for-linux icon indicating copy to clipboard operation
for-linux copied to clipboard
verified publisher icon docker

Unable to ping ipv6 address from docker

Open mustang14 opened this issue 6 years ago • 7 comments

Im trying to ping ipv6 address from a docker container using sudo docker run -it centos:7 bash and ping6 google.com.. it gives me no result but when I spun up an existing container user docker exec -it containerID bash I was able to ping an ipv6 address.. Can someone help me why Im not able to ping when doing sudo docker run -it centos:7 bash

mustang14 avatar Apr 15 '19 17:04 mustang14

Please enable IPv6 using the instructions mentioned in https://docs.docker.com/v17.09/engine/userguide/networking/default_network/ipv6/#how-ipv6-works-on-docker

arkodg avatar Apr 15 '19 18:04 arkodg

Following those instructions allow us to have containers with IPv6 addresses, and to ping those containers from the outside, but you will still not be able to ping a public (e.g. 2607:f8b0:4007:80d::200e) IPv6 from within the container.

M-Pixel avatar Feb 05 '21 22:02 M-Pixel

I found a workaround, but I think it should be done by docker automatically and I would consider that as a bug.

This is citation from that article:

To enable IPv6 internet access from containers, enable NAT for the private Docker subnet on the host:

ip6tables -t nat -A POSTROUTING -s 2001:db8:1::/64 ! -o docker0 -j MASQUERADE

Note that this configuration does not survive a reboot of the host, so you might want to persist it once you confirmed it is working as expected.

Just as addition, that could be useful for someone: I decided for myself that I would use fd00::/64 private subnet for docker networks where fd00::/80 would be for the default one and fd00::1-ffff:0:0:0/80 would be for the user-defined networks. Then I can make just one masquerade rule for the whole /64 subnet.

Ovsyanka avatar Feb 14 '21 15:02 Ovsyanka

The workaround found by @Ovsyanka worked for me too, but I also think it should be done by Docker.

mhalano avatar Mar 24 '21 16:03 mhalano

Maybe of interest: https://github.com/b-data/docker-swarm-ipv6-nftables

benz0li avatar Nov 26 '21 16:11 benz0li

I came across this issue and found out that ipv6tables only works if experimental flag is set in /etc/docker/damon.json. So this config works for me:

{
  "ipv6": true,
  "fixed-cidr-v6": "2001:000:1::/64",
  "experimental": true,
  "ip6tables": true
}

Desnoo avatar Jul 12 '24 12:07 Desnoo

I came across this issue and found out that ipv6tables only works if experimental flag is set in /etc/docker/damon.json. So this config works for me:

{
  "ipv6": true,
  "fixed-cidr-v6": "2001:000:1::/64",
  "experimental": true,
  "ip6tables": true
}

@Desnoo ip6tables is no longer experimental.

IPv6

[...] You may remove the experimental configuration option and continue to use IPv6, if it is not required by any other features.

– https://github.com/moby/moby/releases/tag/v27.0.1

But the update from v26 to v27 breaks IPv6 overlay networks with custom/static IPv6 subnets:

  • https://github.com/moby/moby/issues/48116

ℹ️ Everything works fine with bridge networks, though.

benz0li avatar Jul 12 '24 13:07 benz0li