Description
When using IPv6 in rootless mode, containers cannot reach any IPv6 address.
Running ping6 fails, and curl too:
docker@pcserver2023:~> docker run -it --rm bash:4.4
bash-4.4# ping6 -c 3 www.heise.de
PING www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85): 56 data bytes
--- www.heise.de ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
bash-4.4# wget --no-check-certificate --spider https://[2a02:2e0:3fe:1001:7777:772e:2:85]/index.html
Connecting to [2a02:2e0:3fe:1001:7777:772e:2:85] ([2a02:2e0:3fe:1001:7777:772e:2:85]:443)
wget: can't connect to remote host: Network unreachable
No matter what I have tried so far, I was not able to make outgoing IPv6 work (I think I have followed all instructions to make firewalls and Docker work).
Strangely, with slirp4netns at least connecting from the internet to my IPv6 address (the IPv6 address of the host's NIC) works perfectly.
Unfortunately my service is relying on the described functionality (Nextcloud AIO), and I only have IPv6 available.
Does anyone know any way to make outgoing IPv6 work on rootless?
By the way, I didn't get pasta or bypass4netns working; maybe some advice on how to work around the problems with slirp4netns and IPv6?
Reproduce
- Fresh Linux install with cgroups v2 enabled. Docker rootless set up as user docker.
Here using the pasta network driver with the implicit port driver for testing, but it's the same with slirp4netns:
docker@pcserver2023:~> curl -fsSL https://get.docker.com/rootless | sh
# Installing stable version 27.1.0
# Executing docker rootless install script, commit: 1ce4e39
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 70.4M 100 70.4M 0 0 2314k 0 0:00:31 0:00:31 --:--:-- 1052k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 19.7M 100 19.7M 0 0 2292k 0 0:00:08 0:00:08 --:--:-- 2759k
+ PATH=/home/docker/bin:/home/docker/bin:/home/docker/bin:/home/docker/bin:/usr/local/bin:/usr/bin:/bin
+ /home/docker/bin/dockerd-rootless-setuptool.sh install
[INFO] Creating /home/docker/.config/systemd/user/docker.service
[INFO] starting systemd service docker.service
+ systemctl --user start docker.service
+ sleep 3
+ systemctl --user --no-pager --full status docker.service
● docker.service - Docker Application Container Engine (Rootless)
Loaded: loaded (/home/docker/.config/systemd/user/docker.service; enabled; vendor preset: disabled)
Drop-In: /home/docker/.config/systemd/user/docker.service.d
└─override.conf
Active: active (running) since Tue 2024-07-23 14:36:02 CEST; 3s ago
Docs: https://docs.docker.com/go/rootless/
Main PID: 934 (rootlesskit)
Tasks: 45
Memory: 67.1M
CPU: 385ms
CGroup: /user.slice/user-1001.slice/user@1001.service/app.slice/docker.service
├─ 934 rootlesskit --state-dir=/run/user/1001/dockerd-rootless --net=pasta --mtu=1500 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=implicit --copy-up=/etc --copy-up=/run --propagation=rslave --ipv6 /home/docker/bin/dockerd-rootless.sh
├─ 940 /proc/self/exe --state-dir=/run/user/1001/dockerd-rootless --net=pasta --mtu=1500 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=implicit --copy-up=/etc --copy-up=/run --propagation=rslave --ipv6 /home/docker/bin/dockerd-rootless.sh
├─ 955 pasta --foreground --stderr --ns-ifname=tap0 --mtu=1500 --no-dhcp --no-ra --address=10.0.2.100 --netmask=24 --gateway=10.0.2.2 --dns-forward=10.0.2.3 --no-map-gw --tcp-ports=auto --udp-ports=auto 940
├─ 967 dockerd
└─ 992 containerd --config /run/user/1001/docker/containerd/containerd.toml
+ DOCKER_HOST=unix:///run/user/1001/docker.sock
+ /home/docker/bin/docker version
Client:
Version: 27.1.0
API version: 1.46
Go version: go1.21.12
Git commit: 6312585
Built: Fri Jul 19 17:41:56 2024
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 27.1.0
API version: 1.46 (minimum version 1.24)
Go version: go1.21.12
Git commit: a21b1a2
Built: Fri Jul 19 17:43:33 2024
OS/Arch: linux/amd64
Experimental: true
containerd:
Version: v1.7.20
GitCommit: 8fc6bcff51318944179630522a095cc9dbf9f353
runc:
Version: 1.1.13
GitCommit: v1.1.13-0-g58aa920
docker-init:
Version: 0.19.0
GitCommit: de40ad0
rootlesskit:
Version: 2.0.2
ApiVersion: 1.1.1
NetworkDriver: pasta
StateDir: /run/user/1001/dockerd-rootless
+ systemctl --user enable docker.service
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger docker`
[INFO] CLI context "rootless" already exists
[INFO] Using CLI context "rootless"
Current context is now "rootless"
Warning: DOCKER_HOST environment variable overrides the active context. To use "rootless", either set the global --context flag, or unset DOCKER_HOST environment variable.
[INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc):
export PATH=/home/docker/bin:$PATH
[INFO] Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1001/docker.sock
daemon.json:
{
"experimental": true,
"ipv6": true,
"fixed-cidr-v6": "fdff:6785:1::/48",
"iptables": true,
"ip6tables": true,
"log-opts": {
"max-size": "10m",
"max-file": "5"
}
}
network:
docker@pcserver2023:~> docker network inspect bridge
[
{
"Name": "bridge",
"Id": "61278e5b24b18a0b6897834cdad253851e5133389928e82a9fe1ebb9debda930",
"Created": "2024-07-23T14:45:08.276573789+02:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": true,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16",
"Gateway": "172.17.0.1"
},
{
"Subnet": "fdff:6785:1::/48",
"Gateway": "fdff:6785:1::1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {
"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"
},
"Labels": {}
}
]
Expected behavior
Should work as IPv4 does:
docker run -it --rm bash:4.4
bash-4.4# ping -c 3 www.heise.de
PING www.heise.de (193.99.144.85): 56 data bytes
64 bytes from 193.99.144.85: seq=0 ttl=254 time=326.905 ms
64 bytes from 193.99.144.85: seq=1 ttl=254 time=14.479 ms
64 bytes from 193.99.144.85: seq=2 ttl=254 time=14.441 ms
--- www.heise.de ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 14.441/118.608/326.905 ms
docker version
Client:
Version: 27.1.0
API version: 1.46
Go version: go1.21.12
Git commit: 6312585
Built: Fri Jul 19 17:41:56 2024
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 27.1.0
API version: 1.46 (minimum version 1.24)
Go version: go1.21.12
Git commit: a21b1a2
Built: Fri Jul 19 17:43:33 2024
OS/Arch: linux/amd64
Experimental: true
containerd:
Version: v1.7.20
GitCommit: 8fc6bcff51318944179630522a095cc9dbf9f353
runc:
Version: 1.1.13
GitCommit: v1.1.13-0-g58aa920
docker-init:
Version: 0.19.0
GitCommit: de40ad0
rootlesskit:
Version: 2.0.2
ApiVersion: 1.1.1
NetworkDriver: pasta
StateDir: /run/user/1001/dockerd-rootless
docker info
Client:
Version: 27.1.0
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: 0.16.2
Path: /usr/lib/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.27.0
Path: /home/docker/.docker/cli-plugins/docker-compose
Server:
Containers: 1
Running: 1
Paused: 0
Stopped: 0
Images: 35
Server Version: 27.1.0
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: true
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 8fc6bcff51318944179630522a095cc9dbf9f353
runc version: v1.1.13-0-g58aa920
init version: de40ad0
Security Options:
seccomp
Profile: builtin
rootless
cgroupns
Kernel Version: 5.14.21-150500.55.68-default
Operating System: openSUSE Leap 15.5
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 30.79GiB
Name: pcserver2023
ID: 45699224-ea9c-4865-8dea-a53bb20b788c
Docker Root Dir: /home/docker/.local/share/docker
Debug Mode: false
Experimental: true
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
Additional Info
The same setup with rootful Docker works as expected, but it has very different network devices (docker0), which do not exist on the host in rootless mode.
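The report shows a bridge with a ULA prefix (fdff:6785:1::/48) and an IPv4-only pasta configuration in the rootlesskit service listing, but nothing about what the rootlesskit network namespace itself sees for IPv6. The following triage helper is an added example, not code from the issue, from Docker or from rootlesskit: it classifies the namespace's IPv6 plumbing from the text of `ip -6 route` and `ip -6 addr`, separating "no IPv6 at all", "global address but no default route" and "default route but only ULA/link-local addresses". All sample route and address listings are constructed (documentation prefix 2001:db8::/32); the `nsenter` command in the trailing comment is an assumed entry point into the rootless namespace and should be checked against your rootlesskit setup.

```shell
#!/bin/sh
# Added triage helper (not from the issue or from Docker/rootlesskit): decide
# whether a network namespace has the plumbing needed for outgoing IPv6, from
# the text of `ip -6 route` and `ip -6 addr`. A ULA prefix on docker0 such as
# fdff:6785:1::/48 gives containers IPv6 addresses, but reaching the internet
# also needs a globally routable (2000::/3) address and a default route on
# the uplink interface (tap0 under rootlesskit).

# Returns 0 if the route table text contains a default IPv6 route.
has_v6_default_route() {
    printf '%s\n' "$1" | grep -Eq '^default '
}

# Returns 0 if the address listing contains a 2000::/3 (globally routable)
# address; fc00::/7 ULAs and fe80::/10 link-local addresses do not count,
# even though `ip` prints ULAs with "scope global".
has_global_v6_addr() {
    printf '%s\n' "$1" | grep -Eiq 'inet6 [23][0-9a-f]{3}:'
}

# One-word verdict: ok | no-default-route | no-global-address | no-ipv6
v6_verdict() {
    routes=$1
    addrs=$2
    if has_global_v6_addr "$addrs"; then
        if has_v6_default_route "$routes"; then echo ok; else echo no-default-route; fi
    elif has_v6_default_route "$routes"; then
        echo no-global-address
    else
        echo no-ipv6
    fi
}

# Constructed samples (not captured from the reporter's host).
# 1) Only the docker0 ULA from the daemon.json above and a link-local on tap0:
ROUTES_ULA_ONLY='fdff:6785:1::/48 dev docker0 proto kernel metric 256 pref medium
fe80::/64 dev tap0 proto kernel metric 256 pref medium'
ADDRS_ULA_ONLY='3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 172.17.0.1/16 scope global docker0
    inet6 fdff:6785:1::1/48 scope global
2: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 10.0.2.100/24 scope global tap0
    inet6 fe80::2/64 scope link'
# 2) A global address on tap0 but still no default route:
ROUTES_NO_DEFAULT="$ROUTES_ULA_ONLY
2001:db8:1::/64 dev tap0 proto kernel metric 256 pref medium"
ADDRS_GLOBAL="$ADDRS_ULA_ONLY
    inet6 2001:db8:1::100/64 scope global"
# 3) Global address plus a default route via the tap0 gateway:
ROUTES_OK="$ROUTES_NO_DEFAULT
default via fe80::1 dev tap0 metric 1024 pref medium"

echo "ULA only:          $(v6_verdict "$ROUTES_ULA_ONLY" "$ADDRS_ULA_ONLY")"
echo "global, no route:  $(v6_verdict "$ROUTES_NO_DEFAULT" "$ADDRS_GLOBAL")"
echo "global + default:  $(v6_verdict "$ROUTES_OK" "$ADDRS_GLOBAL")"

# Against a live rootless daemon, feed the functions with the namespace's own
# tables (assumed entry point; verify the pid file location for your setup):
#   PID=$(cat "$XDG_RUNTIME_DIR/docker.pid")
#   v6_verdict "$(nsenter -U --preserve-credentials -n -t "$PID" ip -6 route)" \
#              "$(nsenter -U --preserve-credentials -n -t "$PID" ip -6 addr)"
```

Run the script as-is to see the three verdicts for the constructed samples; a "no-ipv6" or "no-global-address" result from the live namespace means the problem is upstream of any ip6tables rule, in how the rootlesskit network driver (pasta or slirp4netns) provisions IPv6 on tap0, while "no-default-route" points at routing inside the namespace.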