Some IPv6 and firewall problems on CentOS 7

A few problems hit while learning Docker.

(1) When IPv6 is enabled and a container is started with a port mapping that gives no host address, Docker publishes the port on the IPv6 wildcard; it shows up as :::80 in docker ps and in ss -lntp. That socket is dual-stack and still accepts IPv4 clients, and IPv4 traffic is DNATed by the kernel before it ever reaches docker-proxy, so the service is not actually broken, but the listing is confusing. The fix used here is to turn IPv6 off on CentOS 7 by adding ipv6.disable=1 to the kernel command line.

[root@k8s ~]# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="vconsole.keymap=us crashkernel=auto vconsole.font=latarcyrheb-sun16 rhgb quiet"
GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"

After the change:

[root@k8s ~]# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="vconsole.keymap=us crashkernel=auto vconsole.font=latarcyrheb-sun16 rhgb quiet"
GRUB_CMDLINE_LINUX="ipv6.disable=1 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"

Then regenerate the GRUB configuration and reboot:

grub2-mkconfig -o /boot/grub2/grub.cfg
reboot

Three things worth checking. The file is sourced as shell by grub2-mkconfig, so when it carries two GRUB_CMDLINE_LINUX= lines, as this one does, only the last one takes effect; that is the line the flag has to go on. On a UEFI install of CentOS 7 the file GRUB actually reads is /boot/efi/EFI/centos/grub.cfg, not /boot/grub2/grub.cfg. After the reboot, cat /proc/cmdline should show ipv6.disable=1 and /proc/net/if_inet6 should no longer exist. Note that ipv6.disable=1 keeps the IPv6 module from loading at all, so there is no ::1 and AF_INET6 sockets cannot be created, which upsets some daemons; setting net.ipv6.conf.all.disable_ipv6=1 with sysctl removes the addresses but leaves the module loaded, and is the gentler option when that matters.
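The same change as a script, added here as an example and not part of the original post: it adds a kernel argument to a GRUB defaults file idempotently (on the line that actually wins), chooses the grub.cfg path for BIOS versus UEFI, and carries a post-reboot check. It assumes bash with GNU grep and sed as shipped on CentOS 7; the function names, the --apply switch and the trimmed sample file are my own.

```shell
#!/bin/bash
# Added example, not from the original post: put ipv6.disable=1 on the kernel
# command line the way the post does, but idempotently and with the checks a
# reboot-time change deserves. Assumes bash plus GNU grep/sed (CentOS 7).
set -eu

# effective_cmdline FILE
# /etc/default/grub is sourced as shell by grub2-mkconfig, so when the file
# carries two GRUB_CMDLINE_LINUX= lines (as the post's does) the LAST one wins.
effective_cmdline() {
    grep '^GRUB_CMDLINE_LINUX=' "$1" | tail -n 1 \
        | sed 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/'
}

# add_kernel_arg FILE ARG
# Prepend ARG to the effective GRUB_CMDLINE_LINUX line unless already present.
add_kernel_arg() {
    file=$1; arg=$2
    # Whole-word match inside the quotes, so "ipv6.disable=1" is never added twice.
    if grep -Eq "^GRUB_CMDLINE_LINUX=\"([^\"]* )?$arg( [^\"]*)?\"" "$file"; then
        return 0
    fi
    last=$(grep -n '^GRUB_CMDLINE_LINUX=' "$file" | tail -n 1 | cut -d: -f1)
    cur=$(effective_cmdline "$file")
    new="GRUB_CMDLINE_LINUX=\"$arg${cur:+ $cur}\""
    if [ -z "$last" ]; then
        printf '%s\n' "$new" >> "$file"          # no line yet: append one
    else
        sed "${last}s|.*|$new|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    fi
}

# grub_cfg_path: grub2-mkconfig must write the file GRUB really reads, which
# differs between BIOS and UEFI installs of CentOS 7.
grub_cfg_path() {
    if [ -d /sys/firmware/efi ]; then
        echo /boot/efi/EFI/centos/grub.cfg
    else
        echo /boot/grub2/grub.cfg
    fi
}

# ipv6_is_off: after the reboot, the stack is gone when the kernel exposes no
# IPv6 interface table and the flag is on the running command line.
ipv6_is_off() {
    [ ! -e /proc/net/if_inet6 ] && grep -qw 'ipv6.disable=1' /proc/cmdline
}

# Demo on a constructed, trimmed copy of the post's /etc/default/grub
# (a temp file, not the live one).
demo=$(mktemp)
cat > "$demo" <<'EOF'
GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_CMDLINE_LINUX="vconsole.keymap=us crashkernel=auto rhgb quiet"
GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
EOF
add_kernel_arg "$demo" ipv6.disable=1
add_kernel_arg "$demo" ipv6.disable=1        # second call is a no-op
echo "effective: $(effective_cmdline "$demo")"
rm -f "$demo"

# Real run (as root): edit the live file, regenerate, reboot, then ipv6_is_off.
if [ "${1:-}" = "--apply" ]; then
    add_kernel_arg /etc/default/grub ipv6.disable=1
    grub2-mkconfig -o "$(grub_cfg_path)"
fi
```

Run it with no arguments to see the edit on the sample file; run it as root with --apply to change the live file, then reboot and call ipv6_is_off to confirm.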

(2) When running a container that publishes a port to the outside, you may hit this:

docker run -d -p 80:80 --name firstweb nginx

fails with:

iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 80 -j DNAT --to-destination 192.168.0.2:80 ! -i docker0: iptables: No chain/target/match by that name.

This is a firewall problem. Port publishing is implemented with NAT: dockerd appends a DNAT rule to its own DOCKER chain in the nat table, and that chain is what iptables reports as missing. dockerd creates the chain when it starts, so the usual way to lose it on CentOS 7 is a firewalld restart or firewall-cmd --reload (or a plain iptables flush) that rebuilt the ruleset after Docker was already up. The fix is to bring the chains back by rebuilding the docker0 network.

First verify that a container can ping the host. If it can, the network can be rebuilt as follows. Stop the running containers, then on the host:

1. pkill docker
2. iptables -t nat -F  (note: this flushes every nat rule, not only Docker's)
3. ifconfig docker0 down
4. brctl delbr docker0  (brctl comes from bridge-utils: yum install bridge-utils)
5. systemctl restart docker  (the original notes also listed "docker -d", the old way of starting the daemon in the foreground; it is unnecessary when systemd restarts the service, and the flag no longer exists in current releases)
6. /usr/sbin/iptables-save > /etc/sysconfig/iptables  to persist the rules (only meaningful when the iptables service, not firewalld, owns the ruleset)

Restarting dockerd recreates docker0 together with the DOCKER chains and the jumps into them in both the nat and the filter table.
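An added example, not from the original post: a check that reads an iptables-save dump and reports which of Docker's chains and jumps are missing, so the "No chain/target/match by that name" error can be confirmed before anything is torn down, plus the recovery sequence above wrapped in a function that only runs with --apply (using ip instead of ifconfig/brctl, and systemctl instead of docker -d). The two dumps it runs on are constructed, not captured: one is trimmed from the iptables-save output in this post, the other is the shape a firewalld reload leaves behind. Function names and the --apply switch are my own.

```shell
#!/bin/bash
# Added example, not from the original post. Checks an iptables-save dump for
# the chains and jumps dockerd installs (the ones a firewalld reload removes),
# so "No chain/target/match by that name" can be confirmed before rebuilding
# docker0, and wraps the post's recovery steps behind "--apply".
set -eu

# table_section DUMPFILE TABLE: the lines between "*TABLE" and its COMMIT.
table_section() {
    awk -v t="*$2" '$0 == t { p = 1; next } /^COMMIT/ { p = 0 } p' "$1"
}

# docker_chain_status DUMPFILE
# Prints "ok <item>" or "MISSING <item>" for each item Docker needs;
# returns non-zero if anything is missing.
docker_chain_status() {
    nat=$(table_section "$1" nat)
    filter=$(table_section "$1" filter)
    missing=0
    # "<table>|<regex>|<description>"; the nat DOCKER chain is the target the
    # failing "-A DOCKER ... -j DNAT" rule in the error message could not find.
    for item in \
        "nat|^:DOCKER |nat DOCKER chain (target of the -A DOCKER ... -j DNAT rule)" \
        "nat|^-A PREROUTING .*-j DOCKER\$|nat PREROUTING -> DOCKER (inbound published ports)" \
        "nat|^-A POSTROUTING .*! -o docker0 -j MASQUERADE\$|nat MASQUERADE for container egress" \
        "filter|^:DOCKER |filter DOCKER chain" \
        "filter|^-A FORWARD .*-j DOCKER\$|filter FORWARD -> DOCKER (per-port ACCEPT rules)"
    do
        table=${item%%|*}; rest=${item#*|}
        regex=${rest%%|*};  desc=${rest#*|}
        if [ "$table" = nat ]; then text=$nat; else text=$filter; fi
        if printf '%s\n' "$text" | grep -Eq "$regex"; then
            echo "ok      $desc"
        else
            echo "MISSING $desc"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed dumps (temp files, not captured from a live host): "healthy" is
# trimmed from the post's iptables-save output; "broken" is what is left after
# "systemctl restart firewalld" / "firewall-cmd --reload" rebuilt the ruleset
# without Docker's chains.
healthy=$(mktemp); broken=$(mktemp)
cat > "$healthy" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 192.168.0.0/20 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
COMMIT
EOF
cat > "$broken" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# docker_recover: the post's sequence, with "ip" in place of ifconfig/brctl
# (no bridge-utils needed) and systemctl in place of the removed "docker -d".
docker_recover() {
    docker ps -q | xargs -r docker stop      # nothing may hold docker0 or its DNAT rules
    systemctl stop docker
    iptables -t nat -F                       # CAUTION: flushes every nat rule, not only Docker's
    ip link set docker0 down
    ip link delete docker0                   # same effect as "brctl delbr docker0"
    systemctl start docker                   # dockerd recreates docker0 and its chains
    iptables-save > /etc/sysconfig/iptables  # only if the iptables service, not firewalld, owns the rules
}

echo "== healthy dump";           docker_chain_status "$healthy" || true
echo "== after firewalld reload"; docker_chain_status "$broken"  || true
rm -f "$healthy" "$broken"
if [ "${1:-}" = "--apply" ]; then docker_recover; fi
```

On a live host, feed it the real ruleset with iptables-save > /tmp/rules && docker_chain_status /tmp/rules; if only the nat items are missing, a restart of the docker service alone usually suffices, and the full teardown with --apply is the fallback.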

Inspect the iptables rules afterwards:

[root@k8s ~]# iptables-save
# Generated by iptables-save v1.4.21 on Mon Jul 31 10:24:49 2017
*nat
:PREROUTING ACCEPT [37537:1988278]
:INPUT ACCEPT [29754:1663126]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [9:468]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 192.168.0.0/20 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.3/32 -d 192.168.0.3/32 -p tcp -m tcp --dport 5000 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 192.168.0.3:5000
COMMIT
# Completed on Mon Jul 31 10:24:49 2017
# Generated by iptables-save v1.4.21 on Mon Jul 31 10:24:49 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [376657:86070633]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 106.37.232.114/32 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A DOCKER -d 192.168.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5000 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
COMMIT
# Completed on Mon Jul 31 10:24:49 2017

This is what a healthy ruleset looks like: the nat table again has the DOCKER chain, PREROUTING and OUTPUT jump into it for locally addressed traffic, and the published port (here 192.168.0.3:5000) has its DNAT rule there, while the filter table carries the matching per-port ACCEPT in its own DOCKER chain reached from FORWARD. The INPUT rules (ssh, one allowed source address, reject everything else) are the host's own and are not touched by Docker.

About
Gao Yang (高洋), IT professional, born 10 April 1989, email: gy59821@163.com, currently working at 北京玩蟹科技有限公司.