New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: Rewrite of IPv6 page #3244
Conversation
see #1438 and #3057 (with #3057 (comment)) for reference. Superseeds #3061
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
WIP - Just submitting progress to ensure it's not lost by a random system crash overnight (happens 😅 )
FWIW, I followed these instructions and I have yet to successfully send or receive an e-mail via IPv6. I have confirmed my mail server is reachable over IPv6. On the plus side, there are no rejections either. |
Probably because most people still use IPv4 and it is the preferred protocol.
This is actually our main concern. |
I will report back as as soon as I get a successful sending, reception, or even a rejection on either side. So far, I only got one greylisting from a non-major provider server, so it doesn't prove anything. |
Thank's a lot for the feedback - very much appreciated! ❤️ |
Are you using a public IPv6 address assigned to your Docker container, or are you using private ULA address with NAT ( There's been a few reports of unsuccessful IPv6 container setups, can you try with a simple web container? I have a 3 step example detailed here. If you can get that to work, it should translate to the mail-server too. Make sure you use Once that is working, if you're not happy with ULA + NAT (which honestly should be fine?), then what are you working with? Is it a |
I'm using private ULA address in Docker Compose, if that was the question.
That's roughly what I have for Docker Mailserver. I can try traefik/whoami.
I don't have another IPv6 enabled host.
I have a |
I have just tried traefik/whoami and seems to work as expected. Keeping my fingers crossed Docker Mailserver will work just as well. I will report back when I have more info. |
How did you verify? On the same host only? I used two VPS on Vultr.
I've only used ULA with NAT myself. Vultr issues a I have found this article which might explain it with an NDP proxy, but I need to sleep now. |
I marked this for v12.1.0, but I think we do not require this to be in a special version. What's your opinion @polarathene? I can resolve the conflicts, and we can apply your suggestions and merge this. If you still want to work in this, please let me know :) |
I am coming back to this after PR reviews, delaying until v13 is fine 👍 |
Sorry for the delay, missed the original notification.
Connected from Scaleway VPS to Hetzner VPS.
Ditto. Anyhow, great improvement! |
I have had success with IPv6 container not using NAT. I still need to verify a few things, but I think the below documents the steps most would encounter to get this working. I've not yet tried to test it with DMS containers between hosts. After a bit more work, I'll come back and revise this information into the docs. This is for a VPS (Vultr, Ubuntu 23.04) that is providing a single My understanding is that Docker can create network interfaces that are subnets of that IPv6 public IP (GUA)This is a bit more complicated to setup compared to NAT6 with internal IPv6 ULA addresses for containers (where port management is a bit simpler to keep private/portable).
Firewall - UFW
Dockers port publishing with
Firewall - FirewalldNot looked into what equivalent configuration is required for this alternative firewall frontend. Additional Notes for IPv6 GUA setupInstead of manually adding each container IP to the NDP proxy table, you can have a daemon service configured for proxying the IPs from the docker interface to the main NIC
If you are not affected by
Proxy table is lost upon reboot AFAIK (but should be a non-issue with a background service like above automating the proxy table updates for you).
IPv6 Router Advertisements (
|
@vedranmiletic I found some time to investigate this again :) If you have the time to go over the instructions above, it would be good to know if you have success with the container being reachable now 👍 @AlperShal @ki9us @super9mega tagging you from related discussions. Your input would be appreciated as well if you can confirm the IPv6 GUA setup steps work for you too, or if I'm missing something else 😅 |
@polarathene Tested and can confirm it works! Looks like only thing that's left to be done was adding userland-proxy for me. (I've had everything you documented already done also a few other things) Thanks for taking your time and writing the docs. It's pretty clear. 👍🏻 |
That is enabled by default I think (although considered for being disabled in future), many old guides talk about disabling IIRC, so thanks for pointing that out, I'll make sure that's mentioned too :)
Update: Remote client IP (
Summary:
|
Apologies, I don't have time to tinker with this anytime soon as my mail server needs to keep working. I am glad to have IPv6 working properly via NAT and don't want to break my current setup. |
Almost there. I need to double-check, but I think it should work fine with IPv6 host and IPv4 only docker networks if I'm linking to an earlier comment for firewall / NDP proxy info regarding IPv6 GUA setup. If I find time to, I'll open a follow-up PR to migrate that into actual docs. |
Now I have a machine that only has public IPv6 and only private IPv4. If
that would be useful, I can try the steps you described there on that
machine.
