get.docker.com is not available from IPv6-only network

[narqo]

As get.docker.com doesn't have IPv6 address, it's unreachable from our internal IPv6-only cloud network.

› host get.docker.com
get.docker.com is an alias for d3vuzgspmaykda.cloudfront.net.
d3vuzgspmaykda.cloudfront.net has address 54.230.96.38
d3vuzgspmaykda.cloudfront.net has address 54.230.96.43
d3vuzgspmaykda.cloudfront.net has address 54.230.96.75
d3vuzgspmaykda.cloudfront.net has address 54.230.96.108
d3vuzgspmaykda.cloudfront.net has address 54.230.96.118
d3vuzgspmaykda.cloudfront.net has address 54.230.96.119
d3vuzgspmaykda.cloudfront.net has address 54.230.96.131
d3vuzgspmaykda.cloudfront.net has address 54.230.96.34

› ping get.docker.com
PING d3vuzgspmaykda.cloudfront.net (54.230.96.131) 56(84) bytes of data.
From 169.254.4.94 icmp_seq=1 Destination Host Unreachable

› ping6 get.docker.com
unknown host

[thaJeztah]

/cc @jfrazelle

[jessfraz]

Yeah this is expected I can't really do much we don't have ipv6 for that domain sorry maybe in the future

[justincormack]

Unfortunately this is an Amazon issue that they don't support ipv6 on cloudfront, there is a forum thread since 2010 about it https://forums.aws.amazon.com/thread.jspa?threadID=48652 - please complain there and in the innumerable other threads about lack of ipv6 support on AWS. I think you have to run some kind of 6-to-4 still not ipv6 only, github is another place I have an issue with ipv6 only service who are not doing anything about it.

[thomasschaeferm]

Docker made the the decision to use aws.
So docker users blame docker not aws.

On the other hand:
User of IPv6-only-networks should know NAT64/DNS64.

For test purpose you can use:

DNS server:
2001:67c:27e4::46
2001:778::37

As long docker doesn't use IPv4-literals it should work. If docker uses IPv4-literals, then it should be fixed.

[narqo]

User of IPv6-only-networks should know NAT64/DNS64.

Yes, it works fine with our in-house NAT64/DNS64 solution. My problems have started when I tried to use docker-machine as a tool to setup a machine inside our IPv6 cloud. docker-machine uses get.docker.com as default --engine-url= value. So the only solution I've found was to fork the script from get.docker.com and place it somewhere newly created machine could reach it.

Docker made the the decision to use aws.
So docker users blame docker not aws.

I think a good starting point would be to add some mentions somewhere in the docs which'd described this current restrictions.

[jessfraz]

can you try now, it should work!

[jessfraz]

for apt.dockerproject.org and yum.dockerproject.org only

[jessfraz]

I dont have access to the other domains unfortunately

[jessfraz]

[justincormack]

Those work for me.

[jessfraz]

\o/

On Mon, Jan 25, 2016 at 1:23 PM, Justin Cormack notifications@github.com
wrote:

Those work for me.

—
Reply to this email directly or view it on GitHub
#17790 (comment).

[narqo]

Hm, no, it doesn't seem to work for me, currently:

› host apt.dockerproject.org
apt.dockerproject.org is an alias for j.global-ssl.fastly.net.
j.global-ssl.fastly.net has address 23.235.43.68

› ping6 apt.dockerproject.org
unknown host

[jessfraz]

I had to turn it off it broke something looking at other ways..

On Monday, January 25, 2016, Vladimir Varankin notifications@github.com
wrote:

Hm, no, it doesn't seem to work for me, currently:

› host apt.dockerproject.orgapt.dockerproject.org is an alias for j.global-ssl.fastly.net.j.global-ssl.fastly.net has address 23.235.43.68

› ping6 apt.dockerproject.org
unknown host

—
Reply to this email directly or view it on GitHub
#17790 (comment).

[jessfraz]

so I have turned on for yum.dockerproject.org but gnutls for apt does not like the ssl stuff w cloudflare...

