Load module ip6_tables to make docker --ipv6 networks work #1206

Open
robmry opened this issue Nov 29, 2024 · 5 comments

@robmry

robmry commented Nov 29, 2024

Hi all - moby maintainer here ...

This is related to:

In moby 27.0 we enabled ip6tables by default. So, to create a Docker network with --ipv6 the ip6_tables kernel module is needed. But, in Codespaces it's not loaded on startup.

In the issue/PR linked above, devcontainers option disableIp6tables was added to work around the problem by adding --ip6tables=false to docker's command line. That'll restore the pre-27.0 behaviour, so docker won't try to create ip6tables rules. But, docker bridge networks won't work properly without those rules (and users have to know to set the option, or they get a complicated-looking error from docker when trying to create a network with --ipv6).

The official Docker-in-Docker image tries to load modules on the host using this unlikely-looking trick ... ip link show ip6_tables (as root). It produces an error about the link not existing but, in a Codespace, it does trigger the module load - then ip6tables works normally. So, if the module is loaded before dockerd starts, --ipv6 networks should just-work.

Would it be possible to add that ip link show trick, probably to the docker-init.sh script? Then, in a lot of cases, there shouldn't be any need to disable docker's use of ip6tables.
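
One way an init script could apply the `ip link show ip6_tables` trick described above before dockerd starts, falling back to `--ip6tables=false` only when the module still is not loaded. This is an added example, not part of the original comment and not code from devcontainers or moby; `MODULES_FILE`, `IP_CMD` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from devcontainers or moby.
# MODULES_FILE and IP_CMD are hypothetical overrides so the logic can be
# exercised against a constructed module list instead of the live kernel.
MODULES_FILE="${MODULES_FILE:-/proc/modules}"
IP_CMD="${IP_CMD:-ip}"

# Succeeds when ip6_tables is listed as a loaded module. Each line of
# /proc/modules starts with the module name, so anchor the match there;
# a line such as "x_tables ... ip6_tables,ip_tables" must not count.
# Assumption: ip6_tables is a loadable module (a built-in one is not listed).
ip6_tables_loaded() {
    [ -r "$MODULES_FILE" ] && grep -q '^ip6_tables ' "$MODULES_FILE"
}

# The trick from the issue (run as root): asking for a link named after the
# module makes the kernel try to autoload it. The command itself reports that
# the link does not exist, so its output and exit status are discarded.
try_load_ip6_tables() {
    "$IP_CMD" link show ip6_tables >/dev/null 2>&1 || true
}

# Prints the extra dockerd argument to use: nothing when ip6_tables is
# available, --ip6tables=false (with a warning) when it cannot be loaded.
dockerd_ip6tables_args() {
    ip6_tables_loaded || try_load_ip6_tables
    if ip6_tables_loaded; then
        return 0
    fi
    echo "ip6_tables not available: dockerd will not create ip6tables rules" >&2
    printf '%s\n' '--ip6tables=false'
}
```

In an init script, the output of `dockerd_ip6tables_args` would be appended to the dockerd command line, so the fallback is taken only when the module load fails.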

@robmry
Author

robmry commented Dec 2, 2024

I think we might be able to do this in moby itself. Assuming we can, it'll need to be in a major release, which won't be ready until the new year.

@bamurtaugh
Member

Thanks for all the details @robmry!

> I think we might be able to do this in moby itself. Assuming we can, it'll need to be in a major release, which won't be ready until the new year.

This sounds great. If you're able to ping here if/when the fix is in moby, that'd be fantastic!

@robmry
Author

robmry commented Dec 18, 2024

Thanks @bamurtaugh, good timing! It didn't need to wait for a major release, so the change is included in moby 27.4.1, created just a few minutes ago - https://github.com/moby/moby/releases/tag/v27.4.1

@bamurtaugh
Member

Fantastic, thanks so much! Can we close this issue as completed then?

@robmry
Author

robmry commented Dec 18, 2024

> Fantastic, thanks so much! Can we close this issue as completed then?

Yes, sure. Although I guess it might be worth considering ...

  • confirming the fix
  • making ip6tables work for older versions of Docker by adding the ip link show ip6_tables trick to docker-init.sh
  • removing/deprecating the toggle ip6tables settings value as option workaround
  • updating docs, if it's mentioned anywhere.
