-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
/etc/hosts contains IPv6 entries even when IPv6 is not enabled #35954
Comments
you are very great you help me a lot in Ipv6 entities . Bundle of Thanks |
Hi @swmuck from https://docs.docker.com/engine/userguide/networking/default_network/ipv6/
It seems like this is not a bug but an expected behavior. Thanks a lot. |
Hi @ripcurld0 When IPv6 is not enabled
I have a different interpretation of the paragraph from the documenation you quoted:
Only if IPv6 is enabled docker will set up the bridge docker0 with the IPv6 link-local address fe80::1. All the other paragraphs on https://docs.docker.com/engine/userguide/networking/default_network/ipv6/ would also only apply when IPv6 is enabled. Stefan |
@fcrisciani @mavenugo can you look at this ticket and determine whether it's a bug? Thanks a lot. |
I came across the same issue today. IPV6 is disabled on the host machine but still, I see the IPV6 entries in the /etc/hosts file inside the docker container. My tests were breaking due to below issue: Had to enable IPV6 on host to unblock myself for now. |
Bump. IMHO, this behavior makes no sense. |
@singhsurjeet at the moment a workaround is to give precedence to IPv4 https://community.rackspace.com/products/f/public-cloud-forum/5110/how-to-prefer-ipv4-over-ipv6-in-ubuntu-and-centos |
It seems like Docker has an IPv6 localhost even when IPv6 is disabled. Use an explicit IPv4 address instead. See the GitHub issue moby/moby#35954 for more details.
The real problem here is that IPv6 should not be disabled and should be enabled by default. Interfaces should have their default IPv6 addresses assigned, even if you're not doing anything else with IPv6. lo should have ::1/128 and Ethernet interfaces should have their link local addresses, just like normal hosts. Then everything would just work, just like normal hosts, and your configuration wouldn't be on this trajectory of divergence from standard Linux distributions. |
I'm facing this issue. I can't just leave ipv6 addresses in localhost because one of my frameworks gets confused when localhost resolved to ipv6. Any ideas on how to handle it? |
Fix the framework so it handles IPv6. |
This is a known pain when developers forget about v6 ie a lot of mainstream Python stuff tries to bind on just |
IPv6 is a large increase in the attack surface of a network (ie: http://netpatterns.blogspot.com/2016/01/the-rising-sophistication-of-network.html ), and for overworked admins it's still not worth deploying for many. |
This is a real PIA.. if dockerd is not configured to enable IP6 support it should not be populating IPv6 addresses to the host file inside the container.. ESPECIALLY overlapping on the name 'localhost' because a lot of software uses this to determine which interfaces to bind to and it will try binding to a non existent ipv6 interface and fail.. one example is postfix on rhel/centos7 it's config inet_intefaces = localhost causes it to fail to start. Yes one can edit the config file to fix this but if your purpose for using containers is testing ansible playbooks for use on various OS distros it's self defeating to make changes to enable testing that don't need to be made in real systems. My Centos 7 container on docker without IPv6 enabled:
My ubuntu hosts file:
It is possible to hack around this with sloppy entrypoint scripts that sed out the entires it shouldn't be necessary. This is especially frustrating as there doesn't seem to be support in the dockerd for enabling ipv6 only on the localhost interface (despite what the docs said you are required to provide a cidr for ip allocation on the non-local interface). The real question here is what is the purpose of adding these ipv6 host file entries when docker has no intention of enabing IPv6 on the interfaces? This is incorrect behaviour and should be prioritised. Simply removing the localhost attachment to ::1 (as ubuntu does) would basically resolve this as the other entries would only be used if explicitly referenced as ip6-localhost in which case there is no grey area as to ownerhip as the software has explicitly requested ip6 and not been fooled by the host file. |
@skyscooby, you should be testing with IPv6 enabled, not trying to work around the problems resulting from it being incorrectly disabled. |
@kenyon that's a fine opinion if you are passionate about IPv6 but it is not a reason for injecting breaking behaviour into an infrastructure project that serves the masses for no good reason.. I'd suggest that you stop providing useless feedback on this thread so we can get a real fix going . For those that are looking for a workaround to this until this gets addressed by professionals, this is working for me. Though if you already have an entrypoint you will need to merge into that or do a similar thing in your language of choice. COPY docker-host-file-fix.sh /
|
@skyscooby, IPv6 is enabled by default on every operating system. That's not an opinion, simply a fact. The breaking behavior is the disabling of it in docker. What we definitely do not need is more broken software because developers like you are testing in legacy-only environments. |
@kenyon Why is docker shipping with ipv6 disabled by default in all distro then? I'll agree that this would largely be a mute point if is was just enabled by default (at minimum on the localhost interface) if detected in the underlying OS.. But it also doesn't change the fact that the current implementation is wrong and this is a bug that shouldn't be used to extort people into using IPv6 in environments where it is not necessary. |
By many of @kenyon’s comments, he is simply biased and toxic. Simple point: if a thing can be enabled and/or disabled, it should therefore work correctly and equally in both states. If not, fix it or remove the option. Very simple. We don’t use use ipv6 internally and don’t need it internally. As such, we disable it. If we aren’t using something, no need to increase our surface for attack. Basic security principal. We do this with many things. |
excuse my limited understanding, i am somewhat new to docker. i have ipv6 disabled. i am trying to use a 3rd party software in docker and apparently it stumbles over the ipv6 localhost entry made upon runtime. if ipv6 is disabled, it makes zero sense to have ipv6 entries in /etc/hosts, correct? so all things considered, ideally it would only add ipv6 entries to /etc/hosts when ipv6 is enabled, correct? i am just wondering, maybe someone can eli5, why is this issue still a thing when what i wrote above is a simple no-brainer? |
It's a shame that this has somehow sparked some holy war over IPv6. It's really nothing to do with IPv6 or not... it's about docker adding hosts entries for non-existent addresses. it cannot be correct for docker to create a hosts entry for
But not also setup ::1 on the loopback device. It should be neither or both. |
How is this still not addressed after all this time? |
Docker writes both "::1 localhost" and "127.0.0.1 localhost" in /etc/hosts even when not enabling IPv6 [1], causing glibc to resolve "localhost" to two identical IP addresses 127.0.0.1 and 127.0.0.1 [2], causing nginx to error out on "listen localhost:45123;" [3]: [emerg] a duplicate listen 127.0.0.1:45123 in /tmp/nginx.conf:29 [1] moby/moby#35954 (comment) ("you should be testing with IPv6 enabled") [1] https://sourceware.org/bugzilla/show_bug.cgi?id=14969 (open since 2012-12-17) [2] https://trac.nginx.org/nginx/ticket/2400 (workaround added 2022-11-23) Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@curii.com>
Description
/etc/hosts contains IPv6 entries when IPv6 is not enabled in daemon.json
The container interfaces do not have IPv6 addresses assigned:
Steps to reproduce the issue:
$ docker run debian:jessie cat /etc/hosts
Describe the results you received:
Describe the results you expected:
Output of
docker version
:Output of
docker info
:Additional environment details (AWS, VirtualBox, physical, etc.):
Running in RancherOS v1.1.2
The text was updated successfully, but these errors were encountered: