Basic Configuration of Docker Engine with IPv6

This is the start of a blog series dedicated to enabling IPv6 for the various components in the Docker toolbox.

I am starting the series off by talking about the basic configuration for enabling IPv6 with Docker Engine.  There are some good examples that the Docker folks have put together that you will want to read through: https://docs.docker.com/engine/userguide/networking/default_network/ipv6/

Disclaimer: I am not teaching you Docker.  There are a zillion places to go learn Docker.  I am making the dangerous assumption that you already know what Docker is, how to install it and how to use it.

I am also not teaching you IPv6.  There are also a zillion places to go learn IPv6.  I am making the even more dangerous assumption that you know what IPv6 is, what the addressing details are and how to use it.

Diagram

The graphic below shows a high-level view of my setup.  I have two Docker hosts (docker-v6-1 and docker-v6-2) that are running Ubuntu 14.04.  As of this first post, I am using Docker 1.8.2. Both hosts are attached to a Layer-2 switch via their eth0 interfaces.  I am using static IPv4 addresses (not relevant here) for the host and StateLess Address AutoConfiguration (SLAAC) for IPv6 address assignment out of the Unique Local Address (ULA) FD15:4BA5:5A2B:1009::/64 range.

Blog- Docker Engine - Basic IPv6

Preparing the Docker Host for IPv6:

As I mentioned before, I am using SLAAC-based assignment for IPv6 addressing on each host.  You can use static, SLAAC, Stateful DHCPv6 or Stateless DHCPv6 if you want.  I am not covering any of that as they don’t pertain directly to Docker.

Each Docker host as an IPv6 address and can reach the outside world:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:f3:f8:48 brd ff:ff:ff:ff:ff:ff
    inet 192.168.80.200/24 brd 192.168.80.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd15:4ba5:5a2b:1009:cc7:2609:38b7:e6c6/64 scope global temporary dynamic
       valid_lft 86388sec preferred_lft 14388sec
    inet6 fd15:4ba5:5a2b:1009:20c:29ff:fef3:f848/64 scope global dynamic
       valid_lft 86388sec preferred_lft 14388sec
    inet6 fe80::20c:29ff:fef3:f848/64 scope link
       valid_lft forever preferred_lft forever
root@docker-v6-1:~# ping6 -n www.google.com
PING www.google.com(2607:f8b0:400f:802::2004) 56 data bytes
64 bytes from 2607:f8b0:400f:802::2004: icmp_seq=1 ttl=255 time=13.7 ms
64 bytes from 2607:f8b0:400f:802::2004: icmp_seq=2 ttl=255 time=14.5 ms

Since I am using router advertisements (RAs) for my IPv6 address assignment, it is important to force the acceptance of RAs even when forwarding is enabled:

sysctl net.ipv6.conf.eth0.accept_ra=2

Now, if you haven’t already, install Docker using whatever method you are comfortable with.  Again, this is not a primer on Docker. 🙂

Docker! Docker! Docker!

Now that the IPv6 basics are there on the host and you have Docker installed, it is time to set the IPv6 subnet for Docker.  You can do this via the ‘docker daemon’ command or you can set it in the /etc/default/docker file.  Below is the example using the ‘docker daemon’ command. Here, I am setting the fixed IPv6 prefix as FD15:4BA5:5A2B:100A::/64.

root@docker-v6-1:~# docker daemon --ipv6 --fixed-cidr-v6="fd15:4ba5:5a2b:100a::/64

Here is the same IPv6 prefix being set, but this is using the /etc/default/docker file:

DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --ipv6 --fixed-cidr-v6=fd15:4ba5:5a2b:100a::/64"

Let’s fire up a container and see what happens. The example below shows that the container got an IPv6 address out of the prefix we set above:

root@docker-v6-1:~# docker run -it ubuntu bash
root@aea405985524:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:01 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd15:4ba5:5a2b:100a:0:242:ac11:1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:1/64 scope link
       valid_lft forever preferred_lft forever

Ping the outside world:

root@aea405985524:/# ping6 www.google.com
PING www.google.com(den03s10-in-x04.1e100.net) 56 data bytes
64 bytes from den03s10-in-x04.1e100.net: icmp_seq=1 ttl=254 time=14.6 ms
64 bytes from den03s10-in-x04.1e100.net: icmp_seq=2 ttl=254 time=12.5 ms

Fire up another container and ping the first container over IPv6:

root@docker-v6-1:~# docker run -it ubuntu bash
root@e8a8662fad76:/# ping6 fd15:4ba5:5a2b:100a:0:242:ac11:1
PING fd15:4ba5:5a2b:100a:0:242:ac11:1(fd15:4ba5:5a2b:100a:0:242:ac11:1) 56 data bytes
64 bytes from fd15:4ba5:5a2b:100a:0:242:ac11:1: icmp_seq=1 ttl=64 time=0.094 ms
64 bytes from fd15:4ba5:5a2b:100a:0:242:ac11:1: icmp_seq=2 ttl=64 time=0.057 ms
Add the 2nd Docker host

Sweet! We have one host (docker-v6-1) running with two containers that can reach each other over IPv6 and reach the outside world.  Now let’s add the second Docker host (docker-v6-2).

