Simple firewall configuration for Docker on CentOS 7
Disable the firewalld service
systemctl disable firewalld
systemctl stop firewalld
Install the iptables firewall service
yum install iptables-services
Create the iptables configuration script
cat > /usr/local/bin/fired.sh <<'EOF'
#!/bin/bash
# Start from an empty filter table: flush all rules, delete user-defined chains, zero the counters.
# Without -t this touches only the filter table, so Docker's nat chains survive, but the chains
# Docker adds to the filter table do not: this script must run before docker starts.
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type 8 -j ACCEPT
# Optional rate limit on port 80 (needs a matching "-m recent --set" rule before it to record sources)
#iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 50 -j DROP
#iptables -A OUTPUT -o eth0 -m owner --uid-owner vivek -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1:1023 --dport 1:1023 --syn -j DROP
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p tcp --dport 2376 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 --sport 1024:65534 -j ACCEPT
# OpenVPN configuration
# iptables -A POSTROUTING -t nat -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# iptables -A FORWARD -i tun+ -j ACCEPT
# iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p TCP -i eth0 --dport 10173 --sport 1024:65534 -j ACCEPT
# iptables -A INPUT -p UDP -i eth0 --dport 10173 --sport 1024:65534 -j ACCEPT
EOF
chmod +x /usr/local/bin/fired.sh
Two caveats about this ruleset. The --sport 1024:65534 matches are not a security control, because a client picks its own source port; they only keep out accidental traffic. Port 2376 is the Docker daemon's TLS port, and anyone who can talk to an unauthenticated daemon API has root on the host, so open it only when the daemon is configured with TLS and client certificate verification; exposing 3306 to the outside deserves the same scrutiny.
Add it to the startup sequence
cat >> /etc/rc.d/rc.local <<EOF
# Firewall & Docker
/usr/bin/systemctl start iptables.service
/usr/local/bin/fired.sh
/usr/bin/systemctl start docker
EOF
chmod +x /etc/rc.d/rc.local
On CentOS 7 rc.local is only executed by rc-local.service when the file is executable, hence the chmod.
Disable automatic start of the services involved
# Note: Docker adds its own chains and rules to iptables when it starts, and fired.sh flushes the filter table, so the two must run in the order above instead of starting on their own
systemctl disable iptables.service
systemctl disable docker
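The same policy as fired.sh, rebuilt here as an added example (not the article's script) around iptables-restore: the whole filter table is replaced in one atomic load instead of rule by rule, and only the filter table is written, so the nat table where Docker keeps its DOCKER chain is never touched. It assumes the external interface is eth0 (override with IFACE) and uses the conntrack match, the modern spelling of -m state. Like fired.sh it must run before docker starts, because replacing the filter table removes the chains Docker adds there.

```shell
#!/bin/sh
# Added example: generate the filter-table policy from the article as an
# iptables-restore ruleset and load it atomically. Only "*filter" is
# written, so Docker's nat chains survive; Docker's filter chains do not,
# so run this before "systemctl start docker" (as rc.local does).
# Assumptions: external interface eth0 (override with IFACE), TCP ports
# passed as arguments.

IFACE="${IFACE:-eth0}"

# build_filter_rules PORT...: print an iptables-restore ruleset that drops
# inbound traffic by default and accepts new TCP connections on PORT...
build_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $IFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $IFACE -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $IFACE -p icmp --icmp-type 8 -j ACCEPT
EOF
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*)
                echo "build_filter_rules: '$port' is not a port number" >&2
                return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "build_filter_rules: port $port out of range" >&2
            return 1
        fi
        echo "-A INPUT -i $IFACE -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# apply_rules PORT...: load the ruleset. iptables-restore parses the whole
# file before committing, so a typo leaves the old table in place instead
# of a half-built one.
apply_rules() {
    build_filter_rules "$@" | iptables-restore
}

# Stand-alone use: print the ruleset for the ports the article opens, or
# load it when run as root with APPLY=1 (for example from rc.local).
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    apply_rules 22 80 2376 3306
else
    build_filter_rules 22 80 2376 3306
fi
```

To preview what would be loaded on a real host, pipe the generated ruleset into `iptables-restore --test`, which parses it without committing anything.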
Some pitfalls of Docker on CentOS 7
When installing MySQL in a container on CentOS, the error chown: changing ownership of '/var/lib/mysql': Permission denied appears; this is fixed by method 1 below.
When mounting a data volume on CentOS and accessing it inside the container, permission denied is reported; this is also fixed by method 1 below.
1. SELinux on CentOS 7 denies the container write access to the host directory, so mounting it as /var/lib/mysql for mysql or mariadb fails. Running the container shows the following:
[root@localhost mariadb]# docker run -d -v ~/mariadb/data/:/var/lib/mysql -v ~/mariadb/config/:/etc/mysql/conf.d -e MYSQL_ROOT_PASSWORD='123456' test01/mariadb
19c4aa113c610f53f9720ee806e3c918dd18d21dff75c043bdd6db60011a135d
[root@localhost mariadb]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                     PORTS               NAMES
19c4aa113c61        test01/mariadb      "docker-entrypoint.sh"   4 seconds ago       Exited (1) 1 seconds ago                       desperate_kelle
Checking docker logs for the container shows the reason: chown: changing ownership of '/var/lib/mysql/': Permission denied
So, there are three solutions to solve this problem:
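An added check, not one of the article's solutions, for the SELinux case above: it tells whether a host directory carries a type that containers are allowed to write to. With SELinux enforcing, a bind mount needs the container file type (svirt_sandbox_file_t on CentOS 7, container_file_t on newer policies); Docker assigns that type itself when the volume is given the :z (shared) or :Z (private) suffix, for example -v ~/mariadb/data:/var/lib/mysql:Z. The two contexts used at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not one of the article's solutions): find out whether a
# host directory is labelled so that a container may write to it. With any
# other type the entrypoint's chown fails with "Permission denied" even
# though the Unix permissions look right.

# label_type CONTEXT: the type field of "user:role:type:level"
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# container_writable_type TYPE: succeed if containers may write this type
container_writable_type() {
    case "$1" in
        svirt_sandbox_file_t|container_file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_advice DIR CONTEXT: explain what to do about a directory with this
# context; fails when the label would make the mount unusable
mount_advice() {
    if container_writable_type "$(label_type "$2")"; then
        echo "$1 is labelled $2: containers can write to it"
    else
        echo "$1 is labelled $2: add :Z (private) or :z (shared) to the -v option, or run: chcon -Rt svirt_sandbox_file_t $1"
        return 1
    fi
}

# volume_check DIR: inspect a real directory on this host. stat -c %C
# prints the SELinux context of the file (GNU coreutils).
volume_check() {
    mode=$(getenforce 2>/dev/null || echo Disabled)
    if [ "$mode" != Enforcing ]; then
        echo "SELinux is $mode, labels are not enforced on $1"
        return 0
    fi
    mount_advice "$1" "$(stat -c %C "$1")"
}

# Stand-alone use: check the directories given on the command line; with
# no arguments, show both outcomes on constructed contexts.
if [ $# -gt 0 ]; then
    for dir in "$@"; do volume_check "$dir"; done
else
    mount_advice ~/mariadb/data "unconfined_u:object_r:user_home_t:s0" || :
    mount_advice ~/mariadb/data "system_u:object_r:svirt_sandbox_file_t:s0"
fi
```

chcon is lost on a relabel; to make the type permanent use semanage fcontext plus restorecon, or simply let Docker label the volume through :Z.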
2. Sometimes, when starting a container with a port mapping, the following error appears:
iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 52080 -j DNAT --to-destination 192.168.20.22:52080 ! -i docker0: iptables: No chain/target/match by that name
Searching for this turned up no explanation. I referred to http://www.lxy520.net/2015/09/24/centos-7-docker-qi-dong-bao/, which says to modify the iptables file, but on CentOS 7 that file may not exist at all, or the iptables service may not be installed. In the end the host was rebooted and the problem went away; in between, firewall-cmd was used to query and stop the firewall.
What the message actually says is that the DOCKER chain Docker creates in the nat table no longer exists, which is what happens when the nat table is flushed after Docker has started (restarting the iptables service or reloading firewalld does exactly that). Restarting the docker service recreates its chains, which is also why the reboot fixed it.
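An added check (not from the article) for the situation just described: the failing command appends to the DOCKER chain of the nat table, so the first thing to confirm is whether that chain still exists. The function below reads iptables-save output, which lists each table under a *table header with one :CHAIN policy [counters] line per chain, and reports which of Docker's chains are missing. The two sample outputs are constructed inline so the script also runs without root.

```shell
#!/bin/sh
# Added example: diagnose "No chain/target/match by that name" on
# "iptables -t nat -A DOCKER ..." by checking which Docker chains exist.
# Input is iptables-save output on stdin, so it can come from the live
# kernel (iptables-save | docker_chains_missing) or from a captured file.

# chain_present TABLE CHAIN: succeed if ":CHAIN " is declared in "*TABLE".
chain_present() {
    awk -v table="*$1" -v chain=":$2 " '
        /^\*/     { in_table = ($0 == table); next }
        /^COMMIT/ { in_table = 0; next }
        in_table && index($0, chain) == 1 { found = 1 }
        END       { exit found ? 0 : 1 }
    '
}

# docker_chains_missing: print the Docker chains that are absent. Only the
# two chains every Docker version creates are checked; exit status 0 means
# port mapping has what it needs.
docker_chains_missing() {
    input=$(cat)
    missing=0
    for spec in nat:DOCKER filter:DOCKER; do
        table=${spec%%:*}
        chain=${spec#*:}
        if ! printf '%s\n' "$input" | chain_present "$table" "$chain"; then
            echo "missing: $table/$chain"
            missing=1
        fi
    done
    [ "$missing" = 0 ]
}

# Constructed iptables-save output (not captured from a real host) for a
# host where Docker's chains are intact ...
sample_intact() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
COMMIT
EOF
}

# ... and after the nat table was flushed behind Docker's back (for
# example by restarting the iptables service): DOCKER is gone from *nat.
sample_flushed() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
COMMIT
EOF
}

# Stand-alone use: run both samples through the check.
for s in sample_intact sample_flushed; do
    if $s | docker_chains_missing; then
        echo "$s: ok"
    else
        echo "$s: port mapping will fail; systemctl restart docker recreates the chains"
    fi
done
```

On a live host run it as root with `iptables-save | docker_chains_missing`; a missing nat/DOCKER line means the fix is to restart docker, not to edit any iptables file.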
Summary
That's all for this article. I hope the content of this article is of certain reference and learning value to everyone's study or work. If you have any questions, you can leave messages for communication. Thank you for your support of the Shout tutorial.