…On 22. 06. 2023. 05:57, Brennan Kinney wrote:
Almost there. I need to double-check, but I think it should work fine
with IPv6 host and IPv4 only docker networks if |ip6tables: true| is
configured.
I'm linking to an earlier comment for firewall / NDP proxy info
regarding IPv6 GUA setup. If I find time to, I'll open a follow-up PR to
migrate that into actual docs.
—
Reply to this email directly, view it on GitHub
<#3244 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAB4CLNB2YGRNLPOOCW4BYTXMO7DFANCNFSM6AAAAAAWY5TTTU>.
You are receiving this because you were mentioned.Message ID:
***@***.***>
--
Vedran Miletić
vedran.miletic.net
|
That'd be good thanks! EDIT: I've looked into it and shared results below. If your experience differs do share :) Results - Importance of container having an IPv6 addressTL;DR: Required to preserve the remote client IP address when connecting to host via public IPv6 address (with published container port). A firewall frontend prevents the misleading gateway IP connections from being established. Test Environment:
Container has no IPv6 address assigned:
Container has IPv6 address assigned:
With Firewall frontends active:
Additionally, local connections within the same host (UFW/firewalld don't affect these):
I've looked into
Additionally with |
Documentation preview for this PR is ready! 🎉 Built with commit: c89eec7 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My PC died a few days ago, I am still looking to get a replacement. I may have lost some WIP changes 😅
I believe this had reached a point that I was quite happy with it and can merge. I helped revise / improve the current upstream Docker IPv6 docs as well.
Thanks everyone for your input/feedback!
Sorry that I can't find time to include the IPv6 GUA (no NAT variant), that'll take too much time for me right now to adapt for docs and verify/test. IPv6 ULA should work well for the majority.
For future reference, Docker devs have been focusing on improving both IPv6 and networking in general this year, while nftables support is a ways off, iptables may become legacy in favour of a newer IPVS / plugin approach being worked on. That transition will take time and the current iptables networking will remain around for some time (and as default I think) for legacy compatibility reasons IIRC.
Hey there! I have a question and a suggestion. My question is what is the difference between this (Method User-defined networks via docker network create or compose.yaml:
and this (Method Default network for a compose.yaml)
If we change the name "ip6net" to "default" or "default" to "ip6net", what difference is left (also the daemon.json is the same if we follow the DMS docs)? Are there any performance differences or is one better than other? I couldn't understand why or when choose one to another. And my suggestion is to write these methods (in the photo) into the docs as text instead of forwarding to external sites since they are the important parts. (Like method 1, method 2 etc.) It's obviously not necessary but would be better I think. (I may create a pull request but I guess it is clear I am no professional at Docker networking :) ) |
The main difference from choosing TL;DR: Preferring
You only need
If you don't enable IPv6 but your host can be reached via IPv6, then use
Sure! I have been short on time, and don't have a proper computer at the moment so I wanted to merge what I have as it was already a big improvement. Original message (Misunderstanding on my part)You'll find that there is already an example for IPv6 ULA. I would just reference that. You could indent these into the lists and collapse them by default (use I still think the links are good to keep around though. EDIT: I thought it was more about documenting how to configure IPv6 GUA better 😅
My preference is to keep it simple and focused for users, but still provide enough information/resources for more advanced users. We've had users attempt IPv6 GUA in the past but fail, I've put in extra effort to provide more info on that for them to troubleshoot, but there is quite a bit of environment influence that complicates it and very little advantage offered. I'd prefer we focus support and encourage IPv6 ULA subnets, at least until Docker improves IPv6 networking further (there's still quite a bit of GUA features an IPv6 enthusiast probably will have problems with). I do acknowledge that third-party resources can change (in fact the official Docker IPv6 docs were much worse until recently). I tried to discourage mixing the documentation only IPv6 subnet with IPv4 private range addresses in their docs, but they didn't agree hence my warning in our docs about it as I don't trust inexperienced IPv6 users to know better otherwise (I've seen it abused when their actual problem was with I think the example that is shown directly below your screenshot for those links is sufficient and should lead users (and any support requests) to be focused around IPv6 ULA, preferably with The example might not be as clear with the CLI snippet. It's meant to be for using with |
