docker端口映射或启动容器时报错 driver failed programming external connectivity on endpoint

docker端口映射或启动容器时报错 Error response from daemon: driver failed programming external connectivity on endpoint quirky_allen

现象：

[root@localhost ~]# docker run -d -p 9000:80 centos:httpd /bin/sh -c /usr/local/bin/start.sh

d5b2bd5a7bc4895a973fe61efd051847047d26385f65c278aaa09e4fa31c4d76

docker: Error response from daemon: driver failed programming external connectivity on endpoint quirky_allen (6bda693d1143657e46bee0300276aa05820da2b21a3d89441e820d1a274c48b6): (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 9000 -j DNAT --to-destination 172.17.0.2:80 ! -i docker0: iptables: No chain/target/match by that name.

(exit status 1)).

[root@localhost ~]# docker start d5b2bd5a7bc4

Error response from daemon: driver failed programming external connectivity on endpoint quirky_allen (4127da7466709fd45695a1fbe98e13c2ac30c2a554e18fb902ef5a03ba308438): (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 9000 -j DNAT --to-destination 172.17.0.2:80 ! -i docker0: iptables: No chain/target/match by that name.

(exit status 1))

Error: failed to start containers: d5b2bd5a7bc4

原因:

docker服务启动时定义的自定义链DOCKER由于 centos7 firewall 被清掉

firewall的底层是使用iptables进行数据过滤，建立在iptables之上，这可能会与 Docker 产生冲突。

当 firewalld 启动或者重启的时候，将会从 iptables 中移除 DOCKER 的规则，从而影响了 Docker 的正常工作。

当你使用的是 Systemd 的时候， firewalld 会在 Docker 之前启动，但是如果你在 Docker 启动之后再启动 或者重启 firewalld ，你就需要重启 Docker 进程了。

重启docker服务及可重新生成自定义链DOCKER

Chain PREROUTING (policy ACCEPT)targetprot opt sourcedestination DOCKERall -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCALChain INPUT (policy ACCEPT)targetprot opt sourcedestination Chain OUTPUT (policy ACCEPT)targetprot opt sourcedestination DOCKERall -- 0.0.0.0/0 !127.0.0.0/8ADDRTYPE match dst-type LOCALChain POSTROUTING (policy ACCEPT)targetprot opt sourcedestination MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0MASQUERADE tcp -- 172.17.0.2 172.17.0.2 tcp dpt:8080Chain DOCKER (2 references)targetprot opt sourcedestination RETURNall -- 0.0.0.0/0 0.0.0.0/0DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8888 to:172.17.0.2:8080root@router:playbook#iptables -t nat -nLChain PREROUTING (policy ACCEPT)targetprot opt sourcedestination DOCKERall -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCALChain INPUT (policy ACCEPT)targetprot opt sourcedestination Chain OUTPUT (policy ACCEPT)targetprot opt sourcedestination DOCKERall -- 0.0.0.0/0 !127.0.0.0/8ADDRTYPE match dst-type LOCALChain POSTROUTING (policy ACCEPT)targetprot opt sourcedestination MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0MASQUERADE tcp -- 172.17.0.2 172.17.0.2 tcp dpt:8080Chain DOCKER (2 references)targetprot opt sourcedestination RETURNall -- 0.0.0.0/0 0.0.0.0/0DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8888 to:172.17.0.2:8080

解决:

重启docker服务后再启动容器

systemctl restart dockerdocker start foo