Bug 56817 - Recipe for allowing IPv6 in docker containers
Status: NEW
Product: UCS
Classification: Unclassified
Component: App Center
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Assigned To: App Center maintainers
Depends on:
Blocks:
Reported: 2023-11-10 18:25 CET by Sönke Schwardt-Krummrich
Modified: 2023-11-10 21:07 CET
See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): IPv6
Max CVSS v3 score:
Description by Sönke Schwardt-Krummrich (univentionstaff), 2023-11-10 18:25:47 CET
On an IPv6-only UCS system, docker containers are usually unusable. Docker provides only an IPv4 transfer network and the host has only IPv6 connectivity. Docker containers automatically get 8.8.8.8 and 8.8.4.4 as DNS servers from the docker daemon. Neither is reachable → no DNS lookups.
And even if DNS lookups worked: to connect to the UCS LDAP server, we usually configure the FQDN of the host within the docker containers. The only DNS entry that would be returned is an AAAA record (IPv6). The service within the docker container gets a "network unreachable" when trying to connect via IPv6.

E.g. I was not able to authenticate against the admin-dashboard.

After fiddling around for a while, I extracted the following steps to make it work.
(WARNING: not tested thoroughly!)

1) Enable IPv6 in the docker daemon and configure a unique local IPv6 subnet prefix for transfer networks with the docker containers:

ucr set docker/daemon/default/json='{"ipv6": true, "fixed-cidr-v6": "fd00::/80"}'

Hint: maybe we should make the network smaller: fd00:1234:5678:abcd::/64

2) Add IPv6-NAT (yes!)

echo 'ip6tables -L POSTROUTING -n -v -t nat | grep "fd00::" || ip6tables -t nat -A POSTROUTING -s fd00::/80 ! -o docker0 -j MASQUERADE' >> /etc/security/packetfilter.d/50_local.sh

3) Restart the firewall

/etc/init.d/univention-firewall restart

4) Stop all apps and the docker service. Otherwise the network changes will not be applied.
For each running app call: univention-app stop APPNAME
and then: systemctl stop docker.service

5) Next, start all services
systemctl start docker.service
univention-app start APPNAME
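The five steps above as one idempotent script. This is an added example, not the reporter's code or anything shipped with UCS: it keeps the IPv6 prefix in a single variable so that the docker daemon configuration (step 1) and the ip6tables MASQUERADE rule (step 2) cannot drift apart, refuses anything outside the unique-local range fc00::/7, and uses `ip6tables -C` as the presence check instead of the `-L | grep` from the report. The variable names `DOCKER_V6_PREFIX` and `PACKETFILTER_LOCAL`, the `apply` argument and the helper function names are choices made for this example; the UCS commands themselves (ucr, univention-app, univention-firewall) are the ones from the report and are only invoked when `apply` is given.

```shell
#!/bin/sh
# Added example, not from the bug report: the five steps wrapped in an
# idempotent script that keeps the IPv6 prefix in ONE variable so that the
# docker daemon config (step 1) and the ip6tables MASQUERADE rule (step 2)
# cannot drift apart. Assumes the UCS tools (ucr, univention-app,
# univention-firewall) exist when run with "apply"; the helpers below are
# pure string handling and run anywhere.

# Unique-local prefix handed to the docker daemon; fd00::/80 is the report's
# value. (DOCKER_V6_PREFIX / PACKETFILTER_LOCAL are names chosen for this example.)
DOCKER_V6_PREFIX="${DOCKER_V6_PREFIX:-fd00::/80}"
PACKETFILTER_LOCAL="${PACKETFILTER_LOCAL:-/etc/security/packetfilter.d/50_local.sh}"

# Succeed only for a prefix inside the unique-local range fc00::/7 (fcxx: / fdxx:),
# so the masqueraded container addresses are never globally routable ones.
is_ula_prefix() {
    case "$1" in
        f[cd][0-9a-fA-F][0-9a-fA-F]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 1: the value for the UCR variable docker/daemon/default/json.
daemon_json() {
    printf '{"ipv6": true, "fixed-cidr-v6": "%s"}' "$1"
}

# Step 2: the line appended to 50_local.sh. "ip6tables -C" checks for the exact
# rule, so a substring match on the -L output (fd00::/80 vs fd00::/64) cannot be
# mistaken for the rule already being present.
nat_rule_line() {
    printf 'ip6tables -t nat -C POSTROUTING -s %s ! -o docker0 -j MASQUERADE 2>/dev/null || ip6tables -t nat -A POSTROUTING -s %s ! -o docker0 -j MASQUERADE' "$1" "$1"
}

# Extract the prefix from a daemon JSON string / from a NAT rule line (no jq needed).
prefix_from_json() {
    printf '%s' "$1" | sed -n 's/.*"fixed-cidr-v6": *"\([^"]*\)".*/\1/p'
}
prefix_from_rule() {
    printf '%s' "$1" | sed -n 's/.*-s \([^ ]*\) .*/\1/p'
}

# Consistency check for an already-configured host: the prefix docker hands out
# must be the one the MASQUERADE rule covers, otherwise container traffic leaves
# the host with a ULA source address that is never masqueraded.
nat_prefix_matches_daemon() {
    j="$(prefix_from_json "$1")"
    r="$(prefix_from_rule "$2")"
    [ -n "$j" ] && [ "$j" = "$r" ]
}

# Steps 1 to 5 in order. Apps to stop/start are given as arguments, e.g.
#   ./recipe.sh apply admin-dashboard
apply_recipe() {
    is_ula_prefix "$DOCKER_V6_PREFIX" || {
        echo "refusing non-ULA prefix: $DOCKER_V6_PREFIX" >&2
        return 1
    }
    # 1) docker daemon: enable IPv6 and set the transfer-network prefix
    ucr set "docker/daemon/default/json=$(daemon_json "$DOCKER_V6_PREFIX")"
    # 2) persist the NAT rule exactly once (fixed-string, whole-line match)
    rule="$(nat_rule_line "$DOCKER_V6_PREFIX")"
    grep -qxF -- "$rule" "$PACKETFILTER_LOCAL" 2>/dev/null || printf '%s\n' "$rule" >> "$PACKETFILTER_LOCAL"
    # 3) reload the firewall so the rule is active before docker comes back
    /etc/init.d/univention-firewall restart
    # 4) stop the apps, then docker, so the new network settings are picked up
    for app in "$@"; do univention-app stop "$app"; done
    systemctl stop docker.service
    # 5) start docker, then the apps
    systemctl start docker.service
    for app in "$@"; do univention-app start "$app"; done
}

if [ "${1:-}" = apply ]; then
    shift
    apply_recipe "$@"
fi
```

Run without arguments the script only defines the functions, which is handy for sourcing it and calling `nat_prefix_matches_daemon "$(ucr get docker/daemon/default/json)" "$(grep MASQUERADE /etc/security/packetfilter.d/50_local.sh)"` on a host that was set up by hand; `apply APPNAME...` performs steps 1 to 5 for the named apps.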