request: scrub IPv6 nameservers from resolv.conf in container #5811

Closed
Supermathie opened this issue May 15, 2014 · 7 comments

Comments

@Supermathie
Contributor

It'd be nice if IPv6 nameservers could be scrubbed from containers' resolv.conf until we get IPv6 support in docker.

Normally this wouldn't be a problem, but:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=748179

It breaks Debian apt-get :(

@vieux
Contributor

vieux commented May 15, 2014

I understand the issue, but do you have an easy way to reproduce?

@tianon
Member

tianon commented May 15, 2014

I can reproduce easily with docker run -it --rm --dns 2001::1 --dns 8.8.8.8 debian apt-get update (using the intentionally wrong "2001::1").

@stephenmelrose

I just ran into this problem on DigitalOcean with an IPv6 enabled droplet. See:

https://www.digitalocean.com/community/questions/docker-on-ubuntu-14-04-could-not-resolve-archive-ubuntu-com

@discordianfish
Contributor

@vieux @tianon This is a real problem, just ran into it as well. And it's pretty obvious, isn't it? If you have IPv6 nameservers in your resolv.conf (because you have IPv6 connectivity on the host) you can't reach them from inside the container because we have no IPv6 support there.
So either this here or (preferably) #8947

@devinus

devinus commented Dec 25, 2014

I just spent a couple of days tracking this down. Would be great to have some kind of warning when the container is using IPv6 nameservers in its resolv.conf when it doesn't support it.

@emsi

emsi commented Jan 9, 2015

You can enable ipv6 in docker manually. :)
See https://docs.docker.com/articles/networking/ for more info on docker networking.

Below is just an example. Note that it is neither complete nor perfect. It just lets outgoing ipv6 from the docker (no port forwarding etc although adding it should be quite straightforward). Having ipv6 in place I would design docker networking differently but that's a different story. :)

In the example I will use 2001:db8::/32 for local networking; note that this is just the IPv6 example network and you should preferably use your real IPv6 prefix (you have one, right?) or something like fd00::/8.
You also need a host with IPv6 NAT and masquerading which appeared somewhere around kernel 3.7 and iptables 1.4.17 IIRC.

(I blindly assume all below commands on host and docker are run as root so I omit calls to sudo for clarity).

Imagine you do:

docker run -ti --dns 2001:4860:4860::8888 --name=ipv6-debian debian /bin/bash
root@50f64227e342:/# ping6 -n 2001:4860:4860::8888
PING 2001:4860:4860::8888 (2001:4860:4860::8888): 48 data bytes
ping6: sending packet: Network is unreachable

Now on the docker host you have to enable ipv6 forwarding, and masquerading.

docker#
echo 1 >  /proc/sys/net/ipv6/conf/all/forwarding
ip6tables -t nat -A POSTROUTING \! -o docker0 -j MASQUERADE

Then we need to configure the networking inside container but first we need to identify its namespace (netns).
(Run following command on docker host)

docker#
mkdir -p /var/run/netns
pid=`docker inspect -f '{{.State.Pid}}' ipv6-debian`
ln -s /proc/$pid/ns/net /var/run/netns/$pid

Now we can access the container networking from the docker host:

docker#
ip netns exec $pid ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
84: eth0: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:42:ac:11:00:0f brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.15/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:f/64 scope link 
       valid_lft forever preferred_lft forever

The above trickery is required because you cannot change the networking from within the container (unless it's run with --privileged or has otherwise disabled the security).

Now we can configure networking among docker host and container(s).

docker#
ip -6 addr add 2001:db8::1/48 dev docker0
ip netns exec $pid ip -6 addr add 2001:db8::2/48 dev eth0
ip netns exec $pid ip -6 ro add default via 2001:db8::1 dev eth0

And that's it. Now you should be able to use ipv6 from within your container:

root@50f64227e342:/# ping6 -n  2001:4860:4860::8888
PING 2001:4860:4860::8888 (2001:4860:4860::8888): 48 data bytes
56 bytes from google-public-dns-a.google.com: icmp_seq=0 ttl=52 time=38.408 ms
56 bytes from google-public-dns-a.google.com: icmp_seq=1 ttl=52 time=38.534 ms
56 bytes from google-public-dns-a.google.com: icmp_seq=2 ttl=52 time=38.696 ms
56 bytes from google-public-dns-a.google.com: icmp_seq=3 ttl=52 time=38.488 ms

p.s. 2001:4860:4860::8888 is google public ipv6 DNS akin to 8.8.8.8

estesp added a commit to estesp/docker that referenced this issue Jan 20, 2015
Addresses moby#5811

This cleans up an error in the logic which removes localhost resolvers
from the host resolv.conf at container creation start time. Specifically
when the determination is made if any nameservers are left after
removing localhost resolvers, it was using a string match on the word
"nameserver", which could have been anywhere (including commented out)
leading to incorrect situations where no nameservers were left but the
default ones were not added.

This also adds some complexity to the regular expressions for finding
nameservers in general, as well as matching on localhost resolvers due
to the recent addition of IPv6 support.  Because of IPv6 support now
available in the Docker daemon, the resolvconf code is now aware of
IPv6 enable/disable state and uses that for both filter/cleaning of
nameservers as well as adding default Google DNS (IPv4 only vs. IPv4
and IPv6 if IPv6 enabled).  For all these changes, tests have been
added/strengthened to test these additional capabilities.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
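The commit message above describes the filtering rules the fix applies: drop loopback resolvers (the container cannot reach the host's 127.x or ::1), drop IPv6 resolvers when the daemon has IPv6 disabled, count only real "nameserver" directives rather than any line containing the word, and fall back to Google's public resolvers when nothing usable is left. The following is an added illustration of those rules written for this page; it is not Docker's resolvconf code, and the function names (FilterResolvConf, Nameservers) and the constructed sample resolv.conf are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Fallback resolvers used when filtering leaves the container with none.
// These are the Google public DNS addresses mentioned in the thread.
var (
	defaultIPv4DNS = []string{"8.8.8.8", "8.8.4.4"}
	defaultIPv6DNS = []string{"2001:4860:4860::8888", "2001:4860:4860::8844"}
)

// FilterResolvConf returns a copy of resolv.conf content with unusable
// nameserver lines removed: loopback resolvers always, IPv6 resolvers
// unless ipv6Enabled, and unparseable addresses. Only lines whose first
// field is literally "nameserver" are considered; comments and other
// directives (search, options, ...) pass through untouched and are never
// counted as resolvers. If no usable resolver survives, the defaults above
// are appended (IPv4 only, plus IPv6 when ipv6Enabled).
func FilterResolvConf(content string, ipv6Enabled bool) string {
	var lines []string
	if strings.TrimSpace(content) != "" {
		lines = strings.Split(strings.TrimRight(content, "\n"), "\n")
	}
	var out []string
	kept := 0
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] != "nameserver" {
			out = append(out, line) // comment, blank line or other directive
			continue
		}
		ip := net.ParseIP(fields[1])
		switch {
		case ip == nil:
			continue // not an address: drop rather than pass junk through
		case ip.IsLoopback():
			continue // 127.0.0.0/8 or ::1: unreachable from the container's netns
		case ip.To4() == nil && !ipv6Enabled:
			continue // IPv6 resolver, but the container has no IPv6 connectivity
		}
		out = append(out, line)
		kept++
	}
	if kept == 0 {
		for _, ns := range defaultIPv4DNS {
			out = append(out, "nameserver "+ns)
		}
		if ipv6Enabled {
			for _, ns := range defaultIPv6DNS {
				out = append(out, "nameserver "+ns)
			}
		}
	}
	return strings.Join(out, "\n") + "\n"
}

// Nameservers lists the addresses of the real nameserver directives in
// content, ignoring comments that merely contain the word "nameserver".
func Nameservers(content string) []string {
	var ns []string
	for _, line := range strings.Split(content, "\n") {
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == "nameserver" {
			ns = append(ns, fields[1])
		}
	}
	return ns
}

func main() {
	// Constructed sample: a host resolv.conf typical of an IPv6-enabled
	// machine running a local stub resolver.
	host := "# nameserver list managed by the host\n" +
		"nameserver 127.0.1.1\n" +
		"nameserver 2001:4860:4860::8888\n" +
		"search example.test\n"
	fmt.Print("IPv6 disabled:\n", FilterResolvConf(host, false))
	fmt.Print("IPv6 enabled:\n", FilterResolvConf(host, true))
}
```

With IPv6 disabled the sample above loses both host resolvers and receives the IPv4 defaults, which is exactly the case the original code mishandled when it matched "nameserver" inside the comment line and concluded that a resolver was still present; with IPv6 enabled the Google IPv6 resolver is kept and no defaults are added.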
@jessfraz
Contributor

closing we have ipv6 support :D
