Docker networking not working: docker: Error response from daemon: failed to create endpoint jovial_wing on network b
2017-03-14 17:21
When starting a container you may run into the following error, for example when starting a Redis container with a published port:
sudo docker run -d -p 6379:6379 --name redis redis:latest
docker: Error response from daemon: failed to create endpoint redis on network bridge: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 10.211.55.9 --dport 6379 -j DNAT --to-destination 172.17.0.4:6379 ! -i docker0: iptables: No chain/target/match by that name.
(exit status 1).
The command quoted in the error is the one Docker runs to program the published port: a DNAT rule appended to the DOCKER chain of the nat table, mapping 10.211.55.9:6379 on the host to 172.17.0.4:6379 in the container. "No chain/target/match by that name" means that chain does not exist: the host's iptables ruleset contains only filter-table rules and no nat-table rules at all. The usual way to end up here on CentOS/RHEL is restarting the iptables service after dockerd is already running: the service flushes every table and loads /etc/sysconfig/iptables, so the chains Docker created when it started are gone.
The fix is to add a nat table, with Docker's chain and the jumps into it, in front of the filter table in the saved ruleset. Two things to note: the container network used here is 172.17.0.0/16 on the bridge docker0 (Docker's defaults; adjust them if yours differ), and the filter table also needs the DOCKER chain plus the FORWARD jump into it. A published port is reached through the DNAT in PREROUTING and then the FORWARD chain, so it is the filter-table DOCKER chain, which Docker fills with an ACCEPT per published port, that admits the traffic; the INPUT rule for port 6379 below only matters for a Redis listening on the host itself.
sudo vi /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
#
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9090 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6379 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Restart iptables:
sudo systemctl restart iptables.service
Then start the container again with the same docker run command as before. Restarting the Docker daemon (sudo systemctl restart docker) would also recreate the missing chains, but only keeping them in /etc/sysconfig/iptables stops the next iptables restart from removing them again.
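As an added example (not code from the original post), here is a small POSIX shell script that checks a saved ruleset in iptables-save format, such as /etc/sysconfig/iptables, for the nat-table and filter-table objects the fix above relies on, so you can validate the file before restarting iptables and re-running the container. The two sample dumps inside it are constructed to mirror the broken and repaired states described above; the subnet 172.17.0.0/16 and the bridge name docker0 are the defaults assumed on this page.

```shell
#!/bin/sh
# check_docker_chains.sh: added example, not code from the original post.
# Checks an iptables-save-format dump (/etc/sysconfig/iptables, or the output
# of `iptables-save` redirected to a file) for the objects Docker needs before
# it can program a "-p HOST:CONTAINER" mapping: the DOCKER chain in the nat
# table (where the DNAT rule from the error message is appended), the
# PREROUTING/OUTPUT jumps into it, the MASQUERADE for outbound container
# traffic, and the DOCKER chain in the filter table reached from FORWARD.
# 172.17.0.0/16 and docker0 are the defaults from the page; change them if
# your bridge differs.

# Print the lines of one table: everything between "*<table>" and its COMMIT.
table_section() {
    awk -v tbl="*$2" '$0 == tbl { in_tbl = 1; next } /^COMMIT/ { in_tbl = 0 } in_tbl' "$1"
}

# Return 0 if every required line is present in the dump given as $1;
# otherwise print each missing line (prefixed with its table) and return 1.
check_docker_chains() {
    dump="$1"
    missing=0
    # Required entries as "<table>|<exact rule line>"; -x makes grep match the
    # whole line so "-j DOCKER" cannot be satisfied by "-j DOCKER-USER".
    while IFS='|' read -r table rule; do
        if ! table_section "$dump" "$table" | grep -qxF -- "$rule"; then
            echo "$table table: missing '$rule'"
            missing=1
        fi
    done <<EOF
nat|:DOCKER - [0:0]
nat|-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
nat|-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
nat|-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
filter|:DOCKER - [0:0]
filter|-A FORWARD -o docker0 -j DOCKER
EOF
    return "$missing"
}

# Constructed sample dumps (not captured from a real host).  SAMPLE_BROKEN is
# the state behind the error: a filter table only, no nat table at all.
SAMPLE_BROKEN=$(mktemp)
cat > "$SAMPLE_BROKEN" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# SAMPLE_FIXED is the repaired ruleset from the page without the per-port
# INPUT rules, which play no part in reaching a published container port.
SAMPLE_FIXED=$(mktemp)
cat > "$SAMPLE_FIXED" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# With a file argument, check that file; with none, demonstrate on the samples.
if [ "$#" -gt 0 ]; then
    check_docker_chains "$1"
else
    echo "== broken sample =="
    check_docker_chains "$SAMPLE_BROKEN" || echo "-> add the nat table and DOCKER chains, then restart iptables"
    echo "== fixed sample =="
    check_docker_chains "$SAMPLE_FIXED" && echo "-> OK: Docker can program -p mappings against this ruleset"
fi
```

On a live host, run `iptables-save > /tmp/rules.dump && sh check_docker_chains.sh /tmp/rules.dump` to see whether the running ruleset still has Docker's chains, or point the script at /etc/sysconfig/iptables to validate the file before restarting the service. Every line it reports as missing is one that either the DNAT rule in the error message or the forwarded traffic to the container depends on.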