RHEL7 docker remote connection
RHEL7 dockerd remote connection
I am exploring building a gateway that can start and stop docker containers on an rhel7 system. I changed my /usr/lib/systemd/system/docker.service to start docker on an interface with the following ExecStart.
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:23751 --containerd=/run/containerd/containerd.sock
Unless I disable the firewall I cannot connect to dockerd to get the status of the containers. But if I disable the firewall, I cannot start containers.
Caused by: com.amihaiemil.docker.UnexpectedResponseException: Expected status 204 but got 500 when calling
http://192.168.1.70:23751/v1.35/containers/e3f0f09269a699ec27bbac8a5027d1383ae15cf64b5e6b649e76be1297cc2535/start.
Response body was {"message":"driver failed programming external connectivity on endpoint hello-service
(eef135f889322f1899800f19612404e9d8b1f39c7866f31ca5059562aa501bf6):
(iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 34570 -j DNAT --to-destination 192.168.10.40:8080 ! -i br-4982fe847356: iptables: No chain/target/match by that name.\n (exit status 1))"}
I realize that opening a tcp port for dockerd has consequences. Before I lock everything down, I want to understand how a gateway could do something like this.
Has anyone else run into this?
After some trial and error I found that firewalld was blocking the port.
To enable the port, do the following.
sudo firewall-cmd --zone=public --add-port=2375/tcp
Please note, doing this opens a very large security vulnerability as the commenter above has pointed out. In my case, this was done behind a firewall where no outside connections can make a connection to inside my network's firewall. This is still a bad idea, but in this case it is being used to explore some concepts and is turned off when not being used. Please explore the security implications when doing this.
Also, the firewall will not save the configuration in the above command unless you use the --permanent argument.
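The following script is an added example and is not part of the original question or answer. It reads the tcp port out of the dockerd ExecStart line so that the firewall rule opens the same port the daemon listens on (the unit above listens on 23751 while the answer's command opens 2375), adds the rule permanently and only for the gateway host's address, and restarts dockerd afterwards: stopping or reloading firewalld on RHEL7 flushes the iptables chains dockerd programmed at start-up, which is what produces the "No chain/target/match by that name" error from the question. The gateway address 192.168.1.10/32, the `--apply` switch and the sample unit file content are assumptions made for the example.

```bash
#!/bin/bash
# Added example, not from the original post. Assumes the dockerd tcp listener is
# declared as "-H tcp://HOST:PORT" on the ExecStart line of the unit file and that
# the only client that needs the API is one gateway host (GATEWAY_CIDR below).
set -eu

GATEWAY_CIDR="192.168.1.10/32"   # assumption: address of the gateway host
UNIT_FILE="/usr/lib/systemd/system/docker.service"

# Write a constructed sample unit file that mirrors the ExecStart from the question.
write_sample_unit() {
    cat > "$1" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:23751 --containerd=/run/containerd/containerd.sock
EOF
}

# Print the port of the first "-H tcp://..." listener on the ExecStart line,
# or nothing if the unit has no tcp listener.
dockerd_tcp_port() {
    grep -E '^ExecStart=' "$1" \
      | grep -oE -- '-H ?tcp://[^[:space:]]+' \
      | head -n 1 \
      | sed 's/.*://'
}

# Build a firewalld rich rule that accepts the port only from one source.
# $1 = source CIDR, $2 = tcp port
firewalld_rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

# Open the dockerd port for the gateway and re-create docker's iptables chains.
open_dockerd_port() {
    local unit_file="$1" gateway_cidr="$2" port rule
    port=$(dockerd_tcp_port "$unit_file")
    [ -n "$port" ] || { echo "no tcp listener found in $unit_file" >&2; return 1; }
    rule=$(firewalld_rich_rule "$gateway_cidr" "$port")

    # --permanent stores the rule under /etc/firewalld; --reload activates it.
    sudo firewall-cmd --permanent --zone=public --add-rich-rule="$rule"
    sudo firewall-cmd --reload

    # Reloading (or stopping) firewalld drops the DOCKER nat chain dockerd created at
    # start-up, so container port publishing fails until dockerd recreates it.
    sudo systemctl restart docker

    # Checks: the DOCKER nat chain exists again and the API answers locally.
    sudo iptables -t nat -S DOCKER >/dev/null
    curl -sf "http://127.0.0.1:${port}/version" >/dev/null
    echo "dockerd port ${port} opened for ${gateway_cidr}"
}

# Without --apply only show what would be done, using the constructed sample unit.
if [ "${1:-}" = "--apply" ]; then
    open_dockerd_port "$UNIT_FILE" "$GATEWAY_CIDR"
else
    sample=$(mktemp)
    write_sample_unit "$sample"
    echo "port from unit file: $(dockerd_tcp_port "$sample")"
    echo "rich rule: $(firewalld_rich_rule "$GATEWAY_CIDR" "$(dockerd_tcp_port "$sample")")"
    rm -f "$sample"
fi
```

Run it without arguments to see the derived port and rule; `--apply` performs the change on the host. Restricting the source address limits who can reach the socket but does not authenticate anyone: whoever can connect still has root-equivalent control of the host, so for anything beyond an experiment the gateway should talk to dockerd over TLS with client certificates (dockerd's --tlsverify, --tlscacert, --tlscert and --tlskey options) rather than plain tcp.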