Actually, since you've referenced both config snippets from the links, and not the one I showed in the screenshot, I can see how that could be a bit more confusing to compare. I'd be happy to take a content tabs approach (like shown here in the DNS example) that keeps the reference link, but has an inline snippet directly below to compare against the other tabs. Would that be better? |
Sorry about my late response. Was a busy day. First of all thank you for taking your time and writing such a long explanation. Appreciate it. About the first paragraph, I already know the difference between naming the network to "default" or something else. I just wondered what effect does it have configuring it like "ipam:\config:\subnet:" instead of just "subnet:". From my understanding they do the same thing but they are placed under different titles and have different syntax so couldn't be sure about that. You being misleaded to tell the difference between default network or else is probably caused by my English skills so sorry about that. This was what I wanted to ask. About the latter paragraphs, thanks for the information. Made things clearer. And the last paragraph, yeah having the methods under tab views would be really nice. Also, I would suggest instead of just directly copying from reference site a little bit of re-write would be cool. For example the instructions in the purple box (title: "User-defined IPv6 ULA subnet") is a mix of method one and method three. Read method 3, you will see a part saying "Alternatively use a custom bridge network instead:". That's just the same thing with method 1 (if IPAM doesn't make any difference) but just using the default network instead of creating a new one. I think anyone would know the difference between default network and creating a new one since that's just a pure basic of using Docker Compose. If I understood the things right method 1, method 3's "alternatively..." part and the purple are just the same thing (again, thinking IPAM doesn't make any difference) but with really minor differences. If you think they are worth a mention no problem it's again obvious you are experienced in docs writing and the topic but they just look like repeating the same thing to my eyes. |
Yeah sorry I don't know about that one. It might be that only ipam nested config options was supported in the past and perhaps with Compose v2 (CLI not schema) or potentially earlier they added some top-level config that presumably maps to the same settings. Mine was from v3 compose schema docs at the time I believe.
It took me a while to get comfortable with network config in compose / docker when I started learning it. I don't think I even bothered much until I got into DNS a few years ago and I had been using Docker since 2015 or so? The Knowing how to add a service to a different network than the implicitly generated
I don't see any text for "Alternatively" or "custom" that you're referencing sorry? But you're right and we could remove the third bullet point, instead making it a tip to inform the user the benefit of naming the user-defined network as |
Looks like I have forgotten to hit the "Comment" button. Sorry for making you wait again.
Absolutely that would be the best I think.
I just checked again the Docker Docs but couldn't find any definition of what it's doing, just how to use it. Having something we don't understand in the docs would not make sense I guess but having it mentioned would not hurt too. Your decision.
This was the very first thing I have needed to learn when using Docker Compose so I thought it would be something known by most of the users. If you say that it could be something people may miss then yeah another tab or some comment/note would not hurt too. Would you like me to make a rewrite/PR according to these or would you like to do it yourself? |
Oh that screenshot is about a link to my Github comment from Jan 2023 with earlier IPv6 advice on a different project 😅 That explains why I couldn't find it in our docs and got a little confused with what you were saying 😛 We could probably remove that link. I've covered the content fairly well in the docs now and have a section on testing IPv6 is configured properly.
The I assume at some point the Compose schema made common keys available to some extent available beside If the less verbose config still implicitly adds an IPv4 subnet (I think it does), that's simpler to demonstrate in docs then.
Before that I was just doing simple frontend/backend network names or external reference with no other customization, then assigning them to different services. That was common to see in the wild for me and quite simple to grok.
Just a tip admonition about
I'm quite busy lately and still have other PR work I need to catch up on. If you're willing to take a shot at making these improvements and raising a new PR that'd be very much appreciated ❤️ Otherwise opening an issue to request it would be fine so it can be better tracked as a todo item 😅 |
Okay I couldn't manage to do it lol. I am opening an issue then. Thanks for taking your time! |
Description
See #1438 and #3057 (with #3057 (comment)) for reference. @polarathene please also apply further findings. I took a comment from #3057 from you and basically copy-pasted it with minor adjustments; please change if you deem that inappropriate, but I found it to be very good advice.
Closes #3061 (superseeds)
Type of change
Checklist: