If the iptables service is reloaded on its own, the rules that docker configured are lost:
[root@docker ~]# firewall-cmd --reload
success
[root@docker ~]# iptables -L -nv | grep -i docker
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
[root@docker ~]#
This makes the network unreachable or produces related errors:
[root@h104 ~]# docker push docker:5000/ubuntu
The push refers to a repository [docker:5000/ubuntu] (len: 1)
unable to ping registry endpoint https://docker:5000/v0/
v2 ping attempt failed with error: Get https://docker:5000/v2/: dial tcp 192.168.100.103:5000: no route to host
v1 ping attempt failed with error: Get https://docker:5000/v1/_ping: dial tcp 192.168.100.103:5000: no route to host
[root@h104 ~]#
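The fix is to make sure that after the iptables service is restarted, the docker service is restarted as well, so that docker's network policy is applied again (most importantly, so that Chain DOCKER is loaded):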
[root@docker ~]# systemctl stop docker && systemctl start docker
[root@docker ~]# iptables -L -nv | grep -i docker
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (1 references)
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:5000
[root@docker ~]#
----------
[root@h104 ~]# docker push docker:5000/ubuntu
The push refers to a repository [docker:5000/ubuntu] (len: 1)
8693db7e8a00: Image already exists
a4c5be5b6e59: Image already exists
c4fae638e7ce: Image already exists
latest: digest: sha256:45d78ef16a9e6199ffbbc78f71c2c6ef6647f3be6b9721fe3f1b08d6e3fcf6b3 size: 6800
[root@h104 ~]#
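A check for the condition described above, as an added example that is not part of the original article: it reads `iptables -L -nv` output and reports whether Chain DOCKER and the jump into it on docker0 are present. The function names, the `--live` switch and the embedded sample listings (constructed to resemble the output above) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article).
# Reads `iptables -L -nv` text on stdin; returns 0 when Docker's filter rules
# are present, 1 when the DOCKER chain or the jump into it is missing.
docker_rules_intact() {
    awk '
        # chain header, e.g. "Chain DOCKER (1 references)"
        $1 == "Chain" && $2 == "DOCKER" { chain = 1 }
        # rule columns: pkts bytes target prot opt in out source destination
        $3 == "DOCKER" && $7 == "docker0" { jump = 1 }
        END { exit !(chain && jump) }
    '
}

# Constructed sample: listing after `firewall-cmd --reload` (rules lost).
sample_after_reload() {
    cat <<'EOF'
Chain FORWARD (policy ACCEPT)
    0     0 ACCEPT     all  --  *       docker0  0.0.0.0/0  0.0.0.0/0  ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 !docker0 0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0  0.0.0.0/0
EOF
}

# Constructed sample: listing after docker was restarted (rules restored).
sample_after_restart() {
    cat <<'EOF'
Chain FORWARD (policy ACCEPT)
    0     0 DOCKER     all  --  *       docker0  0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT     all  --  *       docker0  0.0.0.0/0  0.0.0.0/0  ctstate RELATED,ESTABLISHED
Chain DOCKER (1 references)
    0     0 ACCEPT     tcp  --  !docker0 docker0 0.0.0.0/0  172.17.0.2  tcp dpt:5000
EOF
}

# With --live (run as root), check the running host instead of the samples.
if [ "${1:-}" = "--live" ]; then
    if iptables -L -nv | docker_rules_intact; then
        echo "DOCKER chain present"
    else
        echo "DOCKER chain missing: restart docker to reload its rules" >&2
        exit 1
    fi
fi
```

Running it with `--live` right after a firewall reload shows whether docker needs the restart described above.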
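Tip: ports exported by docker do not need to be opened separately in the filter table of the host firewall, because their traffic goes through the FORWARD chain. This also means the host's INPUT chain rules do not filter that traffic.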
This article is a repost; see the original.
In case of infringement, contact cloudcommunity@tencent.com to have it removed.