Tetap teratur dengan koleksi
Simpan dan kategorikan konten berdasarkan preferensi Anda.
Secara default, firewall host Container-Optimized OS mengizinkan koneksi
keluar dan menerima koneksi masuk hanya melalui layanan SSH. Anda
dapat melihat konfigurasi firewall host yang tepat dengan menjalankan sudo iptables -L di
instance VM yang menjalankan Container-Optimized OS.
Perhatikan bahwa firewall host berbeda dengan aturan firewall Virtual Private Cloud, yang juga harus dikonfigurasi agar aplikasi Anda berfungsi dengan benar.
Lihat Ringkasan Aturan Firewall untuk mempelajari lebih lanjut aturan firewall Virtual Private Cloud.
Menjalankan container di namespace jaringan default Docker
Jika Anda men-deploy container di Container-Optimized OS yang harus
dapat diakses melalui jaringan dan Anda tidak menggunakan opsi --net=host Docker,
jalankan container dengan opsi -p Docker. Dengan opsi ini, Docker akan
otomatis mengonfigurasi firewall host untuk mengekspos aplikasi Anda di
jaringan. Lihat
referensi run Docker untuk mempelajari
opsi run Docker lebih lanjut.
Dalam contoh berikut, penampung nginx akan dapat diakses di jaringan pada port 80:
dockerrun--rm-d-p80:80--name=nginxnginx
Menjalankan container di namespace jaringan host
Jika Anda men-deploy container di Container-Optimized OS yang harus
dapat diakses melalui jaringan dan Anda menggunakan opsi --net=host Docker, Anda
harus mengonfigurasi firewall host secara eksplisit.
Anda dapat mengonfigurasi firewall host dengan perintah iptables standar. Seperti
sebagian besar distribusi GNU/Linux, aturan firewall yang dikonfigurasi dengan perintah iptables
tidak akan tetap ada saat memulai ulang. Untuk memastikan firewall host dikonfigurasi dengan benar
pada setiap booting, konfigurasikan firewall host dalam konfigurasi
cloud-init Anda. Perhatikan contoh cloud-init berikut:
#cloud-configwrite_files:-path:/etc/systemd/system/config-firewall.servicepermissions:0644owner:rootcontent:|[Unit]Description=Configures the host firewall[Service]Type=oneshotRemainAfterExit=trueExecStart=/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT-path:/etc/systemd/system/myhttp.servicepermissions:0644owner:rootcontent:|[Unit]Description=My HTTP serviceAfter=docker.service config-firewall.serviceWants=docker.service config-firewall.service[Service]Restart=alwaysExecStart=/usr/bin/docker run --rm --name=%n --net=host nginxExecStop=-/usr/bin/docker exec %n -s quitruncmd:-systemctl daemon-reload-systemctl start myhttp.service
Menggunakan konfigurasi cloud-init ini dengan VM yang menjalankan
OS yang Dioptimalkan Container akan menghasilkan perilaku berikut pada setiap
booting:
Firewall host akan dikonfigurasi untuk mengizinkan koneksi TCP masuk di port
80.
Penampung nginx akan memproses port 80 dan merespons permintaan HTTP
yang masuk.
