Univention Bugzilla – Bug 56817
Recipe for allowing IPv6 in docker containers
Last modified: 2023-11-10 21:07:12 CET
On an IPv6-only UCS system, docker containers are usually unusable. Docker provides only an IPv4 transfer network and the host has only IPv6 connectivity. Docker containers automatically get 8.8.8.8 and 8.8.4.4 as DNS servers from the docker daemon. Neither is reachable → no DNS lookups. And even if DNS lookups worked: to connect to the UCS LDAP server, we usually configure the FQDN of the host within the docker containers. The only DNS entry that would be returned is an AAAA record (IPv6). The service within the docker container gets a "network unreachable" when trying to connect via IPv6. E.g. I was not able to authenticate against the admin-dashboard.

After fiddling around a while, I extracted the following steps to make it work. (WARNING: not tested thoroughly!)

1) Enable IPv6 in the docker daemon and configure a unique local IPv6 subnet prefix for transfer networks with the docker containers:

   ucr set docker/daemon/default/json='{"ipv6": true, "fixed-cidr-v6": "fd00::/80"}'

   Hint: maybe we should make the network smaller: fd00:1234:5678:abcd::/64

2) Add IPv6-NAT (yes!):

   echo 'ip6tables -L POSTROUTING -n -v -t nat | grep "fd00::" || ip6tables -t nat -A POSTROUTING -s fd00::/80 ! -o docker0 -j MASQUERADE' >> /etc/security/packetfilter.d/50_local.sh

3) Restart the firewall:

   /etc/init.d/univention-firewall restart

4) Stop all apps and the docker service. Otherwise the network changes will not be picked up. For each running app call:

   univention-app stop APPNAME

   and then:

   systemctl stop docker.service

5) Next, start all services:

   systemctl start docker.service
   univention-app start APPNAME
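Two helper functions as an added example (not from the bug report): one builds the UCR value of step 1 after checking that the prefix is a unique local address prefix (fd00::/8, RFC 4193) with a valid length, the other makes the step-2 append to 50_local.sh idempotent, since the `echo ... >>` line adds a duplicate rule line each time the recipe is re-run. The file path and rule come from the report; the function names are my own.

```shell
# Emit the JSON for `ucr set docker/daemon/default/json=...` (step 1).
# Accepts only a ULA prefix (fd00::/8) with a prefix length of 1..128, so a
# globally routable prefix cannot be handed to docker by mistake.
docker_ipv6_json() {
    prefix="$1"
    case "$prefix" in
        fd[0-9a-fA-F][0-9a-fA-F]:*/*) ;;
        *) echo "not a ULA prefix with length: $prefix" >&2; return 1 ;;
    esac
    len="${prefix##*/}"
    case "$len" in
        ''|*[!0-9]*) echo "bad prefix length: $prefix" >&2; return 1 ;;
    esac
    if [ "$len" -lt 1 ] || [ "$len" -gt 128 ]; then
        echo "prefix length out of range: $prefix" >&2; return 1
    fi
    printf '{"ipv6": true, "fixed-cidr-v6": "%s"}' "$prefix"
}

# The ip6tables line from step 2, parameterised by prefix. The `grep ... ||`
# guard keeps the rule from being added twice across firewall restarts.
nat_rule_line() {
    prefix="$1"
    printf 'ip6tables -L POSTROUTING -n -v -t nat | grep -F "%s" || ip6tables -t nat -A POSTROUTING -s %s ! -o docker0 -j MASQUERADE' \
        "$prefix" "$prefix"
}

# Append LINE to FILE only if an identical line is not already present.
# Unlike a plain `echo ... >> FILE`, re-running the recipe stays harmless.
append_once() {
    file="$1"; line="$2"
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" && return 0
    printf '%s\n' "$line" >> "$file"
}

# Usage on a UCS host (assumed paths from the report); run as root:
#   docker_ipv6_json fd00::/80 > /tmp/docker.json && \
#     ucr set docker/daemon/default/json="$(cat /tmp/docker.json)"
#   append_once /etc/security/packetfilter.d/50_local.sh "$(nat_rule_line fd00::/80)"
```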