
Localhost ipv6 mappings still get written into /etc/hosts file even when the container was started in a --ipv6=false network or dockerd has ipv6 disabled altogether

Open luckcolors opened this issue 6 years ago • 2 comments

  • [x] This is a bug report
  • [ ] This is a feature request
  • [ ] I searched existing issues before opening this one

Expected behavior

When a container is started in a network with ipv6 support disabled, /etc/hosts must not contain ipv6 mappings.

contents of /etc/hosts:

127.0.0.1       localhost
172.1.0.1      4aed2b44d95d

Actual behavior

The hosts file keeps having ipv6 mappings. Contents of /etc/hosts:

127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.1.0.1      4aed2b44d95d

Steps to reproduce the behavior

  1. Create a network with the --ipv6=false option.
  2. Start a container in that network.
  3. Look at the /etc/hosts file inside the container.

Output of docker version:

Client:
 Version:       17.12.0-ce
 API version:   1.35
 Go version:    go1.9.2
 Git commit:    c97c6d6
 Built: Wed Dec 27 20:11:19 2017
 OS/Arch:       linux/amd64

Server:
 Engine:
  Version:      17.12.0-ce
  API version:  1.35 (minimum version 1.12)
  Go version:   go1.9.2
  Git commit:   c97c6d6
  Built:        Wed Dec 27 20:09:54 2017
  OS/Arch:      linux/amd64
  Experimental: false

Output of docker info:

Server Version: 17.12.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 89623f28b87a6004d4b785663257362d1658a729
runc version: b2567b37d7b75eb4cf325b77297b140ea686ce8f
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.10.8-std-1
Operating System: Debian GNU/Linux 9 (stretch)
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 7.789GiB
Name: REDACTED
ID: REDACTED
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support

Additional environment details (AWS, VirtualBox, physical, etc.)

Scaleway instance based on the docker image.

NOTE: If this is actually working as intended, please consider this issue as a feature request for an option for disabling ipv6 localhost mappings.

luckcolors avatar Mar 08 '18 23:03 luckcolors

This is problematic because getaddrinfo("localhost", ..., AI_PASSIVE), which is supposed to be used to find addresses to be used with bind(), will return ::1 but bind(::1) will fail with EADDRNOTAVAIL. There's no clean way to distinguish this failure because ipv6 is disabled (which should probably pass silently) from something else like a typo in the requested address (which should raise an exception or otherwise be brought to the user's attention).

I'm not sure whether it's better to fix this by rewriting /etc/hosts to remove ipv6 addresses or for the resolver to do this filtering (or ipv6 should be enabled by default; it's 2019 after all), but either way getaddrinfo shouldn't be returning addresses that won't work.

Note that the AI_ADDRCONFIG flag looks like it might help here, but it's not quite the right thing. It's designed for connect() rather than bind() and will return ipv6 addresses only if there is a non-loopback ipv6 address configured. That means on systems with ipv6 loopback but no external ipv6 connectivity (common outside of docker), the loopback ipv6 address would be incorrectly excluded.

bdarnell avatar Jun 22 '19 15:06 bdarnell
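A check for the mismatch this thread describes, as an added example that is not part of the issue or of Docker's own code: it lists the IPv6 lines in hosts-file text and probes whether `::1` can actually be bound in the current network namespace. The function names are hypothetical, and the sample text is the /etc/hosts output quoted in the report.

```python
import ipaddress
import socket

# Constructed sample: the /etc/hosts contents quoted in the report above.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.1.0.1      4aed2b44d95d
"""

def ipv6_mappings(hosts_text):
    """Return [(normalized_address, [names])] for each IPv6 line in hosts text."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; skip the line
        if addr.version == 6:
            found.append((str(addr), fields[1:]))
    return found

def can_bind_ipv6_loopback():
    """Probe whether a TCP socket can be bound to ::1 in this network namespace."""
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            s.bind(("::1", 0))  # port 0: let the kernel pick a free port
        return True
    except OSError:
        return False  # e.g. EADDRNOTAVAIL or EAFNOSUPPORT when IPv6 is off

def unusable_names(hosts_text, ipv6_bindable):
    """Names the hosts file maps to ::1 although ::1 cannot be bound."""
    if ipv6_bindable:
        return []
    return sorted({n for a, names in ipv6_mappings(hosts_text)
                   if a == "::1" for n in names})

if __name__ == "__main__":
    with open("/etc/hosts") as f:
        print(unusable_names(f.read(), can_bind_ipv6_loopback()))
```

Run inside the container, a non-empty result means names such as `localhost` resolve to an address that `bind()` will reject.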

For reference: it seems to be a duplicate of https://github.com/moby/moby/issues/35954.

leenr avatar Dec 15 '22 15:12 leenr