How to enable ipv6 on docker / create ipv6 network with /128

I have followed the doc, but I can't get it to work.
I am not sure what IP address I should insert into "fixed-cidr-v6".

AFAIK my VPS provider gave me a single ipv6 /128 address and no pool. So I have no real subnet to play with.

I have read that I need a /64 address and need to add this prefix inside the daemon.json. Am I misunderstanding ipv6? I am quite confused about docker ipv6 networks.

Why do I need to declare a fixed-cidr-v6 address and with ipv4 not?

Because with ipv4 there is a pre-configuration. The default “bridge” network has the range 172.17.0.1/16. User defined networks use a random range, from a pre-defined pool and a given netmask for the random ranges per network.

By default ipv6 is not enabled, though docker0 will still get a LLA, but no GUA.

When it comes to a public ipv4 /32 address, you could define a macvlan for it:

docker network create \
  --driver macvlan \
  -o parent=eth0 \
  --subnet=x.x.x.x/ww \
  --gateway=x.x.x.y \
  --ip-range=x.x.x.z/32 \
  failoverip

This would allow you to create a docker macvlan network with a single ip, but you still need to provide the correct details from the provider for the subnet and gateway for the network the failoverip is in.

I can imagine the same should be possible for ipv6, as long as the prefix is fixed and won’t change.

But here is the caveat: if you assign this ipv6 address to one of your containers, it will create a macvlan child interface, which will not be able to communicate with the host interface…

Honestly, I don’t know how ipv6 would work with GUAs in a private setup, where prefixes are changed every couple of hours. I assume it is meant to be used with ULAs, which remain stable but are effectively private addresses. So you would need some sort of loadbalancer/reverse proxy that is exposed by a GUA to forward the reverse proxy to the ULAs.

Update: I see the documentation uses a fixed GUA, but it’s from a range meant for documentation - to my knowledge it should not be routed to the internet and is more meant as a placeholder to be used in documentation. I assume it can be used the same way as I wrote with the ULAs above.

Update 2: I am not sure if a static GUA really needs a macvlan after reading 3.3. Exploring IPv6 in Container Networking — ipv6 Latest documentation. You kind of made me curious about ipv6 with docker.

I don't need GUAs.
I just need my docker network to be aware of the LLAs.

My ip a

3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::1/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::42:d7ff:fe36:f08b/64 scope link
       valid_lft forever preferred_lft forever
291: br-32c97f753dca: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.1/16 brd 172.20.255.255 scope global br-32c97f753dca
       valid_lft forever preferred_lft forever
    inet6 fe80::42:deff:febd:d65b/64 scope link
       valid_lft forever preferred_lft forever
293: veth51720c0@if292: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-32c97f753dca state UP group default
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::2899:80ff:feed:f666/64 scope link
       valid_lft forever preferred_lft forever
295: vetha464a10@if294: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-32c97f753dca state UP group default
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::941a:eaff:fe4e:a2d6/64 scope link
       valid_lft forever preferred_lft forever
	   
...

I don't understand what I need to do to enable ipv6 in my created bridge network.

I create it simply via:
docker network create nginx-proxy

Inspecting the network shows that no ipv6 addresses are given.

"Containers": {
            "xxx": {
                "Name": "container_1",
                "EndpointID": "xxx",
                "MacAddress": "xx:xx:xx:xx:xx:xx",
                "IPv4Address": "172.20.0.8/16",
                "IPv6Address": ""
            },
            "4f84ab671ee3c25cefe5b1b75fdedbf6a019b72d70044f17db9384a8ddc46abc": {
                "Name": "container_2",
                "EndpointID": "xxx",
                "MacAddress": "xx:xx:xx:xx:xx:xx",
                "IPv4Address": "172.20.0.4/16",
                "IPv6Address": ""
            },

As you mentioned, docker0 and all my containers get an LLA though. But they have no ipv6 availability inside the container; they can't communicate via ipv6.
Docker does this without enabling ipv6 in /etc/docker/daemon.json.

I don't understand why my network doesn't automatically take over those ipv6 addresses.

I need docker containers to be able to communicate via ipv6, because collabora gets connections from a nextcloud container via office.example.tld, which resolves to an ipv6 address, and inside the docker network this results in Network is unreachable.

Edit:
I have an nginx-proxy container. I listen on 80, [::]:80 and 443, [::]:443. Do I even need an ipv6 network if the proxy_pass resolves to an ipv4 inside the docker network?


What is it that I still don't understand?
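Added example, not part of the thread and not Docker's own code: the answer above suggests stable ULAs for container networks, so this Python sketch classifies addresses like those in the `ip a` output, picks a random ULA /48 (a simplification of the RFC 4193 procedure), and derives one /64 for `fixed-cidr-v6` and one for the `nginx-proxy` bridge. The function names are hypothetical; the daemon.json keys and `docker network create` flags are Docker's.

```python
import ipaddress
import json
import secrets

# Well-known IPv6 ranges named in the thread; order matters because the
# documentation range lies inside global unicast space.
RANGES = [
    ("link-local (LLA)", ipaddress.ip_network("fe80::/10")),
    ("unique-local (ULA)", ipaddress.ip_network("fc00::/7")),
    ("documentation", ipaddress.ip_network("2001:db8::/32")),
    ("global (GUA)", ipaddress.ip_network("2000::/3")),
]


def classify(addr: str) -> str:
    """Name the IPv6 scope of an address; a /64-style suffix is ignored."""
    ip = ipaddress.ip_interface(addr).ip
    for label, net in RANGES:
        if ip in net:
            return label
    return "other"


def random_ula_48() -> ipaddress.IPv6Network:
    """fd00::/8 plus a random 40-bit global ID, returned as a /48.
    Assumption: plain randomness instead of RFC 4193's hash-based method."""
    base = (0xFD << 120) | (secrets.randbits(40) << 80)
    return ipaddress.IPv6Network((base, 48))


def docker_ipv6_plan(ula48, network_name="nginx-proxy"):
    """Carve two /64s: one for docker0, one for a user-defined bridge."""
    subnets = ula48.subnets(new_prefix=64)
    bridge64, user64 = next(subnets), next(subnets)
    daemon_json = {"ipv6": True, "fixed-cidr-v6": str(bridge64)}
    create_cmd = ["docker", "network", "create", "--ipv6",
                  "--subnet", str(user64), network_name]
    return daemon_json, create_cmd


if __name__ == "__main__":
    # Constructed samples: one address from the `ip a` output, one doc-range address.
    for sample in ("fe80::42:d7ff:fe36:f08b/64", "2001:db8:1::1"):
        print(sample, "->", classify(sample))
    daemon_json, create_cmd = docker_ipv6_plan(random_ula_48())
    print(json.dumps(daemon_json, indent=2))  # content for /etc/docker/daemon.json
    print(" ".join(create_cmd))
```

A ULA subnet is not routed on the internet, so it gives the containers IPv6 addresses for traffic among themselves and with the host bridge only.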