在CentOS 7上將主機埠與容器埠映射時可能遇到無法訪問容器服務的問題,涉及到firewalld的配置。 ...
在CentOS 7上當我們以類似下列命令將主機埠與容器埠映射時可能遇到無法訪問容器服務的問題
docker run --name web_a -p 192.168.1.250:803:80 -d web_a:beta1.0.0 .
由於docker在執行此命令時,是向iptables註入了一條規則將主機803映射到容器80埠,但是CentOS 7中以firewalld服務替代了iptables。因此,上述命令的埠映射不會生效。
解決方法:首先觀察一下主機上的網卡信息,確認增加了一個docker0的虛擬網卡:
[root@localhost /home]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:5cff:fe0e:82f9 prefixlen 64 scopeid 0x20<link>
ether 02:42:5c:0e:82:f9 txqueuelen 0 (Ethernet)
RX packets 1288 bytes 1561177 (1.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1594 bytes 108755 (106.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.250 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::76f4:9aea:4973:ec6c prefixlen 64 scopeid 0x20<link>
inet6 240e:379:542:2800:8844:77ba:78dd:7 prefixlen 128 scopeid 0x0<global>
inet6 240e:379:542:2811:3ead:218:ba68:38e6 prefixlen 64 scopeid 0x0<global>
ether 74:d4:35:09:93:19 txqueuelen 1000 (Ethernet)
RX packets 10166908 bytes 1221399579 (1.1 GiB)
RX errors 0 dropped 3014 overruns 0 frame 0
TX packets 982334 bytes 427296782 (407.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 18
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1833650 bytes 450567722 (429.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1833650 bytes 450567722 (429.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethecef228: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::f425:f1ff:fe82:9c19 prefixlen 64 scopeid 0x20<link>
ether f6:25:f1:82:9c:19 txqueuelen 0 (Ethernet)
RX packets 234 bytes 1520113 (1.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 613 bytes 39809 (38.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
使用如下命令確認容器實例得到的虛擬ip:
docker inspect web_a
假設容器中的ip為172.17.0.2,接下來我們要為此IP做個NAT轉發規則,並讓firewalld服務處理此規則:
#主機埠請求轉發到容器(容器中的服務不要監聽localhost而要監聽容器分配的虛擬IP或者以0.0.0.0替代) firewall-cmd --permanent --zone=public --add-masquerade 啟用埠NAT轉發 #將主機803埠請求轉發到容器上的80埠 firewall-cmd --add-forward-port=port=803:proto=tcp:toaddr=172.17.0.2:toport=80 --permanent #重載規則 firewall-cmd --reload #列出所有規則 firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: enp2s0 sources: services: ssh dhcpv6-client ports: 3306/tcp 80/tcp 21/tcp 5000/tcp 6379/tcp 900/tcp 801/tcp 802/tcp 6000/tcp 5002/tcp 90/tcp 9092/tcp 81/tcp 803/tcp protocols: masquerade: yes forward-ports: port=803:proto=tcp:toport=80:toaddr=172.17.0.2 source-ports: icmp-blocks: rich rules:
#重新啟動docker systemctl restart docker #重新啟動容器 docker start web_a
經上述操作,就能以主機IP:803訪問容器上的80埠的服務,並不需要關閉firewalld(很多網上的結論是換成iptables服務,實測不需要)。
