https://www.centos.bz/2018/02/%E5%AE%9A%E5%88%B6entrypoint%E8%87%AA%E5%8A%A8%E4%BF%AE%E6%94%B9docker%E4%B8%ADvolume%E7%9A%84%E6%9D%83%E9%99%90/ ……….

Another way:

1. Write a shell script and run it before running docker-compose.

    mkdir ./data
    sudo chown docker ./data
    #sudo chown user01 ./data
    sudo chmod g+rwx ./data
    sudo chgrp 994 ./data

   The directory then exists and has the correct access. 994, or 50, or 1000: see /etc/passwd or /etc/group.

2. But sometimes Docker was installed on the OS in a way you don't know… there may be a user dockerroot and a group dockerroot, or only a group docker. You may have already run

    sudo usermod -a -G docker $(whoami)

   and be 100% in the docker group.

docker alpine

docker & docker-compose: a pile of pitfalls

    FROM alpine
    RUN apk --no-cache upgrade
    RUN apk update &&\
        apk add bash

Use chown 1000 xxxooo, where xxxooo is the file name.

    logtest:
      build:
        context: logtest/
      volumes:
        - ./logtest/logs:./logs:rw
      networks:
        - elk
      command: |
        /bin/sh -c '/bin/sh -s << EOF
        echo "Start filebeat...."
        filebeat run -c ./filebeat.yml -v &
        sleep 2
        while [ ! -f ./logs/filebeat ]
        do
          sleep 2
        done
        chown 1000 ./logs/filebeat
        tail -f /dev/null
        EOF'

docker iptables part 2

Restarting the docker service resets iptables.

Docker basic rules (newer Docker versions may change some things):

    *nat
    :PREROUTING ACCEPT [27:11935]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [598:57368]
    :POSTROUTING ACCEPT [591:57092]
    :DOCKER - [0:0]
    -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
    -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
    -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
    COMMIT
    # Completed on Sun Sep 20 17:35:31 2015
    # Generated by iptables-save v1.

docker iptables

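http://blog.pulipuli.info/2011/07/

http://linux.vbird.org/linux_server/0250simple_firewall.php

    iptables [-AI chain] [-io network interface] [-p tcp,udp] \
    > [-s source IP/network] [--sport port range] \
    > [-d destination IP/network] [--dport port range] -j [ACCEPT|DROP|REJECT]
    Options and parameters:
    --sport port range: restricts the source port number; port numbers can be a continuous range, e.g. 1024:65535
    --dport port range: restricts the destination port number.

    [root@www ~]# iptables -A INPUT [-m state] [--state state]
    Options and parameters:
    -m      : iptables extension modules; the most common are:
              state : state module
              mac   : network card hardware address
    --state : packet states, mainly:
              INVALID    : invalid packet, e.g. a packet with corrupted data
              ESTABLISHED: a connection that has been successfully established
              NEW        : a packet that wants to establish a new connection
              RELATED    : the most commonly used! Indicates that the packet is related to packets sent out by our host

    Example: accept any established or related packet, and drop any invalid packet
    [root@www ~]# iptables -A INPUT -m state \
    > --state RELATED,ESTABLISHED -j ACCEPT
    [root@www ~]# iptables -A INPUT -m state --state INVALID -j DROP

https://www.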

docker csf

https://meta.discourse.org/t/applying-docker-discourse-iptables-rules-when-using-csf-firewall/70531/5

csf v12.08

NOTE: This feature is currently in BETA testing, so may not work correctly

This section provides the configuration of iptables rules to allow Docker containers to communicate through the host. If the generated rules do not work with your setup you will have to use a /etc/csf/csfpost.sh file and add your own iptables configuration instead

1 to enable, 0 to disable

Sue boy

Sueboy Can support You

CIO

Taiwan