无法在 Dockerfile 中运行 iptables
[英]Cant run iptables in Dockerfile
问题描述
I have been battling for a while on this, Given the following Dockerfile. if I leave the RUN iptables.., lines out.
我已经为此奋斗了一段时间,鉴于以下 Dockerfile。如果我离开 RUN iptables..,行出来。 then execute them manually inside the running docker container they work fine.然后在正在运行的 docker 容器中手动执行它们,它们工作正常。 But if I leave them in Dockerfile I get a permissions error.但是,如果我将它们留在 Dockerfile 中,则会出现权限错误。
FROM ubuntu
RUN apt-get update
RUN apt-get install -y iptables
RUN iptables -I INPUT -p tcp --dport 27015 -j ACCEPT
RUN iptables -A INPUT -i eth0 -j QUEUE
The output of docker build gives: docker 构建的 output 给出:
[+] Building 0.4s (7/8)
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 199B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/library/ubuntu:latest 0.0s
=> [1/5] FROM docker.io/library/ubuntu 0.0s
=> CACHED [2/5] RUN apt-get update 0.0s
=> CACHED [3/5] RUN apt-get install -y iptables 0.0s
=> ERROR [4/5] RUN iptables -I INPUT -p tcp --dport 27015 -j ACCEPT 0.3s
------
> [4/5] RUN iptables -I INPUT -p tcp --dport 27015 -j ACCEPT:
#7 0.256 getsockopt failed strangely: Operation not permitted
------
executor failed running [/bin/sh -c iptables -I INPUT -p tcp --dport 27015 -j ACCEPT]: exit code: 1
But if I use:但是如果我使用:
FROM ubuntu
RUN apt-get update
RUN apt-get install -y iptables
Docker build completes OK, then I run the image with: Docker 构建完成 OK,然后我运行图像:
docker run -i -t --cap-add NET_RAW --cap-add NET_ADMIN 094d0bb9befb
The container opens and at the command prompt I can type in the iptables rules as above.容器打开,在命令提示符下我可以输入上面的 iptables 规则。 They are accepted and work exactly as I require.他们被接受并完全按照我的要求工作。
Any ideas how I can apply these iptable rules directly from the Dockerfile?有什么想法可以直接从 Dockerfile 应用这些 iptable 规则吗?
1 个解决方案
解决方案1
2 已采纳 2022-02-14 08:50:23
how I can apply these iptable rules directly from the Dockerfile?
You can't.你不能。 And they make little sense - they are affecting the temporary container created for building the image.而且它们毫无意义 - 它们正在影响为构建图像而创建的临时容器。
Each container has a separate.network namespace, which includes separate interfaces and firewall.每个容器都有一个单独的 .network 命名空间,其中包括单独的接口和防火墙。 On container startup, a separate.network space is created.在容器启动时,会创建一个单独的网络空间。
Create a script that will be run on CMD or ENTRYPOINT or manually on container startup and in that script add commands that should affect the current container environment..创建将在CMD或ENTRYPOINT上运行或在容器启动时手动运行的脚本,并在该脚本中添加应影响当前容器环境的命令。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.