Open beamerblvd opened 5 years ago
Maybe the problem is the docker-proxy
being a L4 proxy, it can only handle ipv4-to-ipv4 or ipv6-to-ipv6 proxy.
So, it can't forward your ipv6 request to a ipv4 backend.
That might be the case—I don't know. If that's the case, then 1) the documentation should say so and say how to configure it properly, and 2) docker-proxy
should fail to start if you don't have it configured properly.
Proxying ipv4-to-ipv6 and vise versa is useful functionality and it should not be hard to implement.
Currently I use nginx which listens on IPv6 address and forwards request to IPv4 address used by docker-proxy (to proxy traffic inside IPv4 container), but it would be nice to have ability to do the same without additional proxy layer (and accept v6 connections directly by docker-proxy).
I've hat to work around this using haproxy.
Having same issue
I think, at least docker proxy should not listen on ipv6 (should not bind to both v4 and v6) when in dockerd global configuration "ipv6" set to "false" and should only bind ipv4. When you have these two lines in /etc/hosts on the host machine (which is default for almost any IPv6-enabled linux system):
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
gethostbyname defaults to resolve to IPv6, so then curl http://localhost:8080/ (for container with proxy port 8080) will be timed out.
I apologize if I'm reporting this against the wrong project. There are lots of different projects to report against, and it's possible I got it wrong. Event though I'm using Compose, I'm certain this is not a Compose bug. Compose appears to be doing all the right things. The bug appears to be in the
docker-proxy
process.I'm using Docker Compose to run a DNS server (PowerDNS) within a container. Here is the config:
The virtual machine is assigned the IPv4 address
x.x.x.x
and the IPv6 addressaaaa::ffff
.I can ping both
x.x.x.x
andaaaa::ffff
from another machine in the same datacenter (~1.5ms round trip) and another machine in a different datacenter (~70ms round trip), so the addresses are unquestionably routable.Expected behavior
I should be able to
dig @x.x.x.x
anddig @aaaa::ffff
and receive responses without issue from any machine in the world that is connected with both IPv4 and IPv6.Actual behavior
From the host machine (running on Ubuntu 18.04 on DigitalOcean), I can
dig @x.x.x.x
anddig @aaaa::ffff
without issue. From the other machine (bbbb::ffff
) in the same datacenter, I can stilldig @x.x.x.x
, butdig @aaaa::ffff
times out. The behavior is the same from a machine in a different datacenter.The first thing I checked was
lsof
:That all looks correct. So next I checked a
tcpdump
, first of aping
:And now of a
dig
:So there doesn't appear to be a reply and, importantly, the host machine DOES receive the packets (no external firewall issues) but the
docker-proxy
process never forwards the packets on to the container. Note that adig
to the IPv4 address shows up as expected in the dump:I also tried doing the ports differently:
This resulted in a different (and expected)
lsof
output but the same behavior andtcpdump
results.Steps to reproduce the behavior
I believe everything I've provided above already establishes replication processes, but I'm happy to provide more information if needed.
Output of
docker version
:Output of
docker info
:Additional environment details (AWS, VirtualBox, physical, etc.)
DigitalOcean droplet, Ubuntu 18.04 base system, 2 CPUs, 2GB RAM (I know this is tiny, but I'm only running two tiny containers right now. I will resize this larger as I need more containers)
I have worked around this bug by taking a different approach: Enabling IPv6 with a subnet in
/etc/docker/daemon.json
, assigning a subnet to thednsnet
network, assigning a static public IPv6 address to the container, enablingproxy_ndp
oneth0
, and adding IPv6 neighbor proxying (ip -6 neigh add proxy
) toeth0
for the static IPv6 address, but this is arduous, fragile, and not an ideal solution. Just a workaround.