[[["Mudah dipahami","easyToUnderstand","thumb-up"],["Memecahkan masalah saya","solvedMyProblem","thumb-up"],["Lainnya","otherUp","thumb-up"]],[["Sulit dipahami","hardToUnderstand","thumb-down"],["Informasi atau kode contoh salah","incorrectInformationOrSampleCode","thumb-down"],["Informasi/contoh yang saya butuhkan tidak ada","missingTheInformationSamplesINeed","thumb-down"],["Masalah terjemahan","translationIssue","thumb-down"],["Lainnya","otherDown","thumb-down"]],["Terakhir diperbarui pada 2025-09-04 UTC."],[[["\u003cp\u003eBy default, Container-Optimized OS allows outgoing connections and only accepts incoming connections via SSH, as seen with the \u003ccode\u003esudo iptables -L\u003c/code\u003e command, but this might vary with other Google Cloud products.\u003c/p\u003e\n"],["\u003cp\u003eUsing Docker's \u003ccode\u003e-p\u003c/code\u003e option automatically configures the host firewall for network accessibility when deploying a container on Container-Optimized OS without \u003ccode\u003e--net=host\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eFor IPv6 accessibility, the host firewall must be manually configured using \u003ccode\u003eip6tables\u003c/code\u003e commands because Docker does not automatically configure the IPv6 rules.\u003c/p\u003e\n"],["\u003cp\u003eWhen deploying a container on Container-Optimized OS with Docker's \u003ccode\u003e--net=host\u003c/code\u003e option, you must manually configure the host firewall with \u003ccode\u003eiptables\u003c/code\u003e commands.\u003c/p\u003e\n"],["\u003cp\u003eTo ensure persistent host firewall configurations across reboots when using \u003ccode\u003eiptables\u003c/code\u003e commands, utilize \u003ccode\u003ecloud-init\u003c/code\u003e to set up the firewall rules, such as allowing incoming TCP connections on port 80.\u003c/p\u003e\n"]]],[],null,["# Configuring the host firewall\n\nBy default, the Container-Optimized OS host firewall allows outgoing\nconnections and accepts incoming connections only through the SSH service. You\ncan see the exact host firewall configuration by running `sudo iptables -L` on a\nVM instance running Container-Optimized OS.\n| **Warning:** The default firewall configuration might be different if you are using Container-Optimized OS through another Google Cloud product like [Containers on Compute Engine](/compute/docs/containers/deploying-containers) or Google Kubernetes Engine. Refer to the product specific documentation for more details.\n\nKeep in mind that the host firewall is different from Virtual Private Cloud firewall\nrules, which must also be configured for your applications to work correctly.\nSee the [Firewall Rules Overview](/vpc/docs/firewalls) to learn more about\nVirtual Private Cloud firewall rules.\n\nRunning containers in Docker's default network namespace\n--------------------------------------------------------\n\nIf you are deploying a container on Container-Optimized OS that must be\naccessible over the network and you are not using Docker's `--net=host` option,\nrun your container with Docker's `-p` option. With this option, Docker will\nautomatically configure the host firewall to expose your application on the\nnetwork. See the\n[Docker run reference](https://docs.docker.com/engine/reference/run/) to learn\nmore about Docker run options.\n\nIn the following example, the `nginx` container will be accessible on the\nnetwork on port 80: \n\n docker run --rm -d -p 80:80 --name=nginx nginx\n\n| **Note:** If IPv6 address is used for accessing the deployed container over the network, you must explicitly configure the host firewall using `ip6tables` commands like `\"ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT\"`.This is because Docker does not automatically configure the IPv6 rules for host firewall to expose your application on the network due to [known limitation](https://github.com/moby/moby/issues/21951).\n\nRunning containers in the host's network namespace\n--------------------------------------------------\n\nIf you are deploying a container on Container-Optimized OS that must be\naccessible over the network and you are using Docker's `--net=host` option, you\nmust explicitly configure the host firewall yourself.\n\nYou can configure the host firewall with standard `iptables` commands. As with\nmost GNU/Linux distributions, firewall rules configured with `iptables` commands\nwill not persist across reboots. To ensure that the host firewall is correctly\nconfigured on every boot, configure the host firewall in your `cloud-init`\nconfiguration. Consider the following `cloud-init` example: \n\n #cloud-config\n\n write_files:\n - path: /etc/systemd/system/config-firewall.service\n permissions: 0644\n owner: root\n content: |\n [Unit]\n Description=Configures the host firewall\n\n [Service]\n Type=oneshot\n RemainAfterExit=true\n ExecStart=/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT\n - path: /etc/systemd/system/myhttp.service\n permissions: 0644\n owner: root\n content: |\n [Unit]\n Description=My HTTP service\n After=docker.service config-firewall.service\n Wants=docker.service config-firewall.service\n\n [Service]\n Restart=always\n ExecStart=/usr/bin/docker run --rm --name=%n --net=host nginx\n ExecStop=-/usr/bin/docker exec %n -s quit\n\n runcmd:\n - systemctl daemon-reload\n - systemctl start myhttp.service\n\nUsing this `cloud-init` configuration with a VM running\nContainer-Optimized OS will result in the following behaviors on every\nboot:\n\n- The host firewall will be configured to allow incoming TCP connections on port 80.\n- An `nginx` container will listen on port 80 and respond to incoming HTTP requests.\n\nRefer to\n[Creating and configuring instances](/container-optimized-os/docs/how-to/create-configure-instance)\nto learn more about using `cloud-init` on Container-Optimized OS."]]