By default, Docker assigns IPv4 addresses to containers. Does Docker support IPv6 protocol too? If yes, how complicated is to get it enabled? Can I use docker-compose to build micro services which uses IPv6 addresses? What if I work for a company where our services run natively under IPv6 only environment? How shall I build Multi-Node Cluster setup using IPv6? Does Docker 17.06 Swarm Mode support IPv6?
I have been reading numerous queries, GITHUB issues around breaking IPv6 configuration while upgrading Docker version, issues related to IPv6 changes with host configuration etc. and just thought to share few of the findings around IPv6 effort ongoing in Docker upcoming releases.
Does Docker support IPv6 Protocol?
Yes. Support for IPv6 address has been there since Docker Engine 1.5 release.As of Docker 17.06 version (which is the latest stable release as of August 2017) by default, the Docker server configures the container network for IPv4 only. You can enable IPv4/IPv6 dualstack support by adding the below entry under daemon.json file as shown below:
File: /etc/docker/daemon.json
[simterm]
{
“ipv6”: true,
“fixed-cidr-v6”: “2001:db8:1::/64”
}
[/simterm]
This is very similar to old way of running the Docker daemon with the --ipv6
flag. Docker will set up the bridge docker0
with the IPv6 link-local address fe80::1
.
Why did we add “fixed-cidr-v6”: “2001:db8:1::/64” entry?
By default, containers that are created will only get a link-local IPv6 address. To assign globally routable IPv6 addresses to your containers you have to specify an IPv6 subnet to pick the addresses from. Setting the IPv6 subnet via the --fixed-cidr-v6
parameter when starting Docker daemon will help us achieve globally routable IPv6 address.
The subnet for Docker containers should at least have a size of /80
. This way an IPv6 address can end with the container’s MAC address and you prevent NDP neighbor cache invalidation issues in the Docker layer.
With the --fixed-cidr-v6
parameter set Docker will add a new route to the routing table. Further IPv6 routing will be enabled (you may prevent this by starting dockerd with --ip-forward=false
).
Let us closely examine the changes which Docker Host undergoes before & after IPv6 Enablement:
A Typical Host Network Configuration – Before IPv6 Enablement
As shown above, before IPv6 protocol is enabled, the docker0 bridge network shows IPv4 address only.
Let us enable IPv6 on the Host system. In case you find daemon.json already created under /etc/docker directory, don’t delete the old entries, rather just add these two below entries into the file as shown:
[simterm]
{
“ipv6”: true,
“fixed-cidr-v6”: “2001:db8:1::/64”
}
[/simterm]
Restarting the docker daemon to reflect the changes:
[simterm]
$sudo systemctl restart docker
[/simterm]
A Typical Host Network Configuration – After IPv6 Enablement
Did you see anything new? Yes, the docker0 now gets populated with IPV6 configuration.(shown below)
[simterm]
docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:06:62:82:4d brd ff:ff:ff:ff:ff:ff inet 172.17.0.1/16 scope global docker0 valid_lft forever preferred_lft forever
inet6 2001:db8:1::1/64 scope global tentative
valid_lft forever preferred_lft forever
inet6 fe80::1/64 scope link tentative valid_lft forever preferred_lft forever
[/simterm]
Not only this, the docker_gwbridge network interface too received IPV6 changes:
[simterm]
docker_gwbridge: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:bc:0b:2a:84 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 scope global docker_gwbridge
valid_lft forever preferred_lft forever
inet6 fe80::42:bcff:fe0b:2a84/64 scope link
valid_lft forever preferred_lft forever
[/simterm]
PING TEST – Verifying IPv6 Functionalities For Docker Host containers
Let us try bringing up two containers on the same host and see if they can ping each using IPV6 address:
Setting up Ubuntu Container:
[simterm]
mymanager1==>sudo docker run -itd ajeetraina/ubuntu-iproute bash
[/simterm]
Setting up CentOS Container:
[simterm]
mymanager1==>sudo docker run -itd ajeetraina/centos-iproute bash
[/simterm]
[Please Note: If you are using default Ubuntu or CentOS Docker Image, you will be surprised to find that ip or ifconfig command doesn’t work. You might need to install iproute package for ip command to work & net-tools package for ifconfig to work. If you want to save time, use ajeetraina/ubuntu-iproute for Ubuntu OR ajeetraina/centos-iproute for CentOS directly.]
Now let us initiate the quick ping test:
In this example the Docker container is assigned a link-local address with the network suffix /64
(here: fe80::42:acff:fe11:3/64
) and a globally routable IPv6 address (here: 2001:db8:1:0:0:242:ac11:3/64
). The container will create connections to addresses outside of the 2001:db8:1::/64
network via the link-local gateway at fe80::1
on eth0
.
[simterm]
mymanager1==>sudo docker exec -it 907 ping6 fe80::42:acff:fe11:2
PING fe80::42:acff:fe11:2(fe80::42:acff:fe11:2) 56 data bytes
64 bytes from fe80::42:acff:fe11:2%eth0: icmp_seq=1 ttl=64 time=0.153 ms
64 bytes from fe80::42:acff:fe11:2%eth0: icmp_seq=2 ttl=64 time=0.100 ms
^C
— fe80::42:acff:fe11:2 ping statistics —2 packets transmitted, 2 received, 0% packet loss, time 999
msrtt min/avg/max/mdev = 0.100/0.126/0.153/0.028 ms
[/simterm]
So the two containers are able to reach out to each other using IPv6 address.
Does Docker Compose support IPv6 protocol?
The answer is Yes. Let us verify it using docker-compose version 1.15.0 and compose file format 2.1. I faced an issue while I use the latest 3.3 file format. As Docker Swarm Mode doesn’t support IPv6, hence it is not included under 3.3 file format. Till then, let us try to bring up container using IPv6 address using 2.1 file format:
[simterm]
$docker-compose version
version 1.15.0, build e12f3b9
docker-py version: 2.4.2
CPython version: 2.7.13
OpenSSL version: OpenSSL 1.0.1t 3 May 2016
[/simterm]
Let us first verify the network available in the host machine:
File: docker-compose.yml
[simterm]
version: ‘2.1’
services:
app:
image: busybox
command: ping www.collabnix.com
networks:
app_net:
ipv6_address: 2001:3200:3200::20
networks:
app_net:
enable_ipv6: true
driver: bridge
ipam:
driver: default
config:
– subnet: 2001:3200:3200::/64
gateway: 2001:3200:3200::1
[/simterm]
The above docker-compose file will create a new network called testping_app_net based on IPv6 network under the subnet 2001:3200:3200::/64 and container should get IPv6 address automatically assigned.
Let us bring up services using docker-compose up and see if the services communicates over IPv6 protocol:
Verifying the IPv6 address for each container:
As shown above, this new container gets IPv6 address – 2001:3200:3200::20 and hence they are able to reach other flawlessly.
What’s Next? Under the next blog post, I am going to showcase how does IPv6 works across the multiple host machine and will talk about ongoing effort to bring IPv6 support in terms of Swarm Mode.
Did you find this blog helpful? Feel free to share your experience. Get in touch @ajeetsraina.
If you are looking out for contribution/discussion, join me at Collabnix Community Slack Channel.
Comments are closed.