[英]Cant run iptables in Dockerfile
I have been battling for a while on this, Given the following Dockerfile. if I leave the RUN iptables.., lines out.我已经为此奋斗了一段时间,鉴于以下 Dockerfile。如果我离开 RUN iptables..,行出来。 then execute them manually inside the running docker container they work fine.
然后在正在运行的 docker 容器中手动执行它们,它们工作正常。 But if I leave them in Dockerfile I get a permissions error.
但是,如果我将它们留在 Dockerfile 中,则会出现权限错误。
FROM ubuntu
RUN apt-get update
RUN apt-get install -y iptables
RUN iptables -I INPUT -p tcp --dport 27015 -j ACCEPT
RUN iptables -A INPUT -i eth0 -j QUEUE
The output of docker build gives: docker 构建的 output 给出:
[+] Building 0.4s (7/8)
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 199B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/library/ubuntu:latest 0.0s
=> [1/5] FROM docker.io/library/ubuntu 0.0s
=> CACHED [2/5] RUN apt-get update 0.0s
=> CACHED [3/5] RUN apt-get install -y iptables 0.0s
=> ERROR [4/5] RUN iptables -I INPUT -p tcp --dport 27015 -j ACCEPT 0.3s
------
> [4/5] RUN iptables -I INPUT -p tcp --dport 27015 -j ACCEPT:
#7 0.256 getsockopt failed strangely: Operation not permitted
------
executor failed running [/bin/sh -c iptables -I INPUT -p tcp --dport 27015 -j ACCEPT]: exit code: 1
But if I use:但是如果我使用:
FROM ubuntu
RUN apt-get update
RUN apt-get install -y iptables
Docker build completes OK, then I run the image with: Docker 构建完成 OK,然后我运行图像:
docker run -i -t --cap-add NET_RAW --cap-add NET_ADMIN 094d0bb9befb
The container opens and at the command prompt I can type in the iptables rules as above.容器打开,在命令提示符下我可以输入上面的 iptables 规则。 They are accepted and work exactly as I require.
他们被接受并完全按照我的要求工作。
Any ideas how I can apply these iptable rules directly from the Dockerfile?有什么想法可以直接从 Dockerfile 应用这些 iptable 规则吗?
how I can apply these iptable rules directly from the Dockerfile?
如何直接从 Dockerfile 应用这些 iptable 规则?
You can't.你不能。 And they make little sense - they are affecting the temporary container created for building the image.
而且它们毫无意义 - 它们正在影响为构建图像而创建的临时容器。
Each container has a separate.network namespace, which includes separate interfaces and firewall.每个容器都有一个单独的 .network 命名空间,其中包括单独的接口和防火墙。 On container startup, a separate.network space is created.
在容器启动时,会创建一个单独的网络空间。
Create a script that will be run on CMD
or ENTRYPOINT
or manually on container startup and in that script add commands that should affect the current container environment..创建将在
CMD
或ENTRYPOINT
上运行或在容器启动时手动运行的脚本,并在该脚本中添加应影响当前容器环境的命令。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.