解决 -i docker0: iptables: No chain/target/match by that name.

异常问题

[root@centos docker]# docker run -d -v /www/registry:/var/lib/registry -p 5000:5000 --restart=always --name registry registry:latest
76b76ed7493328503f1670a079f2e96568e0ec9027ccff4846a911db710e5770
docker: Error response from daemon: driver failed programming external connectivity on endpoint registry (3ab8c17e8bbbec5393fd6dcaf8a3f0972458440c064c5afa137d6010b2726404): iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 5000 -j DNAT --to-destination 172.17.0.2:5000 ! -i docker0: iptables: No chain/target/match by that name.
 (exit status 1).

问题分析

通过分析异常信息，发现是因为在进行原地址到目标地址转换的时候没有在docker主机的iptables规则中找到nat表规则，只有filter表规则。

问题解决

增加nat表配置规则需要说明的是docker容器的网段是172.17.0.0/16，另外需要注意filter表中也要有docker链的相关配置。

$ vi /etc/sysconfig/iptables
# sample configuration for iptables service  
# you can edit this manually or use system-config-firewall  
# please do not ask us to add additional ports/services to this default configuration  
*nat  
:PREROUTING ACCEPT [27:11935]  
:INPUT ACCEPT [0:0]  
:OUTPUT ACCEPT [0:0]  
:POSTROUTING ACCEPT [0:0]  
:DOCKER -[0:0]  
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER  
-A OUTPUT !-d 127.0.0.0/8-m addrtype --dst-type LOCAL -j DOCKER  
-A POSTROUTING -s 172.17.0.0/16!-o docker0 -j MASQUERADE  
COMMIT  

*filter  
:INPUT ACCEPT [0:0]  
:FORWARD ACCEPT [0:0]  
:OUTPUT ACCEPT [0:0]  
:DOCKER -[0:0]  
-A FORWARD -o docker0 -j DOCKER  
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT  
-A FORWARD -i docker0 !-o docker0 -j ACCEPT  
-A FORWARD -i docker0 -o docker0 -j ACCEPT  
.....

-i docker0: iptables: No chain/target/match by that name.

解决 -i docker0: iptables: No chain/target/match by that name.

异常问题

问题分析

问题解决

results matching ""

No results matching ""