Description
Hi all - moby maintainer here ...
This is related to:
- docker-in-docker feature breaks with Codespaces+Kind and docker v27+ (docker's ipv6 breaking changes) #1023
- [docker-in-docker] - toggle ip6tables settings value as option #1068
- dockerd now requires ip6tables to startup moby/moby#47895
In moby 27.0 we enabled ip6tables by default. So, to create a Docker network with `--ipv6` the `ip6_tables` kernel module is needed. But, in Codespaces it's not loaded on startup.
In the issue/PR linked above, devcontainers option `disableIp6tables` was added to work around the problem by adding `--ip6tables=false` to docker's command line. That'll restore the pre-27.0 behaviour, so docker won't try to create ip6tables rules. But, docker bridge networks won't work properly without those rules (and users have to know to set the option, or they get a complicated-looking error from docker when trying to create a network with `--ipv6`).
The official Docker-in-Docker image tries to load modules on the host using this unlikely-looking trick ... `ip link show ip6_tables` (as root). It produces an error about the link not existing but, in a Codespace, it does trigger the module load - then ip6tables works normally. So, if the module is loaded before dockerd starts, `--ipv6` networks should just-work.
Would it be possible to add that `ip link show` trick, probably to the `docker-init.sh` script? Then, in a lot of cases, there shouldn't be any need to disable docker's use of ip6tables.
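The pre-start step proposed above, as an added example that is not part of the original issue or of the project's `docker-init.sh`: it triggers the module load with `ip link show ip6_tables`, confirms the result, and falls back to `--ip6tables=false` only when the module is still missing. `MODULES_FILE` and `TRIGGER_CMD` are hypothetical overrides for testing, and checking `/proc/modules` is an assumption about how to confirm the load.

```shell
#!/bin/sh
# Added example, not the project's docker-init.sh.
# MODULES_FILE and TRIGGER_CMD are hypothetical overrides so the logic can be
# exercised without root or a real kernel.
MODULES_FILE="${MODULES_FILE:-/proc/modules}"
TRIGGER_CMD="${TRIGGER_CMD:-ip link show}"

# Return 0 if the named module is listed as loaded.
# Caveat: a driver built into the kernel does not appear in /proc/modules.
module_loaded() {
    grep -q "^$1 " "$MODULES_FILE" 2>/dev/null
}

# Query a link named after the module. The command is expected to fail with
# a "does not exist" error; only the module auto-load side effect matters.
trigger_module_load() {
    $TRIGGER_CMD "$1" >/dev/null 2>&1 || true
}

# Print the extra dockerd arguments: nothing when ip6_tables is available,
# --ip6tables=false (the pre-27.0 behaviour) as a last resort.
dockerd_ip6tables_args() {
    if ! module_loaded ip6_tables; then
        trigger_module_load ip6_tables
    fi
    if module_loaded ip6_tables; then
        return 0
    fi
    # Make the degraded mode visible instead of silently losing IPv6 rules.
    echo "warning: ip6_tables not loaded; starting dockerd with --ip6tables=false" >&2
    printf '%s\n' "--ip6tables=false"
}

# Intended use before starting the daemon (run as root):
#   dockerd $(dockerd_ip6tables_args) ...
```

The warning on stderr keeps the fallback from hiding the fact that bridge networks will run without ip6tables rules.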