OS: CentOS Linux release 7.9.2009 (Core)
emqx image version: emqx:5.6.1
Container start command: docker run -d --name emqx -p 1883:1883 -p 8083:8083 -p 8084:8084 -p 8883:8883 -p 18083:18083 emqx/emqx:5.6.1
Screenshot of the symptom:
So far my investigation suggests the iptables rules may be affecting it, but I can't confirm the specific cause. It happens on every machine I've deployed to (it appears after the container has been running for a while, roughly four or five hours), and once it has appeared it reproduces every time. I'd like to ask whether there are any other solutions.
iptables rules after running the container:
[root@node2 project]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
OUTPUT_direct all -- anywhere anywhere
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:18083
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:secure-mqtt
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8084
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:us-srv
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:ibm-mqisdp
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_docker all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_docker all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_docker (1 references)
target prot opt source destination
FWDI_docker_log all -- anywhere anywhere
FWDI_docker_deny all -- anywhere anywhere
FWDI_docker_allow all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FWDI_docker_allow (1 references)
target prot opt source destination
Chain FWDI_docker_deny (1 references)
target prot opt source destination
Chain FWDI_docker_log (1 references)
target prot opt source destination
Chain FWDI_public (2 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_docker (1 references)
target prot opt source destination
FWDO_docker_log all -- anywhere anywhere
FWDO_docker_deny all -- anywhere anywhere
FWDO_docker_allow all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FWDO_docker_allow (1 references)
target prot opt source destination
Chain FWDO_docker_deny (1 references)
target prot opt source destination
Chain FWDO_docker_log (1 references)
target prot opt source destination
Chain FWDO_public (2 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_docker all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_docker (1 references)
target prot opt source destination
IN_docker_log all -- anywhere anywhere
IN_docker_deny all -- anywhere anywhere
IN_docker_allow all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain IN_docker_allow (1 references)
target prot opt source destination
Chain IN_docker_deny (1 references)
target prot opt source destination
Chain IN_docker_log (1 references)
target prot opt source destination
Chain IN_public (2 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:18083 ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:ibm-mqisdp ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:afs3-fileserver ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:afs3-callback ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:38080 ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
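As an added example (not code from the original post, from EMQX or from Docker), here is a small Python checker that parses the `iptables -L` filter-table listing format shown above and reports, for the ports published with `-p`, whether the DOCKER chain still carries an ACCEPT rule for each one pointing at the container address, and whether FORWARD still jumps to DOCKER ahead of its final REJECT. It is meant for comparing a listing captured right after `docker run` against one captured once the symptom appears. Both sample listings inside it are constructed: the first is trimmed from the post's output, the second models a listing in which the container rules are gone. The `SERVICE_PORTS` mapping (service names iptables prints instead of numbers) and all function names are this example's own assumptions.

```python
"""Check an `iptables -L` listing for a container's published-port rules.

Added example, not part of the original forum post. The listing format is the
one `iptables -L` prints: 'Chain NAME (policy X)' / 'Chain NAME (N references)'
headers, a 'target prot opt source destination' header row, one rule per line.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed mapping of the /etc/services names seen in the post to port numbers.
SERVICE_PORTS = {"ibm-mqisdp": 1883, "secure-mqtt": 8883, "us-srv": 8083,
                 "ssh": 22, "http": 80, "mysql": 3306}

# Ports from the post's `docker run -p ...` command and the container address.
PUBLISHED = {1883, 8083, 8084, 8883, 18083}
CONTAINER_IP = "172.17.0.2"

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")


@dataclass
class Rule:
    target: str
    prot: str
    source: str
    destination: str
    extra: str  # match text after the five fixed columns, e.g. 'tcp dpt:18083'


@dataclass
class Chain:
    name: str
    policy: Optional[str]
    rules: List[Rule] = field(default_factory=list)


def parse_listing(text: str) -> Dict[str, Chain]:
    """Parse `iptables -L` output into chains keyed by name."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if current is None or line.startswith("target "):
            continue  # header row (or text before the first chain)
        parts = line.split(None, 5)  # target prot opt source destination [extra]
        if len(parts) < 5:
            continue
        extra = parts[5] if len(parts) == 6 else ""
        current.rules.append(Rule(parts[0], parts[1], parts[3], parts[4], extra))
    return chains


def port_of(dpt: str) -> Optional[int]:
    """Resolve a 'dpt:' value, numeric or service name, to a port number."""
    return int(dpt) if dpt.isdigit() else SERVICE_PORTS.get(dpt)


def accepted_ports(chain: Chain) -> Dict[int, str]:
    """Map port -> destination for every 'ACCEPT ... dpt:<port>' rule in a chain."""
    ports: Dict[int, str] = {}
    for r in chain.rules:
        m = re.search(r"dpt:(\S+)", r.extra)
        if r.target == "ACCEPT" and m:
            p = port_of(m.group(1))
            if p is not None:
                ports[p] = r.destination
    return ports


def check_published_ports(text: str, published, container_ip: str) -> dict:
    """Report which published ports lack a DOCKER-chain ACCEPT for the container,
    and whether FORWARD reaches the DOCKER chain before its final REJECT."""
    chains = parse_listing(text)
    docker, forward = chains.get("DOCKER"), chains.get("FORWARD")
    if docker is None or forward is None:
        return {"docker_chain_present": False, "forward_jumps_to_docker": False,
                "missing": sorted(published)}
    accepted = accepted_ports(docker)
    missing = sorted(p for p in published if accepted.get(p) != container_ip)
    targets = [r.target for r in forward.rules]  # exact names: 'DOCKER-USER' != 'DOCKER'
    jumps = "DOCKER" in targets and (
        "REJECT" not in targets or targets.index("DOCKER") < targets.index("REJECT"))
    return {"docker_chain_present": True, "forward_jumps_to_docker": jumps,
            "missing": missing}


# Constructed sample 1: trimmed from the listing in the post (healthy state).
SAMPLE_OK = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:18083
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:secure-mqtt
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:8084
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:us-srv
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:ibm-mqisdp
"""

# Constructed sample 2: models a listing from which the container rules are gone.
SAMPLE_LOST = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain DOCKER (0 references)
target     prot opt source               destination
"""

if __name__ == "__main__":
    # Pipe a live capture in (`iptables -L | python3 check.py`) or run the samples.
    text = sys.stdin.read() if not sys.stdin.isatty() else None
    for label, sample in (("live", text),) if text else (("ok", SAMPLE_OK), ("lost", SAMPLE_LOST)):
        print(label, check_published_ports(sample, PUBLISHED, CONTAINER_IP))
```

Running it prints `missing: []` for the healthy sample and all five published ports for the second, so a listing captured when connections start failing can be diffed against the one recorded at start-up in one step rather than by eye.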