Centos7.5.1804mini安装下docker容器不能访问主机端口问题排查

背景

主机信息

[root@htwy ~]# lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.5.1804 (Core)
Release: 7.5.1804
Codename: Core
[root@htwy ~]# docker info
Containers: 16
Running: 16
Paused: 0
Stopped: 0
Images: 35
Server Version: 18.06.1-ce
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 3.10.0-862.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 31.02GiB
Name: htwy
ID: XKVN:JBW6:RFQX:4SJA:TVR3:VCOH:2WGT:E2SF:LYMC:GPQN:MW33:MICD
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false


问题

在主机中我创建了两个容器：jenkins, gitlab。

[root@htwy ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0b8e4372c845 maven-node-jenkins:lts "/sbin/tini -- /usr/…" 4 hours ago Up About an hour 0.0.0.0:50000->50000/tcp, 0.0.0.0:8081->8080/tcp jenkins
c1bd3be46aa0 gitlab/gitlab-ce:11.1.4-ce.0 "/assets/wrapper" 27 hours ago Up About an hour (healthy) 443/tcp, 0.0.0.0:8087->22/tcp, 0.0.0.0:8088->80/tcp gitlab


在jenkins中不能正常获取gitlab中的代码，报Failed to connect to 192.168.31.100 port 8088: No route to host错误，
进入到jenkins容器，发现是可以连通192.168.31.100网络的，但
curl http://192.168.31.100:8088就出现No route to host错误

初步判断是防火墙问题，于是先手式关闭防火墙
systemctl stop firewalld.service
发现jenkins可以访问192.168.31.100:8088，但jenkins容器访问外网又出现了
connect to 115.239.210.27 port 80 (tcp) failed: No route to host
错误，不能访问外网了。
这样就重复出现了：
开启防火墙，容器可以访问外网，但不能访问主机
报Failed to connect to 192.168.31.100 port 8088: No route to host
关闭防火墙，容器不能访问外网，但可以访问主机
报connect to 115.239.210.27 port 80 (tcp) failed: No route to host

这样，docker就不能好好玩了。

排查

在参考了一些资料后
Docker NAT iptables实现 及网络配置 （网络二）

Docker Port与iptables一个请求是如何从实体机传递到我们的应用的
还是不能解决我碰到问题，

问题的解决思路就是围绕着docker与firewall的关系进行解决。

[root@htwy ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2018-08-29 22:20:50 EDT; 4h 37min ago
Docs: man:firewalld(1)
Main PID: 107747 (firewalld)
Tasks: 2
Memory: 25.8M
CGroup: /system.slice/firewalld.service
└─107747 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Aug 30 02:05:51 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.27.0.4 -d 172.27.0.4 --dport 443 -j MASQUERADE' failed: iptables: N... by that name.
Aug 30 02:05:53 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 8880 -j DNAT --to-destination 172.27.0.4:80 ! -i br-d729b10fd4b1... by that name.
Aug 30 02:05:53 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i br-d729b10fd4b1 -o br-d729b10fd4b1 -p tcp -d 172.27.0.4 --dport 80 -j ACCEPT' ... that chain?).
Aug 30 02:05:53 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.27.0.4 -d 172.27.0.4 --dport 80 -j MASQUERADE' failed: iptables: No... by that name.
Aug 30 02:05:53 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 4443 -j DNAT --to-destination 172.27.0.4:4443 ! -i br-d729b10fd4... by that name.
Aug 30 02:05:53 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i br-d729b10fd4b1 -o br-d729b10fd4b1 -p tcp -d 172.27.0.4 --dport 4443 -j ACCEPT... that chain?).
Aug 30 02:05:53 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.27.0.4 -d 172.27.0.4 --dport 4443 -j MASQUERADE' failed: iptables: ... by that name.
Aug 30 02:05:53 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 443 -j DNAT --to-destination 172.27.0.4:443 ! -i br-d729b10fd4b1... by that name.
Aug 30 02:05:53 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i br-d729b10fd4b1 -o br-d729b10fd4b1 -p tcp -d 172.27.0.4 --dport 443 -j ACCEPT'... that chain?).
Aug 30 02:05:53 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.27.0.4 -d 172.27.0.4 --dport 443 -j MASQUERADE' failed: iptables: N... by that name.
Hint: Some lines were ellipsized, use -l to show in full.
[root@htwy ~]#


