Difficulty getting IPv6 working in a container

cmurf · December 14, 2018, 11:02pm

Fedora 29 Server on Intel NUC, running docker-1.13.1-62.git9cb56fd.fc29.x86_64
Containers are pihole:latest (the end goal) and debian:latest (as a sanity check).

Summary: The pihole container fails to start with errors about the autodetected host IP address being invalid; if I remove the injected environment variable for IPv6 the container starts.

Detail:

First I posted and issue in the pihole forum [1] the question I was asked is if docker daemon is setup for IPv6. And I can’t yet answer that question definitively.
I’ve read this …
https://docs.docker.com/config/daemon/ipv6/
… which says I need to both modify /etc/docker/daemon.json and also add --ipv6 to /usr/lib/systemd/system/docker.service and then reload and restart. But after doing that, the pihole isn’t working. So to sanity check, the following is based on host (intel nuc) and the container is actually the generic debian container.

Host:

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether b8:ae:ed:77:ea:51 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.250/24 brd 10.0.0.255 scope global dynamic noprefixroute enp3s0
       valid_lft 604187sec preferred_lft 604187sec
    inet6 2601:282:700:8c78:3cef:4672:2da9:af30/64 scope global dynamic noprefixroute 
       valid_lft 228262sec preferred_lft 228262sec
    inet6 fe80::91f1:7594:6bae:99ea/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 8a:91:2d:9c:69:3e brd ff:ff:ff:ff:ff:ff
36: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:c4:b0:b5:60 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever

For connection 36, I’m expecting to see some kind of inet6 connection. It seems like there’s no inet6 bridge in place between host and container, where there is for IPv4 as inet 172.17.0.1

This documen suggests I should have an inet6 listing in the docker0 bridge link shown by ip a but it’s not there. So I don’t actually know if the daemon really is correctly using daemon.json configuration file; or if --ipv6 is being honored when the daemon is starting up.

Inside of the docker container:

$ sudo docker run debian ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
37: eth0@if38: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:2/64 scope link tentative 
       valid_lft forever preferred_lft forever

Looks like the container’s lo and eth0 devices have ipv4 and ipv6. But if the docker0 bridge on the host has no inet6 address at all, it seems this is not getting bridged correctly. Anyway I’m totally lost at this point. Thanks.

cmurf · December 14, 2018, 11:03pm

The two containers are from docker.io and the pihole thread is at https://discourse.pi-hole.net/t/error-serveripv6-environment-variable-doesnt-appear-to-be-a-valid-ipv6-address/14949/3

Only two URLS for new users so I was prevented from including them in the original post.

cmurf · December 15, 2018, 1:56am

This is not exactly surprising, but I think it further suggests the daemon itself really isn’t enabling IPv6. I just can’t figure out why not.

$ sudo docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
65a37ba45572        bridge              bridge              local
6ff4b8292e0a        host                host                local
3cfd2e6b77bc        none                null                local
$ sudo docker network inspect 65a37ba45572
[
    {
        "Name": "bridge",
        "Id": "65a37ba45572770a56243343a02d118797a09ae10a5cae0a2a80a2a01687342a",
        "Created": "2018-12-13T18:48:30.321557843-07:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Containers": {
            "75ebd4868f4c9e079677e54e2de45732b712aac9fc0865569d15689aeb1a6829": {
                "Name": "festive_kare",
                "EndpointID": "388196c7002b8c8c114add3a74193fd7a3b6f346c06192ae62fbf5a0127a8589",
                "MacAddress": "02:42:ac:11:00:03",
                "IPv4Address": "172.17.0.3/16",
                "IPv6Address": ""
            },
            "af86b2eb2583016090e98e95202a2d24da6d232efb47097ce86b72319ac93106": {
                "Name": "pihole",
                "EndpointID": "c1bfe30bd43d34c9d92171e3377bb71d3841b42ab7c795c28df0952c36ea4bfb",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

$ sudo docker network inspect 6ff4b8292e0a
[
    {
        "Name": "host",
        "Id": "6ff4b8292e0aba1516484007b5190d7c1ad8d8578e3c036556f51ac0e4584944",
        "Created": "2018-12-07T18:26:24.306965799-07:00",
        "Scope": "local",
        "Driver": "host",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": []
        },
        "Internal": false,
        "Attachable": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]

mikma · December 15, 2018, 7:22pm

I think you also need to specify which IPv6 network to use in daemon.json, at least if you want to use IPv6 on the default bridge (docker0). The IPv6 network should be routed to the docker host and specified in daemon.json as “fixed-cidr-v6”.

/etc/docker/daemon.json example:

{
    "ipv6": true,
    "fixed-cidr-v6": "2001:0db8:1234:5678:9abc::1/80"
}

BTW busybox is a small image that supports IPv6, which I use for troubleshooting.