ipv6 docker

DOCKER, IPV6

BASIC CONFIGURATION OF DOCKER ENGINE WITH IPV6

SEPTEMBER 21, 2015 EYEPV6(AT)GMAIL(DOT)COM 4 COMMENTS

This is the start of a blog series dedicated to enabling IPv6 for the various components in the Docker toolbox.

I am starting the series off by talking about the basic configuration for enabling IPv6 with Docker Engine.  There are some good examples that the Docker folks have put together that you will want to read through: https://docs.docker.com/engine/userguide/networking/default_network/ipv6/

Disclaimer: I am not teaching you Docker.  There are a zillion places to go learn Docker.  I am making the dangerous assumption that you already know what Docker is, how to install it and how to use it.

I am also not teaching you IPv6.  There are also a zillion places to go learn IPv6.  I am making the even more dangerous assumption that you know what IPv6 is, what the addressing details are and how to use it.

Diagram

The graphic below shows a high-level view of my setup.  I have two Docker hosts (docker-v6-1 and docker-v6-2) that are running Ubuntu 14.04.  As of this first post, I am using Docker 1.8.2. Both hosts are attached to a Layer-2 switch via their eth0 interfaces.  I am using static IPv4 addresses (not relevant here) for the host and StateLess Address AutoConfiguration (SLAAC) for IPv6 address assignment out of the Unique Local Address (ULA)FD15:4BA5:5A2B:1009::/64 range.

Preparing the Docker Host for IPv6:

As I mentioned before, I am using SLAAC-based assignment for IPv6 addressing on each host.  You can use static, SLAAC, Stateful DHCPv6 or Stateless DHCPv6 if you want.  I am not covering any of that as they don’t pertain directly to Docker.

Each Docker host as an IPv6 address and can reach the outside world:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:f3:f8:48 brd ff:ff:ff:ff:ff:ff
    inet 192.168.80.200/24 brd 192.168.80.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd15:4ba5:5a2b:1009:cc7:2609:38b7:e6c6/64 scope global temporary dynamic
       valid_lft 86388sec preferred_lft 14388sec
    inet6 fd15:4ba5:5a2b:1009:20c:29ff:fef3:f848/64 scope global dynamic
       valid_lft 86388sec preferred_lft 14388sec
    inet6 fe80::20c:29ff:fef3:f848/64 scope link
       valid_lft forever preferred_lft forever

root@docker-v6-1:~# ping6 -n www.google.com
PING www.google.com(2607:f8b0:400f:802::2004) 56 data bytes
64 bytes from 2607:f8b0:400f:802::2004: icmp_seq=1 ttl=255 time=13.7 ms
64 bytes from 2607:f8b0:400f:802::2004: icmp_seq=2 ttl=255 time=14.5 ms

Since I am using router advertisements (RAs) for my IPv6 address assignment, it is important to force the acceptance of RAs even when forwarding is enabled:

sysctl net.ipv6.conf.eth0.accept_ra=2

Now, if you haven’t already, install Docker using whatever method you are comfortable with.  Again, this is not a primer on Docker. 

Docker! Docker! Docker!

Now that the IPv6 basics are there on the host and you have Docker installed, it is time to set the IPv6 subnet for Docker.  You can do this via the ‘docker daemon’ command or you can set it in the /etc/default/docker file.  Below is the example using the ‘docker daemon’ command. Here, I am setting the fixed IPv6 prefix as FD15:4BA5:5A2B:100A::/64.

root@docker-v6-1:~# docker daemon --ipv6 --fixed-cidr-v6="fd15:4ba5:5a2b:100a::/64

Here is the same IPv6 prefix being set, but this is using the /etc/default/docker file:

DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --ipv6 --fixed-cidr-v6=fd15:4ba5:5a2b:100a::/64"

Let’s fire up a container and see what happens. The example below shows that the container got an IPv6 address out of the prefix we set above:

root@docker-v6-1:~# docker run -it ubuntu bash
root@aea405985524:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:01 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd15:4ba5:5a2b:100a:0:242:ac11:1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:1/64 scope link
       valid_lft forever preferred_lft forever

Ping the outside world:

root@aea405985524:/# ping6 www.google.com
PING www.google.com(den03s10-in-x04.1e100.net) 56 data bytes
64 bytes from den03s10-in-x04.1e100.net: icmp_seq=1 ttl=254 time=14.6 ms
64 bytes from den03s10-in-x04.1e100.net: icmp_seq=2 ttl=254 time=12.5 ms

Fire up another container and ping the first container over IPv6:

root@docker-v6-1:~# docker run -it ubuntu bash
root@e8a8662fad76:/# ping6 fd15:4ba5:5a2b:100a:0:242:ac11:1
PING fd15:4ba5:5a2b:100a:0:242:ac11:1(fd15:4ba5:5a2b:100a:0:242:ac11:1) 56 data bytes
64 bytes from fd15:4ba5:5a2b:100a:0:242:ac11:1: icmp_seq=1 ttl=64 time=0.094 ms
64 bytes from fd15:4ba5:5a2b:100a:0:242:ac11:1: icmp_seq=2 ttl=64 time=0.057 ms

Add the 2nd Docker host

Sweet! We have one host (docker-v6-1) running with two containers that can reach each other over IPv6 and reach the outside world.  Now let’s add the second Docker host (docker-v6-2).

