Reference: https://docs.docker.com/network/iptables/
That page explains how to add rules, and a rule takes effect as soon as it is added. The problem is what happens when the system reboots, or when Docker restarts: in both cases Docker rewrites its iptables rules, so the rule you added is lost.
A better approach is therefore to add the rule right after Docker (re)starts.
[root@CentOS7-6 middleware]# cat set_rule.sh
#!/bin/bash
# Replace Docker's "accept from anywhere" rule for port 9200 with one that only
# accepts the permitted source address. Docker adds that rule when the container
# publishing 9200 starts; only the first matching rule is handled here.
rule_num=$(iptables -L DOCKER -n --line-numbers | awk '/dpt:9200/ {print $1; exit}')
if [ -n "$rule_num" ]; then
    iptables -R DOCKER "$rule_num" -p tcp -m tcp -s 10.6.118.22 --dport 9200 -j ACCEPT
    echo "set rule ok"
else
    echo "iptables rule needn't set."
fi
[root@CentOS7-6 middleware]# cat /etc/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target docker.socket
Wants=docker.socket
[Service]
Type=notify
Environment=GOTRACEBACK=crash
ExecReload=/bin/kill -s HUP $MAINPID
Delegate=yes
KillMode=process
ExecStart=/usr/bin/dockerd \
--default-address-pool base=172.17.0.0,size=16 \
--insecure-registry=intranet.uihcloud.registry:5000 \
--data-root /data/docker_lib \
--log-opt max-size=10m \
--log-opt max-file=3
ExecStartPost=/var/middleware/set_rule.sh
TasksMax=infinity
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=1min
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
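As an added example (not the post's own set_rule.sh), here is a more defensive version of the script that covers the cases the original does not: it matches the exact destination port, rewrites every matching rule, waits for Docker to create the rule, and never fails the unit; it is meant to be called as ExecStartPost=/var/middleware/set_rule.sh apply. The port, source address and 30-second wait are assumptions taken from the post's own values, and the parsing functions work on listing text so they can be checked without root.

```bash
#!/bin/bash
# Added example, not the original set_rule.sh. Differences: exact "dpt:" match
# instead of any "9200" substring; every matching rule is handled; it waits
# for Docker to create the rule (containers start after dockerd signals ready,
# so ExecStartPost may run first); and it always exits 0, since a failing
# ExecStartPost marks docker.service as failed. Values below are assumptions.
set -u
PORT=9200
ALLOWED_SRC=10.6.118.22
WAIT_SECONDS=30

# Read `iptables -L DOCKER -n --line-numbers` output on stdin and print the
# numbers of ACCEPT rules whose "dpt:" field is exactly the given port.
matching_rule_numbers() {
    awk -v port="$1" '$1 ~ /^[0-9]+$/ && $2 == "ACCEPT" {
        for (i = 7; i <= NF; i++) if ($i == ("dpt:" port)) { print $1; break }
    }'
}

# Read the same listing on stdin and print the destination (container IP)
# of rule number $1, so the replacement keeps the original destination.
rule_destination() {
    awk -v n="$1" '$1 == n { print $6; exit }'
}

restrict_port() {    # $1 = port, $2 = allowed source, $3 = max seconds to wait
    local waited=0 listing nums n dest
    while :; do
        listing=$(iptables -L DOCKER -n --line-numbers)
        nums=$(printf '%s\n' "$listing" | matching_rule_numbers "$1")
        [ -n "$nums" ] && break
        if [ "$waited" -ge "$3" ]; then
            echo "no DOCKER rule for port $1 after ${3}s, nothing to restrict"
            return 0
        fi
        sleep 1; waited=$((waited + 1))
    done
    for n in $nums; do
        dest=$(printf '%s\n' "$listing" | rule_destination "$n")
        # -R replaces in place, so rule numbers stay valid across the loop
        iptables -R DOCKER "$n" -p tcp -m tcp -s "$2" -d "$dest" --dport "$1" -j ACCEPT \
            && echo "rule $n: port $1 on $dest now limited to $2"
    done
    return 0
}

# Only touch iptables when run as "set_rule.sh apply" (e.g. from ExecStartPost).
if [ "${1:-}" = "apply" ]; then
    restrict_port "$PORT" "$ALLOWED_SRC" "$WAIT_SECONDS"
fi
```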
I also saw another approach that adds privileged=true (http://www.manongjc.com/article/127102.html); still to be tested.