在CentOS 7上當(dāng)我們以類似下列命令將主機(jī)端口與容器端口映射時可能遇到無法訪問容器服務(wù)的問題
docker run --name web_a -p 192.168.1.250:803:80 -d web_a:beta1.0.0 .
由于docker在執(zhí)行此命令時,是向iptables注入了一條規(guī)則將主機(jī)803映射到容器80端口,但是CentOS 7中以firewalld服務(wù)替代了iptables。因此,上述命令的端口映射不會生效。
解決方法:首先觀察一下主機(jī)上的網(wǎng)卡信息,確認(rèn)增加了一個docker0的虛擬網(wǎng)卡:
[root@localhost /home]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:5cff:fe0e:82f9 prefixlen 64 scopeid 0x20<link>
ether 02:42:5c:0e:82:f9 txqueuelen 0 (Ethernet)
RX packets 1288 bytes 1561177 (1.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1594 bytes 108755 (106.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.250 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::76f4:9aea:4973:ec6c prefixlen 64 scopeid 0x20<link>
inet6 240e:379:542:2800:8844:77ba:78dd:7 prefixlen 128 scopeid 0x0<global>
inet6 240e:379:542:2811:3ead:218:ba68:38e6 prefixlen 64 scopeid 0x0<global>
ether 74:d4:35:09:93:19 txqueuelen 1000 (Ethernet)
RX packets 10166908 bytes 1221399579 (1.1 GiB)
RX errors 0 dropped 3014 overruns 0 frame 0
TX packets 982334 bytes 427296782 (407.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 18
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1833650 bytes 450567722 (429.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1833650 bytes 450567722 (429.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethecef228: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::f425:f1ff:fe82:9c19 prefixlen 64 scopeid 0x20<link>
ether f6:25:f1:82:9c:19 txqueuelen 0 (Ethernet)
RX packets 234 bytes 1520113 (1.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 613 bytes 39809 (38.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
使用如下命令確認(rèn)容器實(shí)例得到的虛擬ip:
假設(shè)容器中的ip為172.17.0.2,接下來我們要為此IP做個NAT轉(zhuǎn)發(fā)規(guī)則,并讓firewalld服務(wù)處理此規(guī)則:
#主機(jī)端口請求轉(zhuǎn)發(fā)到容器(容器中的服務(wù)不要監(jiān)聽localhost而要監(jiān)聽容器分配的虛擬IP或者以0.0.0.0替代)
firewall-cmd --permanent --zone=public --add-masquerade 啟用端口NAT轉(zhuǎn)發(fā)
#將主機(jī)803端口請求轉(zhuǎn)發(fā)到容器上的80端口
firewall-cmd --add-forward-port=port=803:proto=tcp:toaddr=172.17.0.2:toport=80 --permanent
#重載規(guī)則
firewall-cmd --reload
#列出所有規(guī)則
firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp2s0
sources:
services: ssh dhcpv6-client
ports: 3306/tcp 80/tcp 21/tcp 5000/tcp 6379/tcp 900/tcp 801/tcp 802/tcp 6000/tcp 5002/tcp 90/tcp 9092/tcp 81/tcp 803/tcp
protocols:
masquerade: yes
forward-ports: port=803:proto=tcp:toport=80:toaddr=172.17.0.2
source-ports:
icmp-blocks:
rich rules:
#重新啟動docker
systemctl restart docker
#重新啟動容器
docker start web_a
經(jīng)上述操作,就能以主機(jī)IP:803訪問容器上的80端口的服務(wù),并不需要關(guān)閉firewalld(很多網(wǎng)上的結(jié)論是換成iptables服務(wù),實(shí)測不需要)。
總結(jié)
到此這篇關(guān)于在CentOS 7 上為docker配置端口轉(zhuǎn)發(fā)以兼容firewall的解決方法的文章就介紹到這了,更多相關(guān)docker配置端口轉(zhuǎn)發(fā)以兼容firewall內(nèi)容請搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家!