Repeat all of the steps from above but change the IPv6 prefix that Docker is going to use. Here is an example using FD15:4BA5:5A2B:100B::/64:

DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --ipv6 --fixed-cidr-v6=fd15:4ba5:5a2b:100b::/64”

In order to have containers on one host reach containers on another host over IPv6, we have to figure out routing. You can enable host-based routing (the example I will show below) or you can just use the Layer-3 infrastructure you likely already have in your Data Center. I would recommend the latter option. Remember that Docker is not doing NAT for IPv6 so you have to have some mechanism to allow for pure L3 reachability between the various IPv6 address spaces you are using.
Here is an example of using host-based routing on each of the two Docker hosts. First, configure a static IPv6 route on the first Docker host (i.e. docker-v6-1). The route statement below says to route all traffic destined for the fd15:4ba5:5a2b:100b::/64 prefix (the one being used on docker-v6-2) to the IPv6 address of the docker-v6-2 eth0 interface.

root@docker-v6-1:~# ip -6 route add fd15:4ba5:5a2b:100b::/64 via fd15:4ba5:5a2b:1009:20c:29ff:febb:cbf8

Now, do the same on the 2nd Docker host (docker-v6-2). This route statement says to route all traffic destined for the fd15:4ba5:5a2b:100a::/64 prefix (used on docker-v6-1) to the IPv6 address of the docker-v6-1 eth0 interface:

root@docker-v6-2:~# ip -6 route add fd15:4ba5:5a2b:100a::/64 via fd15:4ba5:5a2b:1009:20c:29ff:fef3:f848

The final test is to ping from one container on docker-v6-1 to a container on docker-v6-2:

root@e8a8662fad76:/# ping6 fd15:4ba5:5a2b:100b:0:242:ac11:1
PING fd15:4ba5:5a2b:100b:0:242:ac11:1(fd15:4ba5:5a2b:100b:0:242:ac11:1) 56 data bytes
64 bytes from fd15:4ba5:5a2b:100b:0:242:ac11:1: icmp_seq=3 ttl=62 time=0.570 ms
64 bytes from fd15:4ba5:5a2b:100b:0:242:ac11:1: icmp_seq=4 ttl=62 time=0.454 ms

It works!

We will build on this scenario in upcoming posts as we walk through enabling IPv6 functionality in a variety of Docker network scenarios and other Docker services.

Shannon

Post navigation

PREVIOUS POSTVMware Fusion 8 Pro – IPv6 NATNEXT POSTDocker Hub – We don’t need no stinking IPv6!

4 THOUGHTS ON “BASIC CONFIGURATION OF DOCKER ENGINE WITH IPV6”

1. John Mann
   SEPTEMBER 21, 2015 AT 19:50

   I can’t see how you managed to do
   “root@docker-v6-1:~# ping6 -n http://www.google.com”
   when docker-v6-1 has a ULA address.

   Also, how does this work?
   ” root@aea405985524:/# ping6 http://www.google.com”
   Doesn’t the upstream router need to be told a route to the docker-v6-1 internal network:
   route fd15:4ba5:5a2b:100a::/64 via fd15:4ba5:5a2b:1009:20c:29ff:fef3:f848

   PS. Why use ULA addresses while also wanting global reach (to http://www.google.com)?
   Why not use GUA addresses everywhere?

   REPLY
   1. eyepv6(at)gmail(dot)com
      SEPTEMBER 22, 2015 AT 07:32

      Hey John!

      Thanks for the comment. I am doing all of this on VMware Fusion 8 Pro which doesn’t do native IPv6 routing between interfaces. It only supports NAT with ULA addresses. You can see my previous post on this topic:http://www.debug-all.com/?p=123. Yes, you would want to use real GUA addresses in a production environment but my current setup is running in Fusion. 

      REPLY
2. Pingback: Docker Hub – We don’t need no stinking IPv6! | Debug-All
3. Pingback: Docker Registry with IPv6 | Debug-All

LEAVE A REPLY

Your email address will not be published. Required fields are marked *