[alexanderkjall]

@jfrazelle Thanks for all the work, is the apt problems logged as a bug somewhere that I can track? Or would you be willing to provide enough details so that I can file a bug against apt?

[jessfraz]

It's a bug in gnutls I'm still digging into it tho :)

On Wednesday, January 27, 2016, Alexander Kjäll notifications@github.com
wrote:

@jfrazelle https://github.com/jfrazelle Thanks for all the work, is the
apt problems logged as a bug somewhere that I can track? Or would you be
willing to provide enough details so that I can file a bug against apt?

—
Reply to this email directly or view it on GitHub
#17790 (comment).

[jessfraz]

so i think its gnutls + ocsp stapling

[CpuID]

Any updates on this?

It's known that AWS do not support IPv6, and have not made any announcements regarding this coming soon or anything.

Is it worth Docker throwing an alternate CDN in front of apt.dockerproject.org, yum.dockerproject.org and get.docker.com respectively? One that can perform the required v6 -> v4 translation effectively.

There are quite a few CDNs with IPv6 support, Fastly, Verizon, Akamai, Cloudflare, etc just not AWS (EC2 and CloudFront).

[jessfraz]

Breaks ssl in gnu apt tools when you turn on CF proxy

On Friday, July 1, 2016, Nathan Sullivan notifications@github.com wrote:

Any updates on this?

It's known that AWS do not support IPv6, and have not made any
announcements regarding this coming soon or anything.

Is it worth Docker throwing an alternate CDN in front of
apt.dockerproject.org, yum.dockerproject.org and get.docker.com
respectively? One that can perform the required v6 -> v4 translation
effectively.

There are quite a few CDNs with IPv6 support, Fastly, Verizon, Akamai,
Cloudflare, etc just not AWS (EC2 and CloudFront).

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#17790 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/ABYNbC_34ZY2u3MXu1iwLAY7lpEjkLdbks5qRewOgaJpZM4GeCYu
.

Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3

[ice799]

Greetings:

We've just enabled ipv6 support for packagecloud.io, it is CDN backed (not by CF), and everything is served over TLS. We're in beta for ipv6 right now, but so far no reports of TLS breakage. LMK if there's any way I can help.

[joegross]

We have every intention and desire to support IPv6 as soon as it's practicable. As far as I'm concerned v6 is part of, "being on the internet."

The reality (as you can see in the comments) is not always straightforward. I promise we'll have it as soon as we can.

[justincormack]

Cloudfront just introduced ipv6 support https://aws.amazon.com/about-aws/whats-new/2016/10/ipv6-support-for-cloudfront-waf-and-s3-transfer-acceleration/

@joegross does tat start to make it feasible?

[stigok]

A wholeheartedly bump

We have every intention and desire to support IPv6 as soon as it's practicable. As far as I'm concerned v6 is part of, "being on the internet."
The reality (as you can see in the comments) is not always straightforward. I promise we'll have it as soon as we can.

[thaJeztah]

ping @andrewhsu ptal

[slugan]

Hi, do you think it might be possible to try to enable IPv6 support again?

Some other projects also using deb apt to access Amazon CloudFront hosted repositories with IPv6 + TLS seem to have it working for one year now: nodesource/distributions#170 (deb.nodesource.com).

Amazon indeed introduced IPv6 support in CloudFront in October 2016: https://aws.amazon.com/about-aws/whats-new/2016/10/ipv6-support-for-cloudfront-waf-and-s3-transfer-acceleration/ .

[seemethere]

@slugan IPv6 support is already available for download.docker.com and I just turned on IPv6 support for get.docker.com and test.docker.com

[cpuguy83]

Thans @seemethere!
Closing this one.

[slugan]

Thanks @seemethere !
Do you think it might be possible to enable IPv6 support for apt.dockerproject.org as well (I have actually been redirected to this issue from #18342 which was about apt.dockerproject.org, the Debian Docker repository)?

[thaJeztah]

@slugan apt.dockerproject.org is deprecated, and only kept for legacy releases; all current releases are published to https://download.docker.com (which contains both the apt and yum repositories, as well as static builds)