New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IPv6 is no longer proxied by default anymore #41858
Comments
In my case I'm unable to get an IPv6 only port forwarding working.
That worked with 20.10.1 but does no longer work with 20.10.2. That's a very unexpected behaviour. I guess there are many IPv6 only setups out there that are now broken. |
Having exactly the same issue. In version before 20.10.2 IPv6 port binding would "stuck" even when the container was taken down via docker-compose. And it would be released only when docker-engine was restarted. Now in 20.10.2 IPv6 binding is not working at all anymore.
This shows the port is bind in IPv4 and IPv6 but host only shows IPv4 ports binded.
|
This should be fixed by moby/libnetwork#2608 |
I give it a try testing a new Arch package release but I still have the same issue: with version 20.10.1
with a patched version 20.10.2:
|
20.10.2 recently hit the Ubuntu18 images we are using on Github Actions CI, and caused our Prisma MySQL and SQL Server database clients to fail in unexpected ways - which turned out to be bugs on our side: prisma/prisma#5499 If our investigation is right, this was caused by the behavior described above (and in linked issues). |
I have recently migrated to a new server and noticed that all my containers don't respond to ipv6 any more (docker from docker's apt repos, same daemon.json, same docker-compose files). This is the ss -tulpen output from the old server (docker version 19.03.11)
This is the ss -tulpen output from the new server (docker version 20.10.3)
As you can see, docker-proxy used to bind on ipv6 with v6only:0, but now does bind on ipv4 only, so I think we are being hit by this bug. When can we expect a release where this is fixed? |
Any idea when you will fix this? This bug has been breaking prod environments for months. Is this caused by anything that would justify the long wait? My intuition was you'd just have to bind to everything again. |
full diff: moby/libnetwork@fa125a3...b350742 - fixed IPv6 iptables rules for enabled firewalld (libnetwork#2609) - fixes "Docker uses 'iptables' instead of 'ip6tables' for IPv6 NAT rule, crashes" - Fix regression in docker-proxy - introduced in "Fix IPv6 Port Forwarding for the Bridge Driver" (libnetwork#2604) - fixes/addresses: "IPv4 and IPv6 addresses are not bound by default anymore" (libnetwork#2607) - fixes/addresses "IPv6 is no longer proxied by default anymore" (moby#41858) - Use hostIP to decide on Portmapper version - fixes docker-proxy not being stopped correctly Port mapping of containers now contain separatet mappings for IPv4 and IPv6 addresses, when listening on "any" IP address. Various tests had to be updated to take multiple mappings into account. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: moby/libnetwork@fa125a3...b350742 - fixed IPv6 iptables rules for enabled firewalld (libnetwork#2609) - fixes "Docker uses 'iptables' instead of 'ip6tables' for IPv6 NAT rule, crashes" - Fix regression in docker-proxy - introduced in "Fix IPv6 Port Forwarding for the Bridge Driver" (libnetwork#2604) - fixes/addresses: "IPv4 and IPv6 addresses are not bound by default anymore" (libnetwork#2607) - fixes/addresses "IPv6 is no longer proxied by default anymore" (moby#41858) - Use hostIP to decide on Portmapper version - fixes docker-proxy not being stopped correctly Port mapping of containers now contain separatet mappings for IPv4 and IPv6 addresses, when listening on "any" IP address. Various tests had to be updated to take multiple mappings into account. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 0450728) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This issue has been bothering me for a long time and I hope to release a fix version soon |
full diff: moby/libnetwork@fa125a3...b350742 - fixed IPv6 iptables rules for enabled firewalld (libnetwork#2609) - fixes "Docker uses 'iptables' instead of 'ip6tables' for IPv6 NAT rule, crashes" - Fix regression in docker-proxy - introduced in "Fix IPv6 Port Forwarding for the Bridge Driver" (libnetwork#2604) - fixes/addresses: "IPv4 and IPv6 addresses are not bound by default anymore" (libnetwork#2607) - fixes/addresses "IPv6 is no longer proxied by default anymore" (moby#41858) - Use hostIP to decide on Portmapper version - fixes docker-proxy not being stopped correctly Port mapping of containers now contain separatet mappings for IPv4 and IPv6 addresses, when listening on "any" IP address. Various tests had to be updated to take multiple mappings into account. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 0450728) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: moby/libnetwork@fa125a3...b350742 - fixed IPv6 iptables rules for enabled firewalld (libnetwork#2609) - fixes "Docker uses 'iptables' instead of 'ip6tables' for IPv6 NAT rule, crashes" - Fix regression in docker-proxy - introduced in "Fix IPv6 Port Forwarding for the Bridge Driver" (libnetwork#2604) - fixes/addresses: "IPv4 and IPv6 addresses are not bound by default anymore" (libnetwork#2607) - fixes/addresses "IPv6 is no longer proxied by default anymore" (moby#41858) - Use hostIP to decide on Portmapper version - fixes docker-proxy not being stopped correctly Port mapping of containers now contain separatet mappings for IPv4 and IPv6 addresses, when listening on "any" IP address. Various tests had to be updated to take multiple mappings into account. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 0450728) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Description
IPv6 is no longer proxied by default as of 20.10.2 (#41805). This is expanded in greater detail in moby/libnetwork#2607, but downgrading to 20.10.1 will restore the previous behavior. This change should be either documented or fixed to not surprise users.
Steps to reproduce the issue:
--publish 443:443
and get "IPv6 support" (proxy is just accepting any address and proxying to the container. This may be abusing the proxy, but it works.)Output of
docker version
:Output of
docker info
:The text was updated successfully, but these errors were encountered: