Docker Hub registry: Add support for pulling images over IPv6 #89

Closed
thaJeztah opened this issue May 10, 2020 · 85 comments
Labels
community_new New idea raised by a community contributor docker_hub Improvements or additions to Docker Hub

Comments

@thaJeztah
Member

Tell us about your request
A clear and concise description of what you want to happen or the change you would like to see

As described in docker/hub-feedback#1945, Docker Hub doesn't currently support pulling images over IPv6, which prevents users on an IPv6-only network from interacting with Docker Hub

Which service(s) is this request for?

Docker Hub registry

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

See docker/hub-feedback#1945

Are you currently working around the issue?

Users can use a NAT64 Gateway, as described in docker/hub-feedback#1945 (comment)

@thaJeztah thaJeztah added the community_new New idea raised by a community contributor label May 10, 2020
@pkennedyr pkennedyr added the docker_hub Improvements or additions to Docker Hub label May 11, 2020
@xfgavin

xfgavin commented May 29, 2020

IPV6 should've been implemented already. Thank you.

@JuniperChris929

Should have been implemented YEARS ago... Wake up! IPv6 is here - this is not optional anymore!

@pkennedyr

Thanks all for the feedback - the Hub team is investigating the issue and will post an update as soon as we have more details to share.

In the meantime, if there are any special considerations / unique use cases in your environments that you would like taken into account, feel free to add your comments to this issue.

@JuniperChris929

It's July now, almost August - any update on this?

@MaciejKucia

Seems like Docker Hub does not work with AWS Egress-only internet gateway which is IPv6 by nature.

@JuniperChris929

At this point it’s more than obvious that the Team is ignoring this probably biggest feature request and is actively and purposely trying to block the future. We are currently evaluating other solutions because without v6 Support Docker is useless for us. And we refuse to install 6-4 Gateways just because one team is too lazy (or looks for excuses) to deploy IPv6, which is the future. Ridiculous and sad...

@altelch

altelch commented Aug 26, 2020

RFC2460 is from December 1998... nearly 22 years later there are still services not available from legacy-free networks...

@WilliamDEdwards

Progress?

@PavelSosin-320

Even enforced by law in some places! Even Providers fulfill it.
nslookup aws.amazon.com
Server: OpenWrt.lan
Address: fd7d:e52e:3e3a::1

@WilliamDEdwards

It's such a shame that "the world’s leading service for finding and sharing container images" is so ancient...

@jcyph3r

jcyph3r commented Oct 30, 2020

Our cellphones pretty much all have IPv6 now. Google's worldwide traffic hits >33% IPv6 every week these days. Facebook's US traffic is >60% IPv6. Akamai's US traffic is nearly ~50% IPv6. Apple says IPv6 connection setup is 1.4x faster.

Please enable IPv6. IPv6 is here, and IPv6 is the future.

@aminvakil

They're probably more concerned about setting limit on users who don't give money to the corporation...
https://www.docker.com/blog/scaling-docker-to-serve-millions-more-developers-network-egress/

@Martin-Luther

Please, when are you going to support IPv6? This is crazy!

@WilliamDEdwards

WilliamDEdwards commented Nov 15, 2020

Could anyone from Docker explain why Docker Hub still doesn't support IPv6? IPv6 is not that hard to implement. Sure, it's a bit more complex in a production environment - but that's still no reason not to support IPv6 in 2020! Does the Docker team lack the knowledge? Or does Docker simply not care about what's good for the internet as a whole?

It's products like Docker that make IPv6 implementation grind to a halt.

@miyurusankalpa

miyurusankalpa commented Nov 15, 2020

Even the CDN endpoint (production.cloudflare.docker.com), which is powered by Cloudflare, does not have IPv6 enabled.

@PavelSosin-320

Everybody can install the Registry Docker image locally on IPV6 enabled Docker engine. JFrog Container registry supports IPV6, obviously, enterprise infrastructure! Google Internet quality test reports lack IPV6 support as an error. My Router supports IPV6 as DNS and DHCP out-of-the-box.
Lack of IPV6 support must be published as a restriction.

@WilliamDEdwards

WilliamDEdwards commented Nov 15, 2020

> Everybody can install the Registry Docker image locally on IPV6 enabled Docker engine. JFrog Container registry supports IPV6, obviously, enterprise infrastructure! Google Internet quality test reports lack IPV6 support as an error. My Router supports IPV6 as DNS and DHCP out-of-the-box.
> Lack of IPV6 support must be published as a restriction.

In the time it takes to write "IPv6 is not supported at the moment", they could also implement IPv6.

@PavelSosin-320

FYI: DockerHub uses AWS infrastructure:
root@MSI:# nslookup hub.docker.com
Server: 172.25.208.1
Address: 172.25.208.1
hub.docker.com canonical name = elb-default.us-east-1.aws.dckr.io.
elb-default.us-east-1.aws.dckr.io canonical name = us-east-1-elbdefau-1nlhaqqbnj2z8-140214243.us-east-1.elb.amazonaws.com.
Name: us-east-1-elbdefau-1nlhaqqbnj2z8-140214243.us-east-1.elb.amazonaws.com
Address: 52.45.24.195
Name: us-east-1-elbdefau-1nlhaqqbnj2z8-140214243.us-east-1.elb.amazonaws.com
Address: 34.206.208.51
Name: us-east-1-elbdefau-1nlhaqqbnj2z8-140214243.us-east-1.elb.amazonaws.com
Address: 3.217.202.146
According to this announcement regarding IPV6 support, DockerHub should have no problem with it.

@ingshtrom

Hey all,

Sorry for the delay! It is not acceptable to have this ticket sit so long without any response from Docker and I apologize for that.

As for the matter at hand, we would like to add support for this, but the complexity involved along with other tasks competing for our small team’s time does not make this feasible in the near term. This may change if there are more requests for this and/or internal priorities change. Keep in mind that there are a lot of moving parts involved with enabling IPv6 for us, along with the aforementioned competing, new work that is always being added. The implementation of this is not nearly as easy as flipping a switch or putting a new public-facing Application Load Balancer with dualstack support on the Internet.

For those of you requesting this, is there a specific reason you want or need this feature? Does IPv4 not work for you in some scenario or environment?

As others have already done, please add your 👍 to the original issue comment so that we can track community interest in this.

@aminvakil

@ingshtrom
No, it does not. I have some virtual machines which do not have ipv4; right now I've set up squid on another virtual machine which has both ipv4 and ipv6 and make my requests through that.

@ingshtrom

> @ingshtrom
> No, it does not. I have some virtual machines which do not have ipv4; right now I've set up squid on another virtual machine which has both ipv4 and ipv6 and make my requests through that.

This is a naive question, but why can those virtual machines not have ipv4 on them?

@A1bi

A1bi commented Nov 16, 2020

> For those of you requesting this, is there a specific reason you want or need this feature? Does IPv4 not work for you in some scenario or environment?

For me the reason simply is the fact that for years now I have been deploying new systems without any IPv4 connectivity at all. It is just so much simpler. And most external services happily accept requests over IPv6, in my cases at least.

But in some cases I need to reach some IPv4-only services like Docker Hub for which I then have to implement transition mechanisms like NAT64+DNS64 and I absolutely want to get rid of this unnecessary complexity.

@aminvakil

aminvakil commented Nov 16, 2020

> > @ingshtrom
> > No, it does not. I have some virtual machines which do not have ipv4; right now I've set up squid on another virtual machine which has both ipv4 and ipv6 and make my requests through that.
>
> This is a naive question, but why can those virtual machines not have ipv4 on them?

Limitation of IPs on the hypervisor.

Edit: Every other thing is fine, they can act as web server behind cloudflare, it can retrieve OS packages from mirrors with ipv6, the only problem is docker hub.

@NoxInmortus

NoxInmortus commented Nov 16, 2020

@ingshtrom Thanks for your answer. As the original reporter of docker/hub-feedback#1945, I was waiting for official feedback for 10 months...

From my point of view, we are already reaching the limits of IPv4 worldwide, and it's just a matter of time before we get "Nop, sorry, no more IPv4" from ISP and cloud providers.

In my use case, I wish to reach DockerHub with IPv6 connectivity because we will need to use IPv6 on the client side soon enough. And already, cloud providers are charging for every IPv4 (and they are right to do so), and give us a free /64 IPv6 network. What's the point of continuing to use IPv4? IPv6 has been finalized since 1998, and everybody knew we were going to need it.

@altelch

altelch commented Nov 16, 2020

We often do pure IPv6 implementations if there is no need for IPv4 just to save address space. Every time docker is required we need to do a dual stack setup just because of the docker repo and not because of the application requiring this...

@Martin-Luther

Martin-Luther commented Nov 16, 2020

> For those of you requesting this, is there a specific reason you want or need this feature? Does IPv4 not work for you in some scenario or environment?

Self-hosted Kubernetes + Docker on VMs without (Cloud Providers) for all the benefits that you people must already know.
Except for the load balancer, all of our Kubernetes nodes will be IPv6-only in the near future: for our use case at least.

How can I pull images from a source like Docker Hub/docker.io if my nodes are only talking IPv6?
I have tried solutions like Tayga (nice by the way) + Bind9 for NAT64+DNS64, and it is only partially working.
I am not talking about my docker images here, but those required by Kubernetes.

We are also a very small team and we have been running a dual-stack production app for 4 years now. So "being a small team" is not an excuse; plus, you have by far more money than my small business does.

Stop taking us for idiots.

> The implementation of this is not nearly as easy as flipping a switch or putting a new public-facing Application Load Balancer with dualstack support on the Internet.

Ok, but at least you could try to do something, right? Do it at least gradually and publish a list of your servers or apps that already support dual-stack. Slowly is still better than nothing.
How many years did you have to complete this task?

After this horrible waste of time, I think that I am just going to start to look for an alternative to replace the Docker engine with something else which is at least going to support IPv6 for image pulling. And the next person who is going to tell me how Docker is great will have my hand kissing his face.

@PavelSosin-320

PavelSosin-320 commented Jan 9, 2021

My ISP doesn't want to wait for DockerHub decision and sent me the announcement:
PartnerISP_IPV6_Announcement.pdf.
This ISP serves 1/2 of customers in Silicon Wadi.

@unixfox

unixfox commented Feb 2, 2021

What are the current free Docker registries on the market that support IPv6? I saw AWS ECR, but I don't find other ones. Can someone post a list of them?

@WilliamDEdwards

> @WilliamDEdwards the next two months will include work that moves us towards IPv6 support. I cannot say that you will notice anything, but since the whole thing can be done piecemeal, we can chip it off as we accomplish other work.

It's 2 months later :). Any progress?

@miyurusankalpa

> What are the current free Docker registries on the market that support IPv6? I saw AWS ECR, but I don't find other ones. Can someone post a list of them?

Here is a list I collected a while back, only Google Container registry had v6 support. Also note that some registries point to other CDN domains to deliver the image files, which may have IPv6 enabled.

| Domain | IPv6 |
|---|---|
| gcr.io | Y |
| registry-1.docker.io | N |
| ghcr.io | N |
| registry.gitlab.com | N |
| rg.nl-ams.scw.cloud | N |
| registry.digitalocean.com | N |
| myregistry.azurecr.io | N |
| 137112412989.dkr.ecr.us-east-1.amazonaws.com | N |
| ecr-public.us-east-1.amazonaws.com | N |
| registry.access.redhat.com | N |
| registry.redhat.io | N |
| registry.connect.redhat.com | N |

@ingshtrom

> It's 2 months later :). Any progress?

What do you know, time flies! We are actively working on a necessary piece of work involving our routing infra, but have not made direct progress on ipv6 due to priorities. The work being done right now is an absolute requirement in order to support ipv6 and we will definitely keep this thread updated.

@WilliamDEdwards

Amazing.

@IMEVER

IMEVER commented Mar 18, 2021

Anyone suggest some ipv6 mirrors?

@vazhnov

vazhnov commented Apr 11, 2021

@IMEVER, Google Cloud has a Docker Hub mirror: mirror.gcr.io. It has an IPv6 address:

 $ host mirror.gcr.io
mirror.gcr.io is an alias for googlecode.l.googleusercontent.com.
googlecode.l.googleusercontent.com has address 108.177.119.82
googlecode.l.googleusercontent.com has IPv6 address 2a00:1450:4013:c00::52

Here is the documentation on how to use it: Pulling cached Docker Hub images.
For example, add into /etc/docker/daemon.json:

{
  "registry-mirrors": ["https://mirror.gcr.io"]
}

@IMEVER

IMEVER commented Apr 16, 2021

> @IMEVER, Google Cloud has a Docker Hub mirror: mirror.gcr.io. It has an IPv6 address:
>
> $ host mirror.gcr.io
> mirror.gcr.io is an alias for googlecode.l.googleusercontent.com.
> googlecode.l.googleusercontent.com has address 108.177.119.82
> googlecode.l.googleusercontent.com has IPv6 address 2a00:1450:4013:c00::52
>
> Here is the documentation on how to use it: Pulling cached Docker Hub images.
> For example, add into /etc/docker/daemon.json:
>
> {
>   "registry-mirrors": ["https://mirror.gcr.io"]
> }

Thanks, now I can pull image.
But when I use docker search xxx, it still goes to docker.io, any idea?

[root@vultr ~]# docker search nginx
Error response from daemon: Get https://index.docker.io/v1/search?q=nginx&n=25: dial tcp 34.195.201.174:443: connect: network is unreachable

@ingshtrom

@IMEVER I don't think the stuff that docker search uses was ever a part of the OCI distribution spec or the distribution. It is something that is a value add on built into the Docker CLI which works with Docker Hub.

@WilliamDEdwards

WilliamDEdwards commented Jul 30, 2021

> nebuk89 moved this from Investigating to We're Writing The Code in docker-roadmap

6 months later, at last!

@thaJeztah
Member Author

> @IMEVER I don't think the stuff that docker search uses was ever a part of the OCI distribution spec or the distribution. It is something that is a value add on built into the Docker CLI which works with Docker Hub.

search was part of the v1 docker registry (https://github.com/docker-archive/docker-registry), but was explicitly left out of the v2 docker registry specs (which was donated to the OCI to become the OCI distribution spec)

Search was left out of the spec, because it's orthogonal to "distributing" images, and different registries had different requirements for what they would offer w.r.t. "search" (if any).

So, although it would "technically" be possible to have docker search also switch to use the configured mirror, it would break in most (if not all) setups, unless the mirror would also provide the combination of v1 and v2 APIs (not sure if there are implementations that do this).

In any case, that would be a feature request for https://github.com/moby/moby, and for the maintainers of the Moby project to decide.

@moreiras

moreiras commented Oct 23, 2021

it is still missing...

# docker run hello-world
Unable to find image 'hello-world:latest' locally
docker: Error response from daemon: Get "https://registry-1.docker.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers).
See 'docker run --help'.

only legacy IP addresses:

# host registry-1.docker.io
registry-1.docker.io has address 54.85.56.253
registry-1.docker.io has address 52.72.232.213
registry-1.docker.io has address 54.161.109.204
registry-1.docker.io has address 34.198.213.42
registry-1.docker.io has address 52.20.81.6
registry-1.docker.io has address 34.238.187.50
registry-1.docker.io has address 34.192.204.44
registry-1.docker.io has address 3.209.182.229

@fzipi

fzipi commented Oct 24, 2021

$ host registry-1.docker.io
registry-1.docker.io has address 107.23.149.57
registry-1.docker.io has address 54.161.109.204
registry-1.docker.io has address 34.192.204.44
registry-1.docker.io has address 52.72.232.213
registry-1.docker.io has address 3.213.204.48
registry-1.docker.io has address 54.236.165.68
registry-1.docker.io has address 34.192.145.113
registry-1.docker.io has address 3.229.227.53
registry-1.docker.io has IPv6 address 2a0a:e5c0:0:1::6b17:9539
registry-1.docker.io has IPv6 address 2a0a:e5c0:0:1::3d5:cc30
registry-1.docker.io has IPv6 address 2a0a:e5c0:0:1::3e5:e335
registry-1.docker.io has IPv6 address 2a0a:e5c0:0:1::3448:e8d5
registry-1.docker.io has IPv6 address 2a0a:e5c0:0:1::22c0:9171
registry-1.docker.io has IPv6 address 2a0a:e5c0:0:1::22c0:cc2c
registry-1.docker.io has IPv6 address 2a0a:e5c0:0:1::36a1:6dcc
registry-1.docker.io has IPv6 address 2a0a:e5c0:0:1::36ec:a544

🤷

@unixfox

unixfox commented Oct 24, 2021

> $ host registry-1.docker.io
> registry-1.docker.io has address 107.23.149.57
> registry-1.docker.io has address 54.161.109.204
> registry-1.docker.io has address 34.192.204.44
> registry-1.docker.io has address 52.72.232.213
> registry-1.docker.io has address 3.213.204.48
> registry-1.docker.io has address 54.236.165.68
> registry-1.docker.io has address 34.192.145.113
> registry-1.docker.io has address 3.229.227.53
> registry-1.docker.io has IPv6 address 2a0a:e5c0:0:1::6b17:9539
> registry-1.docker.io has IPv6 address 2a0a:e5c0:0:1::3d5:cc30
> registry-1.docker.io has IPv6 address 2a0a:e5c0:0:1::3e5:e335
> registry-1.docker.io has IPv6 address 2a0a:e5c0:0:1::3448:e8d5
> registry-1.docker.io has IPv6 address 2a0a:e5c0:0:1::22c0:9171
> registry-1.docker.io has IPv6 address 2a0a:e5c0:0:1::22c0:cc2c
> registry-1.docker.io has IPv6 address 2a0a:e5c0:0:1::36a1:6dcc
> registry-1.docker.io has IPv6 address 2a0a:e5c0:0:1::36ec:a544
>
> 🤷

These are nat64 addresses, not the ones from the Docker company.

@sgryphon

Yeah, registry-1.docker.io is still IPv4 only.

First query is from my local machine (dual stack); I also threw in a check of the mirror (that does have IPv6). Second query is from a host I have that is IPv6 only; it has DNS64+NAT64 configured for outgoing (to get around IPv4 only sites).

PS /home/sly> host registry-1.docker.io
registry-1.docker.io has address 54.85.56.253
registry-1.docker.io has address 3.213.204.48
registry-1.docker.io has address 3.226.210.61
registry-1.docker.io has address 52.55.168.20
registry-1.docker.io has address 107.23.149.57
registry-1.docker.io has address 54.236.165.68
registry-1.docker.io has address 52.204.76.244
registry-1.docker.io has address 54.161.109.204
PS /home/sly> host mirror.gcr.io
mirror.gcr.io is an alias for googlecode.l.googleusercontent.com.
googlecode.l.googleusercontent.com has address 172.217.194.82
googlecode.l.googleusercontent.com has IPv6 address 2404:6800:4003:c04::52
PS /home/sly> ssh root@gryphon001.vs.mythic-beasts.com 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-84-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Tue Sep 21 10:02:41 2021 from 2407:8800:bc61:1300:2d48:d479:af90:c61f
root@gryphon001:~# host registry-1.docker.io
registry-1.docker.io has address 34.192.145.113
registry-1.docker.io has address 3.213.204.48
registry-1.docker.io has address 34.192.204.44
registry-1.docker.io has address 3.229.227.53
registry-1.docker.io has address 3.209.182.229
registry-1.docker.io has address 54.85.56.253
registry-1.docker.io has address 3.226.210.61
registry-1.docker.io has address 52.72.232.213
registry-1.docker.io has IPv6 address 64:ff9b::3448:e8d5
registry-1.docker.io has IPv6 address 64:ff9b::3e2:d23d
registry-1.docker.io has IPv6 address 64:ff9b::3d1:b6e5
registry-1.docker.io has IPv6 address 64:ff9b::22c0:cc2c
registry-1.docker.io has IPv6 address 64:ff9b::3655:38fd
registry-1.docker.io has IPv6 address 64:ff9b::3d5:cc30
registry-1.docker.io has IPv6 address 64:ff9b::3e5:e335
registry-1.docker.io has IPv6 address 64:ff9b::22c0:9171
root@gryphon001:~# 
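
The `host` outputs in the comments above can be checked mechanically: a DNS64 resolver builds AAAA answers by appending each A record to a /96 prefix, so the low 32 bits of a synthesized address equal one of the name's IPv4 addresses. The following Python is an added example, not part of the original thread; the function names are illustrative, and the sample records are subsets copied from the outputs quoted in the comments.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix. An operator may instead use a
# network-specific /96 of its own, as in fzipi's output above.
WELL_KNOWN_PREFIX = ipaddress.ip_network("64:ff9b::/96")


def embedded_ipv4(aaaa):
    """Return the IPv4 address held in the low 32 bits of an IPv6 address."""
    return ipaddress.IPv4Address(int(ipaddress.IPv6Address(aaaa)) & 0xFFFFFFFF)


def classify(a_records, aaaa_records):
    """Label each AAAA record: nat64-well-known, nat64-network-specific or native.

    Heuristic for /96 embeddings only (RFC 6052 also allows shorter prefixes
    with a different layout): an address counts as synthesized when it sits
    in 64:ff9b::/96 or when its low 32 bits match one of the A records.
    """
    v4 = {ipaddress.IPv4Address(a) for a in a_records}
    labels = {}
    for rec in aaaa_records:
        if ipaddress.IPv6Address(rec) in WELL_KNOWN_PREFIX:
            labels[rec] = "nat64-well-known"
        elif embedded_ipv4(rec) in v4:
            labels[rec] = "nat64-network-specific"
        else:
            labels[rec] = "native"
    return labels


def has_native_ipv6(a_records, aaaa_records):
    """True only if at least one AAAA record is not a NAT64 synthesis."""
    return "native" in classify(a_records, aaaa_records).values()


# Sample (A, AAAA) records: subsets of the `host` outputs quoted in the thread.
# FZIPI and SGRYPHON are for registry-1.docker.io, GRAMAKRI for registry.docker.com.
FZIPI = (["107.23.149.57", "3.213.204.48"],
         ["2a0a:e5c0:0:1::6b17:9539", "2a0a:e5c0:0:1::3d5:cc30"])
SGRYPHON = (["52.72.232.213", "3.226.210.61"],
            ["64:ff9b::3448:e8d5", "64:ff9b::3e2:d23d"])
GRAMAKRI = (["52.1.184.176", "34.194.164.123"],
            ["2600:1f18:2148:bc01:a3b0:6734:c617:7c5c",
             "2600:1f18:2148:bc00:8334:ca86:c3d6:a507"])

if __name__ == "__main__":
    samples = [("fzipi", FZIPI), ("sgryphon", SGRYPHON), ("gramakri", GRAMAKRI)]
    for name, (a, aaaa) in samples:
        print(name, "native IPv6:", has_native_ipv6(a, aaaa))
        for rec, label in classify(a, aaaa).items():
            print("  ", rec, "->", label)
```

The A records for the registry rotate between queries, as the differing outputs in this thread show, so pass the union of A answers from several lookups when checking a network-specific prefix.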

@binman-docker

Hello everyone - I'm really happy to announce that we now have a beta IPv6 endpoint for Docker Hub Registry!

You can read some of the details (including implementation) on the blog: https://www.docker.com/blog/beta-ipv6-support-on-docker-hub-registry/

And please use this issue for feedback and technical discussion: docker/hub-feedback#2165

I want to note upfront that this is currently BETA - there is no guarantee of functionality, uptime, or that it will exist in the future. Please only use this for testing. What happens in the future (keeping this domain, making the main domain dualstack, etc) depends on the feedback we receive, so please let us know how it goes!

@A1bi

A1bi commented Oct 27, 2021

Awesome! I will definitely try it out.
That blog article perfectly explains why this wasn’t as easy as just flipping a switch. Great work!

@jkroepke

@binman-docker Since the current implementation is a BETA feature and not recommended for production, do you still have in mind that this feature is really shipped?

I personally see this issue as still in 'Developer Preview/Experimental' and am interested in a roadmap item for when IPv6 is officially available. By officially, I mean the registry-1.docker.io endpoint.

@danopia

danopia commented Mar 16, 2022

> @binman-docker Since the current implementation is a BETA feature and not recommended for production

Just cross posting for the sake of the thread, that the IPv6-only endpoint was apparently promoted out of beta: docker/hub-feedback#2165 (comment)

I'd still agree as another user that dual stacking the primary endpoint is what would make this "shipped"

@aliel

aliel commented Apr 12, 2023

;()-[-}

2023 not yet?

@wget

wget commented Apr 17, 2023

@aliel It seems like registry.docker.com now both answers with IPv4/IPv6 in dual stack, so I assume this is fixed, otherwise I would have complained =)

@gramakri

Can confirm:

$ host registry.docker.com
registry.docker.com has address 52.1.184.176
registry.docker.com has address 34.194.164.123
registry.docker.com has address 18.215.138.58
registry.docker.com has IPv6 address 2600:1f18:2148:bc01:a3b0:6734:c617:7c5c
registry.docker.com has IPv6 address 2600:1f18:2148:bc00:8334:ca86:c3d6:a507
registry.docker.com has IPv6 address 2600:1f18:2148:bc02:cfd8:db68:ea1f:277c

@ryanhristovski
Member

Hi everyone, just wanted to update here that we have officially rolled out dual-stack networking capabilities across all of our Docker Hub Registry, Docker Docs, and Docker Scout endpoints!

Read more about it here: https://www.docker.com/blog/docker-hub-registry-ipv6-support-now-generally-available/

Projects
Status: Shipped! Enjoy!