Linode and Docker and IPv6 connectivity
Hello,
I'm attempting to set up IPv6 connectivity for some docker containers on my linode instance, which has a /64 IPv6 subnet assigned to it.
When I assign a /80 from this space to the docker engine, and a docker container receives a corresponding address, I'm able to ping the linode host itself, but nothing beyond that:
root@4136c857d0d7:/# ping6 2607:f8b0:4000:80f::200e # internet host
PING 2607:f8b0:4000:80f::200e(2607:f8b0:4000:80f::200e) 56 data bytes
^C
--- 2607:f8b0:4000:80f::200e ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4055ms
By sniffing from the linode host, I can see outbound ICMP ping requests from the container, but no responses:
tcpdump -i any -nn -vv ip6
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:02:49.949874 IP6 (flowlabel 0x681e7, hlim 64, next-header ICMPv6 (58) payload length: 64) container_ip > 2607:f8b0:4000:80f::200e: [icmp6 sum ok] ICMP6, echo request, seq 4
20:02:49.949874 IP6 (flowlabel 0x681e7, hlim 64, next-header ICMPv6 (58) payload length: 64) container_ip > 2607:f8b0:4000:80f::200e: [icmp6 sum ok] ICMP6, echo request, seq 4
20:02:49.949916 IP6 (flowlabel 0x681e7, hlim 63, next-header ICMPv6 (58) payload length: 64) container_ip > 2607:f8b0:4000:80f::200e: [icmp6 sum ok] ICMP6, echo request, seq 4
20:02:50.963006 IP6 (flowlabel 0x681e7, hlim 64, next-header ICMPv6 (58) payload length: 64) container_ip > 2607:f8b0:4000:80f::200e: [icmp6 sum ok] ICMP6, echo request, seq 5
20:02:50.963006 IP6 (flowlabel 0x681e7, hlim 64, next-header ICMPv6 (58) payload length: 64) container_ip > 2607:f8b0:4000:80f::200e: [icmp6 sum ok] ICMP6, echo request, seq 5
20:02:50.963060 IP6 (flowlabel 0x681e7, hlim 63, next-header ICMPv6 (58) payload length: 64) container_ip > 2607:f8b0:4000:80f::200e: [icmp6 sum ok] ICMP6, echo request, seq 5
(I've confirmed the targeted IP does respond to pings by running the same command from the linode host:
ping6 2607:f8b0:4000:80f::200e
PING 2607:f8b0:4000:80f::200e(2607:f8b0:4000:80f::200e) 56 data bytes
64 bytes from 2607:f8b0:4000:80f::200e: icmp_seq=1 ttl=58 time=1.23 ms
64 bytes from 2607:f8b0:4000:80f::200e: icmp_seq=2 ttl=58 time=1.40 ms
^C
--- 2607:f8b0:4000:80f::200e ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.233/1.320/1.408/0.094 ms)
I've also assigned the IPv6 address used for the docker container to the Linode host's /etc/network/interfaces, as per https://www.linode.com/docs/networking/linux-static-ip-configuration
As well as set up NDP proxy (per https://docs.docker.com/v17.09/engine/userguide/networking/default_network/ipv6/).
ip6tables is set up to ACCEPT all on both the host and container, so I'm currently stumped…
Greatly appreciate any assistance!
6 Replies
> I'm able to ping the linode host itself, but nothing beyond that
Does the linode host have IPv6 forwarding enabled?
> I've also assigned the IPv6 address used for the docker container to the Linode host's /etc/network/interfaces
Why are you doing that? Making the linode host think the address belongs to itself is the opposite of what you need: it will just consume the packets itself instead of forwarding them to the container.
> As well as set up NDP proxy
Why are you doing that? Your /64 subnet is directly routed to your linode (to its main address) and NDP is not used for it.
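The three host-side conditions raised in the reply above (forwarding, the container's address being configured on the host, and NDP proxying) can be checked in one pass. This is an added example, not part of the thread; `check_v6_host`, `SYSCTL_ROOT` and `ADDR_CMD` are hypothetical names, and the container address is assumed to be written the way `ip` prints it.

```shell
#!/bin/sh
# Added example: host-side checks for a routed IPv6 prefix handed to Docker.
# SYSCTL_ROOT and ADDR_CMD are hypothetical overrides so the checks can be
# run against a constructed tree instead of the live host.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"
ADDR_CMD="${ADDR_CMD:-ip -6 -o addr show}"

# Prints the findings on one line, or "ok" when none apply.
# $1 = uplink interface (e.g. eth0)
# $2 = container IPv6 address, written as `ip` prints it
check_v6_host() {
    uplink="$1"; caddr="$2"; findings=""
    conf="$SYSCTL_ROOT/net/ipv6/conf"

    # The host has to route between the Docker bridge and the uplink.
    if [ "$(cat "$conf/all/forwarding" 2>/dev/null)" != "1" ]; then
        findings="$findings forwarding-off"
    fi

    # An address configured on any host interface (the bridge included)
    # is delivered to the host itself instead of being forwarded.
    if $ADDR_CMD | grep -qF " inet6 $caddr/"; then
        findings="$findings container-addr-on-host"
    fi

    # Per the reply above, the /64 is routed to the host, so NDP
    # proxying on the uplink is not needed for it.
    if [ "$(cat "$conf/$uplink/proxy_ndp" 2>/dev/null)" = "1" ]; then
        findings="$findings proxy-ndp-on"
    fi

    [ -n "$findings" ] || findings=" ok"
    echo "${findings# }"
}
```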
Thanks for your response @grawity.
The host has IPv6 forwarding enabled, assuming this is the correct setting to do so:
❯❯❯ cat /proc/sys/net/ipv6/conf/all/forwarding > 1
Regarding IPv6 address in the host's /etc/network/interfaces, and NDP proxy - I added those steps after Linode Support suggested them - with the caveat they don't generally advise on such issues, and I'd be better off posting a question here… ; )
Sorry, clarification regarding /etc/network/interfaces on the host:
I added the container's IPv6 address to the docker network interface ('br-fc9c7e29fa0b' in this case) - not the host's primary network interface.
Not to suggest that is necessarily correct - but less scatterbrained than it may have seemed when I first posted it.
Fyi, the docker network interface was created as follows:
docker network create -d bridge --subnet=172.24.0.0/24 --ipv6 --subnet="<the_subnet>/80" ip6bridge
Last post for now - just to reiterate:
Sniffing from the Linode host, I can see outbound ICMP ping requests from the container, but no responses - does this suggest that there is somehow an upstream issue preventing the responses from arriving at the host at all?
I have the same exact problem as rd; whenever I started running the docker container, my IPv6 stopped working.