按irewalld[107747]: WARNING: COMMAND_FAILED: &＃8216;/usr/sbin/iptables关键词在google中查找，
找到
Docker Firewalld/iptables WARNING: COMMAND_FAILED这个提问，问题指向docker的一个issue
Docker vs. firewalld on CentOS 7 #16137

看来大家碰到的问题也类似，从2015-09开始，陆续有人在提问。
其中 **tiangolo ** 提出一个解决方法

The (new) fix (updated 2017-01-13) (updated 2017-01-16)

The ultra short version of the fix

• Run all these commands:

nmcli connection modify docker0 connection.zone trusted
systemctl stop NetworkManager.service
firewall-cmd --permanent --zOne=trusted --change-interface=docker0
systemctl start NetworkManager.service
nmcli connection modify docker0 connection.zone trusted
systemctl restart docker.service


The explained version and how to check everything worked

The current workaround that seems to work ends up creating a trusted.xml file AND a ifcfg-docker0 file. The trusted.xml file would set the zone after a reboot (read and used by firewalld) and the ifcfg-docker0 would set the zone after reload or restart of services and interface or connections restarted (read and used mainly by NetworkManager).

To achieve that:

• After having the new interface (e.g. after installing Docker) and having FirewallD enabled and started, set the zone of the interface with NetworkManager&＃8217;s nmcli:

nmcli connection modify docker0 connection.zone trusted


&＃8230;that would set the zone in NetworkManager and FirewallD for the current session and will create the ifcfg-docker0 file for services, network or interfaces&＃8217; restarts and reloads.

• Check that the file was created with:

cat /etc/sysconfig/network-scripts/ifcfg-docker0


&＃8230;it should output something like:

DEVICE=docker0
STP=no
BRIDGING_OPTS=ageing_time=299
TYPE=Bridge
BOOTPROTO=none
IPADDR=172.17.0.1
PREFIX=16
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME=docker0
UUID=5ccc8292-95a2-40d5-9ed6-ab6202fa629e
OnBOOT=no
ZOnE=trusted


&＃8230;specifically, it should have a:

ZOnE=trusted


• Now we need FirewallD to generate that trusted.xml file so that it uses it while booting, but for FirewallD to write that file it must think that NetworkManager is not active, so stop NetworkManager:

systemctl stop NetworkManager.service


• Now set the zone with FirewallD&＃8217;s firewall-cmd:

firewall-cmd --permanent --zOne=trusted --change-interface=docker0


• As NetworkManager is stopped, it won&＃8217;t modify (or even try to create) an ifcfg-docker0 file, if NetworkManager was running it would try to create that same file and wouldn&＃8217;t work after reboot. But this time, as Networkmanager is stopped, it will create a file in the other place for configurations, we can see it with:

cat /etc/firewalld/zones/trusted.xml


&＃8230;outputs:



Trusted
All network connections are accepted.




&＃8230;we can see that the docker0 interface was added to this trusted zone by the:

• And now we can start NetworkManager again:

systemctl start NetworkManager.service


• It is possible that you need to set the zone with NetworkManager again as firewalld might have &＃8220;forgotten&＃8221; the zone settings, it won&＃8217;t do any harm:

nmcli connection modify docker0 connection.zone trusted


• We can check that FirewallD thinks that the docker0 is in the trusted zone. Check the zone of the docker0 interface as seen by FirewallD:

firewall-cmd --get-zone-of-interface=docker0


&＃8230;outputs:

trusted


• And NetworkManager also thinks that it is in the trusted zone. Check the zone of the docker0interface as seen by NetworkManager:

nmcli connection show docker0 | grep zone


&＃8230;outputs something like:

connection.zone: trusted


• We can restart the system and check that the zone will persist, for both FirewallD and NetworkManager.

• If you already checked that it worked and don&＃8217;t want to restart the system, you still will have to restart the Docker service for it to re-create it&＃8217;s ipatables rules:

systemctl restart docker.service


• If you need to change more things with FirewallD and NetworkManager, or if something doesn&＃8217;t seem to be working, please read that issue in FirewallD, as here I&＃8217;m not showing a lot of the details: https://github.com/t-woerner/firewalld/issues/195

执行命令

[root@htwy ~]# nmcli connection modify docker0 connection.zone trusted
[root@htwy ~]# systemctl stop NetworkManager.service
[root@htwy ~]# firewall-cmd --permanent --zOne=trusted --change-interface=docker0
success
[root@htwy ~]# systemctl start NetworkManager.service
[root@htwy ~]# nmcli connection modify docker0 connection.zone trusted
[root@htwy ~]# systemctl restart docker.service


去验证结果：jenkins可能访问gitlab服务了

[root@htwy ~]# docker exec -it jenkins curl http://192.168.31.100:8088/
You are being redirected.


