Driver failed programming external connectivity on endpoint quirky_ allen

docker port mapping or starting container Error Error response from daemon: driver failed programming external connectivity on endpoint quirky_allen

phenomenon:

[root@localhost ~]# docker run -d -p 9000:80 centos:httpd /bin/sh -c /usr/local/bin/start.sh
d5b2bd5a7bc4895a973fe61efd051847047d26385f65c278aaa09e4fa31c4d76
docker: Error response from daemon: driver failed programming external connectivity on endpoint quirky_allen (6bda693d1143657e46bee0300276aa05820da2b21a3d89441e820d1a274c48b6): (iptables failed: Iptables — wait-T nat-a Docker-P TCP-D 0/0 — Dport 9000-j DNAT — to-Destination 172.17.0.2:80! -i docker0: iptables: No chain/target/match by that name.
(exit status 1)).

[root@localhost ~]# docker start d5b2bd5a7bc4
Error response from daemon: driver failed programming external connectivity on endpoint quirky_allen (4127da7466709fd45695a1fbe98e13c2ac30c2a554e18fb902ef5a03ba308438): (iptables failed: Iptables — wait-T nat-a Docker-P TCP-D 0/0 — Dport 9000-j DNAT — to-Destination 172.17.0.2:80! -i docker0: iptables: No chain/target/match by that name.
(exit status 1))
Error: failed to start containers: d5b2bd5a7bc4

reason :
docker service startup custom chain docker due to centos7 firewall has been removed

The

firewall is based on iptables for data filtering, which may cause conflicts with Docker.

when firewalld is started or restarted, the rules of DOCKER will be removed from the iptables, thus affecting the normal work of DOCKER.

when you are using Systemd, firewalld will start before Docker, but if you start after Docker or restart firewalld, you will need to restart the Docker process.

restart docker service and regenerate the custom docker

chain

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0          
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:8080

Chain DOCKER (2 references)
target     prot opt source               destination        
RETURN     all  --  0.0.0.0/0            0.0.0.0/0          
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8888 to:172.17.0.2:8080
root@router:playbook#iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0          
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:8080

Chain DOCKER (2 references)
target     prot opt source               destination        
RETURN     all  --  0.0.0.0/0            0.0.0.0/0          
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8888 to:172.17.0.2:8080


restart docker service then start the container
systemctl restart docker
docker start foo