Fixing "-i docker0: iptables: No chain/target/match by that name."
Symptom
[root@centos docker]# docker run -d -v /www/registry:/var/lib/registry -p 5000:5000 --restart=always --name registry registry:latest
76b76ed7493328503f1670a079f2e96568e0ec9027ccff4846a911db710e5770
docker: Error response from daemon: driver failed programming external connectivity on endpoint registry (3ab8c17e8bbbec5393fd6dcaf8a3f0972458440c064c5afa137d6010b2726404): iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 5000 -j DNAT --to-destination 172.17.0.2:5000 ! -i docker0: iptables: No chain/target/match by that name.
(exit status 1).
Analysis
The failing command is the one dockerd runs to publish the port: iptables -t nat -A DOCKER ... -j DNAT --to-destination 172.17.0.2:5000. "No chain/target/match by that name" means the chain that -A appends to, DOCKER in the nat table, does not exist on the host. Dumping the ruleset confirms it: the nat table holds no Docker chains or rules at all, only the filter table still has them. dockerd creates these chains when it starts, and they are lost whenever the ruleset is flushed or reloaded afterwards, which is typically what service iptables restart, iptables -t nat -F, or a reload of an /etc/sysconfig/iptables that lacks the Docker rules does.
Fix
Add the nat table rules to the persistent ruleset so that reloading the iptables service no longer drops them. Note that 172.17.0.0/16 is the default subnet of the Docker bridge (adjust it if the daemon is configured with a different bip), and that the filter table must also keep the DOCKER chain together with the FORWARD rules that send traffic into it. Two things worth checking first: systemctl restart docker recreates the missing chains immediately and is the quickest way to confirm the diagnosis; and published ports are handled in PREROUTING/FORWARD through the DOCKER chain, so INPUT rules in the filter table do not restrict them. If the registry should only be reachable from the host itself, publish it on loopback with -p 127.0.0.1:5000:5000 instead of -p 5000:5000.
$ vi /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
.....
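An added check for this situation (example script written for this page, not part of the original post or of Docker): it reads an iptables-save dump, compares it against the chains and rules dockerd installs for its default bridge (the same ones listed in the configuration above), and prints the iptables commands that would recreate whatever is missing. The subnet 172.17.0.0/16 and the interface docker0 are the defaults and are assumed; the two dumps embedded in the script are constructed, one reproducing the broken state described here (filter rules present, nat table gone) and one matching the repaired configuration. The comparison is textual, so rules must be spelled the way iptables-save prints them (spaces around "!"). Per-container DNAT rules inside the DOCKER chain are not checked, since dockerd regenerates those itself once the chain exists.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump for
# the chains and rules dockerd installs for its default bridge, and print the
# iptables commands that would recreate whatever is missing.
# Assumptions: default bridge subnet 172.17.0.0/16 and interface docker0.

DOCKER_SUBNET="${DOCKER_SUBNET:-172.17.0.0/16}"
BRIDGE="${BRIDGE:-docker0}"

# The rules from the configuration above, in iptables-save's canonical
# spelling (note the spaces around "!"), each prefixed with its table.
required_rules() {
    cat <<EOF
nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
nat -A POSTROUTING -s $DOCKER_SUBNET ! -o $BRIDGE -j MASQUERADE
filter -A FORWARD -o $BRIDGE -j DOCKER
filter -A FORWARD -o $BRIDGE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
filter -A FORWARD -i $BRIDGE ! -o $BRIDGE -j ACCEPT
filter -A FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT
EOF
}

# audit_dump: reads iptables-save output on stdin and prints one iptables
# command per missing chain or rule. No output means everything is present.
audit_dump() {
    req=$(mktemp) || return 1
    required_rules > "$req"
    awk -v req="$req" '
        FILENAME != req {
            # First input (stdin): the dump. Track the current table and
            # remember every declared chain and every -A rule in it.
            if ($0 ~ /^\*/) { table = substr($0, 2); next }
            if ($0 ~ /^:/)  { chain[table " " substr($1, 2)] = 1; next }
            if ($0 ~ /^-A /) { rule[table " " $0] = 1 }
            next
        }
        {
            # Second input: "<table> <rule>" lines from required_rules.
            tbl = $1
            r = substr($0, length(tbl) + 2)
            if (!((tbl " DOCKER") in chain) && !(warned[tbl]++))
                print "iptables -t " tbl " -N DOCKER"
            if (!((tbl " " r) in rule))
                print "iptables -t " tbl " " r
        }' - "$req"
    rm -f "$req"
}

# Constructed sample reproducing the broken state from the post: the filter
# table still carries the Docker rules, but the nat table is gone entirely.
BROKEN_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT'

# Constructed sample of a healthy ruleset: the repaired configuration above.
HEALTHY_DUMP="*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
$BROKEN_DUMP"

case "${1:-}" in
    --demo) printf '%s\n' "$BROKEN_DUMP" | audit_dump ;;   # shows the 4 repair commands
    --live) iptables-save | audit_dump ;;                  # needs root on the Docker host
esac
```

Run it with --demo to see the four commands the broken dump needs (create the nat DOCKER chain, then the three nat rules); run it with --live on the affected host, review the output, and either execute it or restart dockerd, which installs the same rules. Rules printed by --live should then be written into /etc/sysconfig/iptables as shown above so the next reload of the iptables service does not remove them again.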