执行命令后网络环境变更信息

前

active-zone-1.png

后

active-zone-2.png

前

active-zone-3-1.png

后

active-zone-3-2.png

前

trusted-1.png

后

trusted-2.png

iptables信息对比

前

[root@htwy ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (11 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.17.0.2 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 172.17.0.4 tcp dpt:50000
ACCEPT tcp -- 0.0.0.0/0 172.17.0.4 tcp dpt:8080
ACCEPT tcp -- 0.0.0.0/0 172.17.0.6 tcp dpt:27017
ACCEPT tcp -- 0.0.0.0/0 172.17.0.2 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 172.17.0.3 tcp dpt:3306
ACCEPT tcp -- 0.0.0.0/0 172.17.0.5 tcp dpt:27017
ACCEPT tcp -- 0.0.0.0/0 172.17.0.7 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 172.17.0.7 tcp dpt:3306
ACCEPT tcp -- 0.0.0.0/0 172.27.0.2 tcp dpt:10514
ACCEPT tcp -- 0.0.0.0/0 172.27.0.9 tcp dpt:4443
ACCEPT tcp -- 0.0.0.0/0 172.27.0.9 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 172.27.0.9 tcp dpt:80
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (0 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (2 references)
target prot opt source destination
FWDI_public_log all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_public (2 references)
target prot opt source destination
FWDO_public_log all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public_allow all -- 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (2 references)
target prot opt source destination
IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination


后

[root@htwy ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.17.0.2 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 172.17.0.2 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 172.27.0.3 tcp dpt:10514
ACCEPT tcp -- 0.0.0.0/0 172.17.0.4 tcp dpt:50000
ACCEPT tcp -- 0.0.0.0/0 172.17.0.4 tcp dpt:8080
ACCEPT tcp -- 0.0.0.0/0 172.17.0.5 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 172.17.0.5 tcp dpt:3306
ACCEPT tcp -- 0.0.0.0/0 172.17.0.6 tcp dpt:27017
ACCEPT tcp -- 0.0.0.0/0 172.17.0.7 tcp dpt:27017
ACCEPT tcp -- 0.0.0.0/0 172.17.0.8 tcp dpt:3306
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_trusted all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_trusted all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (2 references)
target prot opt source destination
FWDI_public_log all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDI_trusted (1 references)
target prot opt source destination
FWDI_trusted_log all -- 0.0.0.0/0 0.0.0.0/0
FWDI_trusted_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDI_trusted_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FWDI_trusted_allow (1 references)
target prot opt source destination
Chain FWDI_trusted_deny (1 references)
target prot opt source destination
Chain FWDI_trusted_log (1 references)
target prot opt source destination
Chain FWDO_public (2 references)
target prot opt source destination
FWDO_public_log all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public_allow all -- 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain FWDO_trusted (1 references)
target prot opt source destination
FWDO_trusted_log all -- 0.0.0.0/0 0.0.0.0/0
FWDO_trusted_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDO_trusted_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FWDO_trusted_allow (1 references)
target prot opt source destination
Chain FWDO_trusted_deny (1 references)
target prot opt source destination
Chain FWDO_trusted_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_trusted all -- 0.0.0.0/0 0.0.0.0/0
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (2 references)
target prot opt source destination
IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain IN_trusted (1 references)
target prot opt source destination
IN_trusted_log all -- 0.0.0.0/0 0.0.0.0/0
IN_trusted_deny all -- 0.0.0.0/0 0.0.0.0/0
IN_trusted_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain IN_trusted_allow (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8088 ctstate NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8087 ctstate NEW
Chain IN_trusted_deny (1 references)
target prot opt source destination
Chain IN_trusted_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination


小结：

如果你也碰到我一样的问题，
执行下面命令吧。

nmcli connection modify docker0 connection.zone trusted
systemctl stop NetworkManager.service
firewall-cmd --permanent --zOne=trusted --change-interface=docker0
systemctl start NetworkManager.service
nmcli connection modify docker0 connection.zone trusted
systemctl restart docker.service