matrix-docker-ansible-deploy
IPv6 support
matrix_docker_ipv6_enabled is true by default. I think IPv6 should be everywhere by now.
Nginx now always listens on ipv6.
When the setting is true, the matrix_docker_network gets created with ipv6 enabled. Because we are basically doing NATv6 between the host and the containers there is a service that sets up the ip6tables rule.
I also moved the matrix-certbot into the matrix_docker_network because in my ipv6-only tests it couldn't validate in the default bridge network.
You are running NAT6 in one direction, but I can't see ~~FORWARD~~ DNAT rules for the exposed sockets in the other. How does this even work? Or does it rely on the userland proxy?
> You are running NAT6 in one direction, but I can't see FORWARD rules for the exposed sockets in the other. How does this even work? Or does it rely on the userland proxy?
Yes, it uses the userland proxy for incoming traffic, and it uses NAT6 for outgoing traffic.
As of a few minutes ago I am running this setup on glitch.im, so you see it working when you see @peetz0r:glitch.im talking anywhere.
Last time I tried this, the nginx/coturn logs from IPv6 users and federated servers contained nothing but the userland proxy address, which is the same as the gateway. Is it still like that?
> Last time I tried this, the nginx/coturn logs from IPv6 users and federated servers contained nothing but the userland proxy address, which is the same as the gateway. Is it still like that?
Correct, they all get reported as fd00::1.
Also I did some more testing, and it's still not fully working. When I go inside a container I can reach only v4 servers on the internet somehow. This worked earlier and I have no clue what I am doing...
> > Last time I tried this, the nginx/coturn logs from IPv6 users and federated servers contained nothing but the userland proxy address, which is the same as the gateway. Is it still like that?
> Correct, they all get reported as fd00::1.
That's kind of a bummer
@aaronraimist your ip6tables rules should now work.
> Also I did some more testing, and it's still not fully working. When I go inside a container I can reach only v4 servers on the internet somehow. This worked earlier and I have no clue what I am doing...
This should also be fixed now
> > > Last time I tried this, the nginx/coturn logs from IPv6 users and federated servers contained nothing but the userland proxy address, which is the same as the gateway. Is it still like that?
> > Correct, they all get reported as fd00::1.
> That's kind of a bummer
I might spend some time next week on trying out https://github.com/robbertkl/docker-ipv6nat to fix this.
No guarantees, obviously.
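Added example, not part of the thread or of the project's code: a check an operator could run over an nginx access log to see whether IPv6 clients are still distinguishable or have all collapsed onto the gateway address, which is what per-address rate limits and bans depend on. The log lines are constructed, and the default `fd00::1` gateway is the value quoted in the thread.

```python
import ipaddress
from collections import Counter

# fd00::1 is the gateway address quoted in the thread; pass a different
# value if the container network uses another one.
GATEWAY = ipaddress.ip_address("fd00::1")

# Constructed nginx "combined"-format lines (not from a real server).
BEHIND_PROXY = """\
203.0.113.7 - - [01/Jan/2020:10:00:00 +0000] "GET /_matrix/client/versions HTTP/1.1" 200 120 "-" "curl"
fd00::1 - - [01/Jan/2020:10:00:01 +0000] "GET /_matrix/federation/v1/version HTTP/1.1" 200 52 "-" "Synapse"
fd00::1 - - [01/Jan/2020:10:00:02 +0000] "POST /_matrix/client/r0/login HTTP/1.1" 403 80 "-" "Element"
fd00::1 - - [01/Jan/2020:10:00:03 +0000] "POST /_matrix/client/r0/login HTTP/1.1" 403 80 "-" "python-requests"
"""
PRESERVED = """\
2001:db8::10 - - [01/Jan/2020:10:00:01 +0000] "GET /_matrix/federation/v1/version HTTP/1.1" 200 52 "-" "Synapse"
2001:db8::20 - - [01/Jan/2020:10:00:02 +0000] "POST /_matrix/client/r0/login HTTP/1.1" 403 80 "-" "Element"
"""


def remote_addrs(log_text):
    """Yield $remote_addr (the first field) of each line that parses as an IP."""
    for line in log_text.splitlines():
        try:
            yield ipaddress.ip_address(line.split(" ", 1)[0])
        except ValueError:
            continue  # blank or malformed line


def source_visibility(log_text, gateway=GATEWAY):
    """Summarise whether IPv6 requests still carry a distinguishable source."""
    counts = Counter(a for a in remote_addrs(log_text) if a.version == 6)
    total = sum(counts.values())
    hidden = counts[gateway]
    return {
        "ipv6_requests": total,
        "from_gateway": hidden,
        "distinct_ipv6_sources": len(counts),
        # True when every IPv6 request is logged with the gateway address,
        # so per-address limits and bans cannot tell clients apart.
        "sources_masked": total > 0 and hidden == total,
    }


if __name__ == "__main__":
    for name, text in (("userland proxy", BEHIND_PROXY), ("preserved", PRESERVED)):
        print(name, source_visibility(text))
```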
Is there anything else that needs to happen here to merge this? It's been working for me. Seems like using https://github.com/robbertkl/docker-ipv6nat could happen in the future.
matrix_host_command_iptables seems to be unused, so we can remove it.
I was wondering if we need to install iptables explicitly to ensure it's there, but it seems like it's pulled as a dependency for various things on various distros. On Archlinux, even systemd requires iptables to be there. On CentOS 7, iptables is also required by docker-ce one way or another. On Debian (well, Raspbian), iptables is some dependency for containerd.io. I guess we can safely assume that it's available.
Could we move this forward?
I guess I'm not gonna do the proper fix for the "everything is fd00::1" issue. But some support might still be better than none. Especially if it's disabled by default.
Having IPv6 disabled by default doesn't sit well with me, but having this PR sitting dormant for months is definitely worse.
Lemme mark as non-a-draft-anymore and get it into a state without conflicts.
Any news about this topic? I'm not good enough with docker and ansible to configure IPv6 support on my own.
I added this part into my vars.yaml to most likely only have to set enable ipv6 for the network creation part. But I'm not sure which Docker networks need it and if it will work.
```yaml
docker_daemon_options:
  experimental: true
  ip6tables: true
  ipv6: true
  fixed-cidr-v6: "fc01:1:1:1::/64"
  default-address-pools: [
    { "base": "172.17.0.0/16", "size": 16 },
    { "base": "172.18.0.0/16", "size": 16 },
    { "base": "172.19.0.0/16", "size": 16 },
    { "base": "172.20.0.0/14", "size": 16 },
    { "base": "172.24.0.0/14", "size": 16 },
    { "base": "172.28.0.0/14", "size": 16 },
    { "base": "192.168.0.0/16", "size": 20 },
    { "base": "fc01:1:1:2:1::/104", "size": 112 },
    { "base": "fc01:1:1:2:2::/104", "size": 112 },
    { "base": "fc01:1:1:2:3::/104", "size": 112 },
    { "base": "fc01:1:1:2:4::/104", "size": 112 },
    { "base": "fc01:1:1:2:5::/104", "size": 112 }
  ]
```
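Added example, not part of the comment above or of the project's code: a consistency check for the address pools in that configuration before handing them to the Docker daemon. The properties it checks (no host bits in a base, a `size` that fits inside its base, IPv6 pools in a private range, no overlap between pools or with `fixed-cidr-v6`) are this example's assumptions about what is worth verifying; the values are copied from the comment.

```python
import ipaddress

# Values copied from the docker_daemon_options in the comment above.
FIXED_CIDR_V6 = "fc01:1:1:1::/64"
POOLS = [
    ("172.17.0.0/16", 16), ("172.18.0.0/16", 16), ("172.19.0.0/16", 16),
    ("172.20.0.0/14", 16), ("172.24.0.0/14", 16), ("172.28.0.0/14", 16),
    ("192.168.0.0/16", 20),
    ("fc01:1:1:2:1::/104", 112), ("fc01:1:1:2:2::/104", 112),
    ("fc01:1:1:2:3::/104", 112), ("fc01:1:1:2:4::/104", 112),
    ("fc01:1:1:2:5::/104", 112),
]


def check_pools(pools, fixed_cidr_v6):
    """Return (problems, capacity); capacity maps IP version to the number
    of networks the pools can hand out."""
    problems, nets, capacity = [], [], {4: 0, 6: 0}
    fixed = ipaddress.ip_network(fixed_cidr_v6)
    for base, size in pools:
        try:
            net = ipaddress.ip_network(base)  # strict mode rejects host bits
        except ValueError as exc:
            problems.append(f"{base}: {exc}")
            continue
        if not net.prefixlen <= size <= net.max_prefixlen:
            problems.append(f"{base}: size {size} does not fit inside the base")
            continue
        if net.version == 6 and not net.is_private:
            problems.append(f"{base}: IPv6 pool is not in a private range")
        # Compare against pools accepted so far and the default bridge range.
        for other in nets + [fixed]:
            if net.version == other.version and net.overlaps(other):
                problems.append(f"{base} overlaps {other}")
        nets.append(net)
        capacity[net.version] += 2 ** (size - net.prefixlen)
    return problems, capacity


if __name__ == "__main__":
    found, room = check_pools(POOLS, FIXED_CIDR_V6)
    print("problems:", found or "none")
    print("networks available:", room)
```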
I used ipv6nat to make the server work on my IPv6 VPS. According to my practice, the federation function works well. For more details, please refer to my repo ipv6 support.