docker --ipv6=false not disable ipv6 for container #20569

Closed
netroby opened this issue Feb 22, 2016 · 28 comments · Fixed by #29891

@netroby netroby commented Feb 22, 2016

I run the docker daemon with ipv6 false, but it does not disable ipv6 for me.

w ~ # docker exec -it php-fpm /bin/bash
root@6fe88f0f2b68:/var/www/html# ip addres
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
52: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:12:00:05 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.5/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe12:5/64 scope link 
       valid_lft forever preferred_lft forever

I already disabled ipv6 on the host machine

huzhifeng@w ~ $ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether ac:22:0b:4f:b3:32 brd ff:ff:ff:ff:ff:ff
    inet 10.0.12.231/24 brd 10.0.12.255 scope global eth0
       valid_lft forever preferred_lft forever

Here is the command I use to run the docker daemon

root      7287  0.2  0.2 1240636 34500 ?       Ssl  16:23   0:00 /usr/bin/docker daemon --ipv6=false --dns 208.67.222.222 --dns 208.67.220.220

And here is my docker version

huzhifeng@w ~ $ docker version
Client:
 Version:      1.10.1
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   9e83765
 Built:        Thu Feb 11 19:27:08 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.10.1
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   9e83765
 Built:        Thu Feb 11 19:27:08 2016
 OS/Arch:      linux/amd64

Contributor

@aboch aboch commented Feb 22, 2016

I will look into it.

Contributor

@aboch aboch commented Feb 23, 2016

@netroby
The --ipv6 flag for docker daemon, and now also for docker network create (see #17513), is really a network option not a container option.

Consider the case where a container is connected to two networks, one that was created with --ipv6=false and one that was created with --ipv6=true.

In this case, I am thinking we should disable the ipv6 on per-interface basis, based on whether the network to which the interface is connecting has --ipv6=false.

If you think this makes sense, we can move on with the needed changes in libnetwork. Let me know.

Author

@netroby netroby commented Feb 23, 2016

I need a way to let docker disable ipv6 for all our machines. We do not use ipv6 at all, and mixed ipv6 and ipv4 cause more network problems. We decided to have a way to disable it. Inside the container, we do not expect any ipv6 address or route.

At this point, a global flag to disable ipv6 should be fine for me.

Author

@netroby netroby commented Feb 23, 2016

When we call docker network create, we want to create an ipv4 network, not ipv6.

Contributor

@aanm aanm commented Feb 25, 2016

@netroby out of curiosity, why are you forcefully using IPv4?

Author

@netroby netroby commented Feb 25, 2016

In our country (China), there is no ipv6 ip address and network at all, so we use only ipv4 ip addresses.

Author

@netroby netroby commented Jun 30, 2016

The dns resolution is so slow; disabling ipv6 may let docker respond to dns queries quickly.

@FelikZ FelikZ commented Jul 7, 2016

Docker is always using ipv6, regardless of the --ipv6=false option. Fixed after adding --ip=xxx.xxx.xxx.xx

Docker info:

Containers: 6
 Running: 6
 Paused: 0
 Stopped: 0
Images: 23
Server Version: 1.11.2
Storage Driver: devicemapper
 Pool Name: docker-253:0-2755193-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 107.4 GB
 Backing Filesystem: ext4
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 8.557 GB
 Data Space Total: 107.4 GB
 Data Space Available: 30.58 GB
 Metadata Space Used: 10.12 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.137 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.107-RHEL7 (2015-12-01)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: host bridge null
Kernel Version: 3.10.0-327.18.2.el7.x86_64
Operating System: Scientific Linux 7.2 (Nitrogen)
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 23.39 GiB
Name: infojobs-demo.textkernel.local
ID: K6YF:5O62:SQHV:JBWG:BY3Z:TWOO:KRR3:MBFC:JXXP:IYSL:W5VK:NZMU
Docker Root Dir: /var/lib/docker
Debug mode (client): false
Debug mode (server): false
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

docker.service

$ sudo cat /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network.target docker.socket
Requires=docker.socket

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/docker daemon -H fd://  --insecure-registry some-domain:5000 --ipv6=false --ip=localip
MountFlags=slave
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes

[Install]
WantedBy=multi-user.target

@Aitozi Aitozi commented Jul 21, 2016

@netroby have you solved the problem? I met the same problem as you. I want to start docker with the ipv6.disabled=1

@zerthimon zerthimon commented Jul 22, 2016

+1
Let users disable ipv6 for their own reasons!

@leopay leopay commented Jul 27, 2016

+1

@mliker mliker commented Aug 15, 2016

Are there any instructions to disable this manually? I am also facing long dns resolutions due to ipv6.

My host (CentOS) has ipv6 disabled, however, docker run always creates ipv6 stack inside a container.

How can I prevent/disable/revert this behaviour?

Docker Server Version: 1.10.3

@mato mato commented Sep 21, 2016

@aboch I've spent some time looking into this due to running into a benign variant of #5618 on my dev machines.

We currently state in the documentation that the daemon must be run with the --ipv6 option in order to enable IPv6. However, the daemon does not disable default IPv6 behaviour (link-local addresses, DAD) in containers when run without the --ipv6 option. This is a bug.

Correcting the behaviour of the daemon / libnetwork to disable IPv6 globally (i.e. in libnetwork terms for all sandboxes, endpoints and associated host interfaces) by default would give the following benefits to the majority of users not using IPv6 in containers:

  • Fix for #5618 for those users who cannot upgrade to a newer kernel.
  • Eliminate unnecessary DAD and router solicitation traffic on container networks. Currently, even when starting a container without IPv6 the kernel will attempt both on each container interface. For users starting many containers this traffic will add up rapidly.

WDYT?

@mato mato commented Sep 21, 2016

@mliker Unfortunately it's not possible to completely disable IPv6 on the container side manually. This is due to the Linux kernel setting net.ipv6.conf.*.disable_ipv6 to 0 when creating a network namespace regardless of any settings on the host.

Contributor

@justincormack justincormack commented Sep 21, 2016

You can add the --sysctl option to docker run to disable. Not sure if this
is applied before or after interface creation though.

@mliker mliker commented Sep 21, 2016

Thanks. I have had success with using the --sysctl option to disable ipv6 in a container with a fairly recent docker client.

@mato mato commented Sep 21, 2016

Right, I just tested with --sysctl net.ipv6.conf.all.disable_ipv6=1 and that does the right thing on the container side, however it's unlikely to fix all cases of #5618 for two reasons:

  • A newly created namespace already has an lo interface, so the underlying refcount issue stands. This will need a fix on the libnetwork side to explicitly apply the sysctl to lo before bringing up the interface, which should be enough to stop triggering the refcount bug for lo.
  • I can see the first DAD packet still hitting docker0, therefore the sysctl is getting applied after interface creation.

Edit: The refcount bug is in the DAD code, so disabling IPv6 on an interface before bringup is safe.
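
One way to check a container's `ip address` output for the leftover IPv6 addresses discussed above (an added example, not part of the original thread; the function names `ipv6_addrs` and `ipv6_verdict` are hypothetical, and the sample is the container output from the first post with the `valid_lft` lines trimmed):

```shell
#!/bin/sh
# Added example: report which interfaces still carry IPv6 addresses,
# based on `ip address` output read from stdin.

# Sample taken from the first post in this thread (valid_lft lines trimmed).
SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
52: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:12:00:05 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.5/16 scope global eth0
    inet6 fe80::42:acff:fe12:5/64 scope link'

# Print one "iface address scope" line per inet6 entry.
ipv6_addrs() {
    awk '
        # Interface header, e.g. "52: eth0:" or "52: eth0@if53:".
        /^[0-9]+: / { iface = $2; sub(/:$/, "", iface); sub(/@.*/, "", iface); next }
        $1 == "inet6" {
            scope = "unknown"
            for (i = 3; i < NF; i++) if ($i == "scope") scope = $(i + 1)
            print iface, $2, scope
        }
    '
}

# Summarise: "none" (no inet6 at all), "loopback-only" (just lo, the case
# that breaks or keeps services bound to ::1), or "present" (any other
# interface, e.g. a link-local address on eth0 that triggers DAD traffic).
ipv6_verdict() {
    addrs=$(ipv6_addrs)
    if [ -z "$addrs" ]; then
        echo "none"
    elif printf '%s\n' "$addrs" | grep -qv '^lo '; then
        echo "present"
    else
        echo "loopback-only"
    fi
}

printf '%s\n' "$SAMPLE" | ipv6_addrs
printf '%s\n' "$SAMPLE" | ipv6_verdict
```

Against a running container, pipe the live output instead, for example `docker exec php-fpm ip address | ipv6_verdict`, and compare the result with and without `--sysctl net.ipv6.conf.all.disable_ipv6=1`.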

Member

@thaJeztah thaJeztah commented Sep 21, 2016

Contributor

@aboch aboch commented Sep 21, 2016

I will try to get the current libnetwork PR moving.

@mato mato commented Sep 21, 2016

@aboch Which PR is that?

Contributor

@aboch aboch commented Sep 21, 2016

@lyenking lyenking commented Oct 18, 2016

@netroby hi, I beg your pardon, ..... speaking Chinese: buddy, has your problem been solved???

@aboch aboch self-assigned this Nov 1, 2016

@aliasmee aliasmee commented Nov 9, 2016

Thank you. net.ipv6.conf.all.disable_ipv6 = 1 is ok!

@Deshke Deshke commented Apr 26, 2017

hey, would be nice if that would be in the changelog, because if you start with docker-compose

services: 
  thing1:
    build: ./ 
    image: "thing1"
    restart: always
    network_mode: "host"
    environment:

the host system kills its IPv6 Network on a reboot - also with this fix there is no IPv6 Loopback device inside the container

    sysctls:
      net.ipv6.conf.all.disable_ipv6: 0

works

@SpComb SpComb commented Apr 27, 2017

hey, would be nice if that would be in the changelog, [...] also with this fix there is no IPv6 Loopback device inside the container

This is a regression that breaks services that default to binding on ::1. After a Docker 1.12 -> 17.04 upgrade, they now fail to start because the lo interface ::1 address is missing:

[2017-04-27 07:51:39.649] nsd[13]: error: can't bind tcp socket: Cannot assign requested address
[2017-04-27 07:51:39.649] nsd[13]: error: cannot open control interface ::1 8952
[2017-04-27 07:51:39.649] nsd[13]: error: could not open remote control port
[2017-04-27 07:51:39.649] nsd[13]: error: could not perform remote control setup

Member

@thaJeztah thaJeztah commented Apr 28, 2017

@SpComb see #32433, and #32447

@fffffreedom fffffreedom commented Nov 28, 2017

@mato hi, can disabling ipv6 in the docker container solve #5618? thanks

@rishiloyola rishiloyola commented Nov 8, 2018

No, the --sysctl net.ipv6.conf.all.disable_ipv6=1 option is not working for me.
Is there any alternative approach?

Docker version: Docker version 18.06.1-ce, build e68fc7a215d7133c34aa18e3b72b4a21fd0c6136
