robbertkl / docker-ipv6nat

Extend Docker with IPv6 NAT, similar to IPv4
MIT License

Swarm mode support #12

Closed jthomaschewski closed 5 years ago

jthomaschewski commented 7 years ago

This is working great so far for single-node docker services. Thanks!

Is there any chance to get this to work with Docker Swarm mode's ingress network?

robbertkl commented 7 years ago

I was already wondering when this question would be coming. 😄

I assume you're talking about Docker swarm mode, and not Docker Swarm?

This project was made before Docker swarm mode, so it doesn't take it into account. I have to dive into how swarm mode's ingress network works, to see if it could work. I'm a bit busy at the moment, but I'll try to take a look soon.

jthomaschewski commented 7 years ago

Yes you are right. I'm talking about the new swarm mode (Docker 1.12+). As far as I know Swarm mode ingress networks are using the built-in kernel IPVS load balancer. Also the user land proxy is never used for swarm ingress networks.

In the best case the IPVS network is transparent for the IPv6 NAT, but I worry that this might not be as easy as I hope.

robbertkl commented 7 years ago

In case you're testing before I have time to take a look, let me know the results. Of course, PRs are also very welcome!

kb1ibt commented 7 years ago

Just checking to see if any progress has been made on this issue?

robbertkl commented 6 years ago

No progress on my end. I'm not using Docker swarm mode myself, so I'd have to build a test setup to see how (and if) this would be possible. Since it has a centralised ingress, it could get quite complicated, compared to the way docker-ipv6nat works now (event triggered on a single host).

It might be better to wait until IPv6 NAT is integrated into Docker, because then I'm sure it will have swarm mode support as well. This might be soon, since there's already a PR for this!

Chrislevi commented 5 years ago

Is there at least any workaround that could work with overlay network? I used network host to achieve egress on IPv6 but can't work along with additional overlay network.

Is there any way to mimic this NAT procedure with ip6tables to route all traffic from containers on overlay network to subnet router?

@robbertkl

robbertkl commented 5 years ago

As I said, I don't have any experience with this. You could try mimicking the iptables (IPv4) rules for ip6tables to see if you can recreate the desired behavior for IPv6.

Chrislevi commented 5 years ago

@robbertkl I've managed to make ipv6nat and swarm work. When you run docker swarm init, a default bridge for the swarm is created named docker_gwbridge, which is equivalent to docker0 for standalone docker engines. The thing is that it's configured by default to prevent ip_forwarding.

The workaround that I did was to create the bridge before I initialize the swarm, running this command as an example:

docker network create \
 --ipv6 \
 --subnet 172.20.0.0/20 \
 --gateway 172.20.0.1 \
 --gateway fd00:3984:3989::1 \
 --subnet fd00:3984:3989::/64 \
 --opt com.docker.network.bridge.name=docker_gwbridge \
 --opt com.docker.network.bridge.enable_icc=true \
 --opt com.docker.network.bridge.enable_ip_forwarding=true \
 --opt com.docker.network.bridge.enable_ip_masquerade=true \
 docker_gwbridge

Without these options I couldn't send outgoing traffic through. Maybe worth mentioning in the project README for the folks who are still clinging to swarm.

NOTE: The ingress network on the other hand is kinda not working because of it, but I'm using an ingress controller (Traefik) anyway, so all traffic is running through it.
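A check for the workaround described in the comment above, as an added example that is not part of the original thread or the project's code: it parses the JSON printed by `docker network inspect docker_gwbridge` and lists every setting that differs from the command shown. Both embedded samples are constructed, and the shape of the auto-created bridge is an assumption.

```python
import ipaddress
import json

# Bridge options taken from the workaround command in the comment above.
REQUIRED_OPTIONS = {
    "com.docker.network.bridge.name": "docker_gwbridge",
    "com.docker.network.bridge.enable_icc": "true",
    "com.docker.network.bridge.enable_ip_forwarding": "true",
    "com.docker.network.bridge.enable_ip_masquerade": "true",
}

def check_gwbridge(inspect_json):
    """Return a list of deviations from the workaround's bridge settings."""
    networks = json.loads(inspect_json)
    if not networks:
        return ["docker_gwbridge not found"]
    net, problems = networks[0], []
    if not net.get("EnableIPv6"):
        problems.append("EnableIPv6 is false (created without --ipv6)")
    families = set()
    for cfg in (net.get("IPAM") or {}).get("Config") or []:
        subnet = ipaddress.ip_network(cfg["Subnet"], strict=False)
        families.add(subnet.version)
        if not cfg.get("Gateway"):
            problems.append(f"subnet {subnet} has no gateway")
    problems += [f"no IPv{v} subnet" for v in (4, 6) if v not in families]
    options = net.get("Options") or {}
    for key, want in REQUIRED_OPTIONS.items():
        if options.get(key) != want:
            problems.append(f"{key}={options.get(key)!r}, expected {want!r}")
    return problems

# Constructed sample: bridge as auto-created by `docker swarm init` (assumed shape).
DEFAULT_BRIDGE = json.dumps([{
    "Name": "docker_gwbridge", "EnableIPv6": False,
    "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]},
    "Options": {"com.docker.network.bridge.name": "docker_gwbridge",
                "com.docker.network.bridge.enable_icc": "false",
                "com.docker.network.bridge.enable_ip_masquerade": "true"},
}])
# Constructed sample: bridge pre-created with the command from the comment.
WORKAROUND_BRIDGE = json.dumps([{
    "Name": "docker_gwbridge", "EnableIPv6": True,
    "IPAM": {"Config": [{"Subnet": "172.20.0.0/20", "Gateway": "172.20.0.1"},
                        {"Subnet": "fd00:3984:3989::/64",
                         "Gateway": "fd00:3984:3989::1"}]},
    "Options": dict(REQUIRED_OPTIONS),
}])
```

Running it on each node before `docker swarm init` shows whether the pre-created bridge is in place; an empty list means the inspected bridge matches the workaround.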

robbertkl commented 5 years ago

Hi @Chrislevi thanks for the info! If you could add a section to the README explaining this, I'd be happy to merge it 👍

robbertkl commented 5 years ago

PR of @Chrislevi added some useful information to the README (#35). I think this is as far as support for swarm mode will go, so I'm going to close this issue. I hope the suggested workaround is an acceptable solution for most of you.