IPv6 with Docker

The information in this section explains IPv6 with the Docker default bridge. This is a bridge network named bridge that is created automatically when you install Docker.

As we are running out of IPv4 addresses, the IETF has standardized an IPv4 successor, Internet Protocol Version 6, in RFC 2460. Both protocols, IPv4 and IPv6, reside on layer 3 of the OSI model.

How IPv6 works on Docker

By default, the Docker daemon configures the container network for IPv4 only. You can enable IPv4/IPv6 dual-stack support by running the Docker daemon with the --ipv6 flag. Docker will set up the bridge docker0 with the IPv6 link-local address fe80::1.

By default, containers that are created will only get a link-local IPv6 address. To assign globally routable IPv6 addresses to your containers you have to specify an IPv6 subnet to pick the addresses from. Set the IPv6 subnet via the --fixed-cidr-v6 parameter when starting Docker daemon:

You can run dockerd with these flags directly, but it is recommended that you set them in the daemon.json configuration file instead. The following example daemon.json enables IPv6 and sets the IPv6 subnet to 2001:db8:1::/64.

{
"ipv6": true,
"fixed-cidr-v6": "2001:db8:1::/64"
}

The subnet for Docker containers should at least have a size of /80, so that an IPv6 address can end with the container’s MAC address and you prevent NDP neighbor cache invalidation issues in the Docker layer.

By default, the --fixed-cidr-v6 parameter causes Docker to add a new route to the routing table, in effect running the three commands below on your behalf. To prevent the automatic routing, set ip-forward to false in the daemon.json file or start the Docker daemon with the --ip-forward=false flag. Then, to get the same routing table that Docker would create automatically for you, issue the following commands:

$ ip -6 route add 2001:db8:1::/64 dev docker0
$ sysctl net.ipv6.conf.default.forwarding=1
$ sysctl net.ipv6.conf.all.forwarding=1

All traffic to the subnet 2001:db8:1::/64 will now be routed via the docker0 interface.

Note: IPv6 forwarding may interfere with your existing IPv6 configuration. If you are using Router Advertisements to get IPv6 settings for your host’s interfaces, set accept_ra to 2 using the following command. Otherwise, enabling IPv6 forwarding causes the host to reject Router Advertisements.

$ sysctl net.ipv6.conf.eth0.accept_ra=2

Every new container will get an IPv6 address from the defined subnet, and a default route will be added on eth0 in the container via the address specified by the daemon option --default-gateway-v6 (or default-gateway-v6 in daemon.json) if present. The default gateway defaults to fe80::1.

This example provides a way to examine the IPv6 network settings within a running container.

$ docker run -it alpine ash -c "ip -6 addr show dev eth0; ip -6 route show"
15: eth0: <BROADCAST,UP,LOWER_UP> mtu 1500
inet6 2001:db8:1:0:0:242:ac11:3/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe11:3/64 scope link
valid_lft forever preferred_lft forever
2001:db8:1::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1 dev eth0 metric 1024

In this example, the container is assigned a link-local address with the subnet /64 (fe80::42:acff:fe11:3/64) and a globally routable IPv6 address (2001:db8:1:0:0:242:ac11:3/64). The container will create connections to addresses outside of the 2001:db8:1::/64 network via the link-local gateway at fe80::1 on eth0.

Often servers or virtual machines get a /64 IPv6 subnet assigned (e.g. 2001:db8:23:42::/64). In this case you can split it up further and provide Docker a /80 subnet while using a separate /80 subnet for other applications on the host:

In this setup the subnet 2001:db8:23:42::/64 with a range from 2001:db8:23:42:0:0:0:0 to 2001:db8:23:42:ffff:ffff:ffff:ffff is attached to eth0, with the host listening at 2001:db8:23:42::1. The subnet 2001:db8:23:42:1::/80 with an address range from 2001:db8:23:42:1:0:0:0 to 2001:db8:23:42:1:ffff:ffff:ffff is attached to docker0 and will be used by containers.

Using NDP proxying

If your Docker host is the only part of an IPv6 subnet but does not have an IPv6 subnet assigned, you can use NDP proxying to connect your containers to the internet via IPv6. If the host with IPv6 address 2001:db8::c001 is part of the subnet 2001:db8::/64 and your IaaS provider allows you to configure the IPv6 addresses 2001:db8::c000 to 2001:db8::c00f, your network configuration may look like the following:

$ ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:db8::c001/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::601:3fff:fea1:9c01/64 scope link
valid_lft forever preferred_lft forever

To split up the configurable address range into two subnets 2001:db8::c000/125 and 2001:db8::c008/125, use the following daemon.json settings. The first subnet will be used by non-Docker processes on the host, and the second will be used by Docker.

{
"ipv6": true,
"fixed-cidr-v6": "2001:db8::c008/125"
}

The Docker subnet is within the subnet managed by your router and connected to eth0. All containers with addresses assigned by Docker are expected to be found within the router subnet, and the router can communicate with these containers directly.

When the router wants to send an IPv6 packet to the first container, it transmits a neighbor solicitation request, asking “Who has 2001:db8::c009?” However, no host on the subnet has the address; the container with the address is hidden behind the Docker host. The Docker host therefore must listen for neighbor solicitation requests and respond that it is the device with the address. This functionality is called the NDP Proxy and is handled by the kernel on the host machine. To enable the NDP proxy, execute the following command:

$ sysctl net.ipv6.conf.eth0.proxy_ndp=1

Next, add the container’s IPv6 address to the NDP proxy table:

$ ip -6 neigh add proxy 2001:db8::c009 dev eth0

From now on, the kernel answers neighbor solicitation requests for this address on the device eth0. All traffic to this IPv6 address is routed through the Docker host, which will forward it to the container’s network according to its routing table via the docker0 device:

$ ip -6 route show
2001:db8::c008/125 dev docker0 metric 1
2001:db8::/64 dev eth0 proto kernel metric 256

You have to execute the ip -6 neigh add proxy ... command for every IPv6 address in your Docker subnet. Unfortunately there is no functionality for adding a whole subnet by executing one command. An alternative approach would be to use an NDP proxy daemon such as ndppd.
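
The per-address step described above, as an added example (not part of the original page or Docker's own tooling): it reads the fixed-cidr-v6 value from the daemon.json shown earlier, checks that the range lies inside the router's on-link subnet, and returns one ip -6 neigh add proxy command per address. The function name, the uplink_prefix and max_entries parameters, and the 256-entry cap are assumptions made for this example.

```python
import ipaddress
import json

# Constructed sample input: the daemon.json from the NDP proxying section.
DAEMON_JSON = '{"ipv6": true, "fixed-cidr-v6": "2001:db8::c008/125"}'


def ndp_proxy_commands(daemon_json, uplink_prefix, dev="eth0", max_entries=256):
    """Return one `ip -6 neigh add proxy` command per address in fixed-cidr-v6.

    uplink_prefix is the on-link subnet the router manages on `dev`.
    max_entries is a hypothetical safety cap chosen for this example.
    """
    cfg = json.loads(daemon_json)
    if cfg.get("ipv6") is not True:
        raise ValueError("daemon.json does not enable ipv6")
    # strict=True rejects a prefix with host bits set, e.g. 2001:db8::c009/125.
    docker_net = ipaddress.IPv6Network(cfg["fixed-cidr-v6"], strict=True)
    uplink = ipaddress.IPv6Network(uplink_prefix, strict=True)
    # The router only sends neighbor solicitations for addresses it treats as
    # on-link, so the container range must sit inside the uplink subnet.
    if not docker_net.subnet_of(uplink):
        raise ValueError(f"{docker_net} is not inside {uplink}")
    # One proxy entry per address does not scale to a /80 or /64.
    if docker_net.num_addresses > max_entries:
        raise ValueError(
            f"{docker_net} has {docker_net.num_addresses} addresses; "
            "use an NDP proxy daemon such as ndppd instead"
        )
    # Iterating the network yields every address in it, first to last.
    return [f"ip -6 neigh add proxy {addr} dev {dev}" for addr in docker_net]


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them.
    print("sysctl net.ipv6.conf.eth0.proxy_ndp=1")
    for cmd in ndp_proxy_commands(DAEMON_JSON, "2001:db8::/64"):
        print(cmd)
```

The script only prints the commands, so the list can be reviewed before it is run as root on the Docker host.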
