상된 docker0장치를 제거한 후 도커를 다시 시작해 보았습니다. 같은 오류:
sudo systemctl stop docker.service
sudo ip link del docker0
sudo systemctl start docker.service
ip a여전히 docker0하락세를 보이고 있습니다. 실행 시에도 sudo docker run --rm -p 8080:80 nginx
위와 같은 오류 메시지가 나타납니다 .
시스템 메시지:
$ docker --version
Docker version 18.05.0-ce, build f150324782
$ uname -a
Linux amd8-arch 4.16.7-1-ARCH #1 SMP PREEMPT Wed May 2 21:12:36 UTC 2018 x86_64 GNU/Linux
저는 아치 리눅스를 사용하고 있습니다.
답변1
Docker 18.05.0-ce는 다음 네트워킹 기능을 채택한 첫 번째 버전입니다.
브리지 네트워크 격리 규칙의 확장성을 개선하기 위해 libnetwork를 업데이트했습니다. 모비/모비#36774
이 함수에서는 체인도커 격리iptable 필터 테이블의 내용은 다음으로 대체됩니다.Docker 격리 1단계그리고Docker 격리 2단계.
릴리스 로그 보기18.05.0-CE.