Please implement IPv6 NAT as an available alternative option when using docker with IPv6 enabled #25407
Comments
I tried to collect some outstanding IPv6 issue tickets which I believe would be resolved with the availability of IPv6 NAT:
While those issues would still not necessarily be resolved for anyone not using NAT, this could be clearly documented and then everyone not choosing to use NAT would have clear knowledge that they are expected to put in a bit more effort for custom routing and firewall rules with iptables if they want to choose that approach. (People with non-NAT interests are mostly those running larger datacenters with custom routing setups anyway.) |
See also #13481 where this is discussed. On 4 Aug 2016 3:54 p.m., "Jonas Thiem" notifications@github.com wrote:
|
Let me say that the issue is tightly coupled to moby/libnetwork#1183 |
Is there any progress on this? It would be nice if this was eventually added. As described above it's not really a revolutionary feature or anything that someone running a big data center setup would need, but it would really go a long way toward making docker easier to set up for beginners and small server owners. |
ping @docker/core-libnetwork-maintainers |
Is there any news on that issue? This would be a really nice feature. |
A use-case for this feature would be in Amazon EC2, since they have recently widely released IPv6 addressing. Unfortunately, they only allow you to assign individual IPv6 addresses (/128) to EC2 instances. You also cannot add routes for IPv6 subnets (for instance a /80 of the VPC's /56) to EC2 instances within the VPC's routing tables. These two limitations make IPv6 NAT the easiest solution for container connectivity on an EC2 instance. |
Hi. Trying to deploy docker with IPv6, but have found a few issues. IIUC, and according to https://docs.docker.com/engine/userguide/networking/default_network/ipv6/ setting --ipv6 on the docker daemon would enable IPv6 for docker. /etc/systemd/system/docker.service.d/ipv6.conf
At this point, docker is able to start and containers will get valid IPv6 addresses, but containers aren't able to ping the outside world/beyond the docker host. It seems that as IPv6 doesn't have NAT, outgoing requests would be using the internal docker IP/network, but the target doesn't know where that network is located, so it can't "return". So, to be able to go beyond the host, ndp_proxy can be enabled
and a neighbour proxy must be declared for each specific IP
So now, we are able to ping6 www.google.com within the container. Adding each container IP manually as a neighbour - IMHO - it's painful, horrible and kills a few cats each time it's done. To avoid that, ndppd is suggested. Wouldn't it make sense for docker to add and remove those neighbours automatically? Wouldn't IPv6 NAT solve this issue also? Moreover, swarm mode provides HA for docker services, i.e. any docker host can answer a request, no matter if the container is running on another host. Is there any issue open to provide HA for docker hosts? Maybe a daemon configuration for IPVS could be a good alternative to fix this. Is anyone working on this? Anyway, setting IPv6 networks on the daemon requires setting different networks on each host, and requires adding ip routes to be able to use IPv6 between docker on different containers. May this comment be a request to improve the docker IPv6 and swarm mode stack. I'll happily help testing anything you may need. |
FYI, @CtrlZvi has an open PR for automating the ndp_proxy programming: moby/libnetwork#1316 EDIT: Oh, I just realized you were already pointing this PR out |
Since it has been almost a year, is anyone looking into this? It would be really neat to have, given IPv6 has now some actual real world usage... And as far as I am aware, without this there is still no neat way to easily run a docker dev environment with full IPv6 connectivity without lots of pain. You either have to manually add routing of some sort, or accept that EXPOSE doesn't work, publish doesn't work, running multiple microservices in separate containers on the same ip doesn't work... none of which is a problem in a production environment with a custom routing setup and proxies etc that make all of those things work again in various other ways, but definitely a big problem on a dev machine where you just randomly throw up services to test and work on them. |
Regarding swarm IPv6 connectivity, as described in https://docs.docker.com/engine/userguide/networking/default_network/ipv6/#docker-ipv6-cluster, some routes must be managed externally to docker. As a temporary workaround to improve swarm and IPv6, and to make it possible for docker to create the host's routes automatically, couldn't it use IPv4 connectivity to retrieve the host's IPv6 and docker networks' IPv6 addresses and send them to the manager?
|
+1 for the request. 1und1 servers only get one IPv6 address. I want all my dockers to use IPv6, but I don't want to start all ip6tables rules by hand (I think a "-p 443:443" at startup should do the trick). And even if I get more than one IPv6 address, I couldn't say "DNS your AAAA record is one of many xx:xx:xx/64 addresses. But I don't know which one." I consider docker IPv6 as broken, until this "feature" is implemented. |
I also run into problems caused by the lack of the IPv6 NAT feature. I have a postfix container running on a host. IPv6 is enabled and the SMTP port is exposed via |
@jojoob great finding! I just tried it out and it works like a charm. |
I agree with @BenediktS. Without NAT/Masquerade/port forwarding available for IPv6, Docker doesn't support IPv6. |
I am working on a patch for this. What kind of testing occurs to get through the Docker open source process? |
@wrridgwa you can propose your patch by opening a pull request where it should pass all tests. Also you should have a good test coverage as well as some documentation. Thanks for your commitment! |
Here is a pull request with the fix: moby/libnetwork#1992 |
Oh that's so neat!! Any chance this could get merged? ❤️ |
Is there any news? |
Signed-off-by: Billy Ridgway <wrridgwa@us.ibm.com>
@pznamensky Still waiting for Docker people to move the pull request along. |
It's a shame it's just sitting here, more or less finished. I have been waiting for this feature for years 😢 |
This is a really important feature for Docker and it's a shame it's not supported yet. Could the maintainers please take this on priority? A lot of people are blocked from using Docker with IPv6 in production because short of having a subnet on the host machine, all other ways seem to be temporary workarounds. |
Bumping this, as it's a very important feature. The world is moving to IPv6, and docker containers should be able to easily access IPv6 servers without fiddling about with manual IP assignments. I know IPv6 NAT is a problematic proposal in many ways, but for rapid prototyping and ease of use it should definitely be available, while not recommended for production use. |
@b01t it's already implemented, but the docker people just don't merge it, which is disappointing. (sorry if I sound a little frustrated...) |
+1 Can only add to that. |
Hi, is there any plan to implement this? It's already been 2+ years since this issue was raised and a lot of users have requested this. I understand the project maintainers have their own priority, but could we get a comment on whether this is planned and if it is, when it's targeted? |
@fcrisciani may I ping you on this? You indicated this would be considered for future plans, but that was many months ago (Edit: the pull request here moby/libnetwork#2023 to be specific) |
Hi. I have struggled for some weeks to understand why I couldn't ping the outside world with an IPv6 container. I had exactly the same issues as @mostolog's. As an internship student, discovering docker by doing some tests in IPv6 containers is really painful... It feels like we can make this work only with error-prone hacks at the moment... I have read some similar issues and I don't understand why, two years after, this issue is still relevant and referenced. As @Jonast said, IPv6 support should be a priority and you have several companies wasting a lot of time to make it work. |
Signed-off-by: Billy Ridgway <wrridgwa@us.ibm.com>
Signed-off-by: Billy Ridgway <wrridgwa@us.ibm.com> Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
Docker's current IPv6 behavior currently still has the following outstanding problems:
Due to those and other reasons, it would be very nice if IPv6 NAT was added as an option (not a full replacement for the current IPv6 default behavior) which could be enabled by the user if desired, to perfectly copy the current IPv4 NAT behavior and resolve all of the things listed above and provide an easy to use standard behavior that "just works".
Please note I agree NAT for IPv6 is often a terrible idea in a larger datacenter where you write custom routing and address assignments anyway - which is why NAT should be an option, not a replacement for the current behavior -, but for small servers and laptops where people just want a working default solution, it would be a big improvement.
There is a temporary implementation available from @robbertkl as a privileged container that modifies the iptables rules on the host with automated container discovery using dockergen: https://github.com/robbertkl/docker-ipv6nat . However, it would be neat if this functionality was integrated into docker itself like IPv4 NAT.
(I created this ticket out of a discussion in ticket #13481 where you can read up more details on the previous discussion)
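
A sketch of the kind of rule set an opt-in IPv6 NAT mode involves (masquerading for outbound traffic, DNAT for a published port), added here as an illustration; it is not code from Docker, libnetwork or docker-ipv6nat. The ULA subnet, bridge name, container address, port and function names are assumptions, and the script only prints `ip6tables` commands rather than applying them.

```shell
#!/bin/sh
# Prints ip6tables commands; nothing is applied. All addresses, ports and
# the bridge name used here are constructed sample values.

# masquerade_rule SUBNET BRIDGE: outbound container traffic leaves the
# host with the host's own IPv6 address.
masquerade_rule() {
    printf 'ip6tables -t nat -A POSTROUTING -s %s ! -o %s -j MASQUERADE\n' "$1" "$2"
}

# publish_rules BRIDGE HOST_PORT CONTAINER_ADDR CONTAINER_PORT [PROTO]
# IPv6 counterpart of "-p HOST_PORT:CONTAINER_PORT": a DNAT rule plus a
# forward rule that admits only that one port to the container.
publish_rules() {
    bridge=$1 hport=$2 caddr=$3 cport=$4 proto=${5:-tcp}
    case $caddr in
        *:*) ;;  # crude check: an IPv6 literal contains a colon
        *) echo "not an IPv6 address: $caddr" >&2; return 1 ;;
    esac
    for p in "$hport" "$cport"; do
        case $p in
            ''|*[!0-9]*) echo "port must be numeric: $p" >&2; return 1 ;;
        esac
    done
    # ip6tables wants the address in brackets when a port follows it.
    printf 'ip6tables -t nat -A PREROUTING ! -i %s -p %s --dport %s -j DNAT --to-destination [%s]:%s\n' \
        "$bridge" "$proto" "$hport" "$caddr" "$cport"
    printf 'ip6tables -A FORWARD ! -i %s -o %s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$bridge" "$bridge" "$caddr" "$proto" "$cport"
}

# nat66_ruleset SUBNET BRIDGE [HOST_PORT CONTAINER_ADDR CONTAINER_PORT]...
# Order matters: the ACCEPT rules must precede the final DROP.
nat66_ruleset() {
    subnet=$1; bridge=$2; shift 2
    masquerade_rule "$subnet" "$bridge"
    printf 'ip6tables -A FORWARD -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$bridge"
    while [ "$#" -ge 3 ]; do
        publish_rules "$bridge" "$1" "$2" "$3" || return 1
        shift 3
    done
    # Assumption of this sketch: unpublished ports are dropped explicitly.
    printf 'ip6tables -A FORWARD ! -i %s -o %s -j DROP\n' "$bridge" "$bridge"
}

# Sample run: a ULA subnet on docker0 with one container publishing 443.
nat66_ruleset fd00:dead:beef::/48 docker0 443 fd00:dead:beef::2 443
```

Reviewing the printed rules before applying them shows which container ports become reachable from outside the host.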