Repeat all of the steps from above but change the IPv6 prefix that Docker is going to use. Here is an example using FD15:4BA5:5A2B:100B::/64:

DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --ipv6 --fixed-cidr-v6=fd15:4ba5:5a2b:100b::/64

In order to have containers on one host reach containers on another host over IPv6, we have to figure out routing. You can enable host-based routing (the example I will show below) or you can just use the Layer-3 infrastructure you likely already have in your Data Center. I would recommend the latter option. Remember that Docker is not doing NAT for IPv6 so you have to have some mechanism to allow for pure L3 reachability between the various IPv6 address spaces you are using.
Here is an example of using host-based routing on each of the two Docker hosts. First, configure a static IPv6 route on the first Docker host (i.e. docker-v6-1). The route statement below says to route all traffic destined for the fd15:4ba5:5a2b:100b::/64 prefix (the one being used on docker-v6-2) to the IPv6 address of the docker-v6-2 eth0 interface.

root@docker-v6-1:~# ip -6 route add fd15:4ba5:5a2b:100b::/64 via fd15:4ba5:5a2b:1009:20c:29ff:febb:cbf8

Now, do the same on the 2nd Docker host (docker-v6-2). This route statement says to route all traffic destined for the fd15:4ba5:5a2b:100a::/64 prefix (used on docker-v6-1) to the IPv6 address of the docker-v6-1 eth0 interface:

root@docker-v6-2:~# ip -6 route add fd15:4ba5:5a2b:100a::/64 via fd15:4ba5:5a2b:1009:20c:29ff:fef3:f848

The final test is to ping from one container on docker-v6-1 to a container on docker-v6-2:

root@e8a8662fad76:/# ping6 fd15:4ba5:5a2b:100b:0:242:ac11:1
PING fd15:4ba5:5a2b:100b:0:242:ac11:1(fd15:4ba5:5a2b:100b:0:242:ac11:1) 56 data bytes
64 bytes from fd15:4ba5:5a2b:100b:0:242:ac11:1: icmp_seq=3 ttl=62 time=0.570 ms
64 bytes from fd15:4ba5:5a2b:100b:0:242:ac11:1: icmp_seq=4 ttl=62 time=0.454 ms

It works!

We will build on this scenario in upcoming posts as we walk through enabling IPv6 functionality in a variety of Docker network scenarios and other Docker services.

Shannon

VMware Fusion 8 Pro – IPv6 NAT

I just upgraded to VMware Fusion 8 Pro and noticed that there was a new feature in there for IPv6 NAT. You all know my views on NAT, especially IPv6 NAT but we won’t get into all of that here. 🙂

It looks as though you have to be on Fusion 8 Pro to get this feature. It is super simple to enable.

Below is a basic view of my topology.  My Mac (using the en0 adapter) has an IPv6 address from my local CPE (connected to Comcast).  I have a Linux VM attached to a custom network (vmnet2) that has the IPv4 subnet of 172.16.1.0/24 and the autogenerated (by Fusion) Unique Local IPv6 prefix of FD15:4BA5:5A2B:1002::/64
diagram-fusion-v6-nat

Here is what the Linux host looks like prior to enabling IPv6 NAT:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:2e:cf:c0 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.129/24 brd 172.16.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe2e:cfc0/64 scope link
       valid_lft forever preferred_lft forever

In VMware Fusion 8 Pro, you can enable IPv6 NAT for a network by going into VMware Fusion > Preferences > Network > then select the custom network that you want to enable IPv6 NAT on. The graphic shown below is what my vmnet2 network looks like:
screenshot_130

With IPv6 NAT enabled, the Linux host now has an IPv6 address:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:2e:cf:c0 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.129/24 brd 172.16.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd15:4ba5:5a2b:1002:24fd:5bf0:baba:4866/64 scope global temporary dynamic
       valid_lft 86398sec preferred_lft 14398sec
    inet6 fd15:4ba5:5a2b:1002:20c:29ff:fe2e:cfc0/64 scope global dynamic
       valid_lft 86398sec preferred_lft 14398sec
    inet6 fe80::20c:29ff:fe2e:cfc0/64 scope link
       valid_lft forever preferred_lft forever

You can see that the Linux host gets two addresses out of the ULA prefix that was autogenerated by Fusion (see the graphic). The first address is the IPv6 privacy extension address and the second is the EUI-64 derived IPv6 address.

I can now ping from the Linux host to the outside (via IPv6 NAT):

localadmin@v6-nat-demo:~$ ping6 -n www.google.com
PING www.google.com(2607:f8b0:400f:803::2004) 56 data bytes
64 bytes from 2607:f8b0:400f:803::2004: icmp_seq=1 ttl=255 time=12.7 ms
64 bytes from 2607:f8b0:400f:803::2004: icmp_seq=2 ttl=255 time=15.0 ms
64 bytes from 2607:f8b0:400f:803::2004: icmp_seq=3 ttl=255 time=14.8 ms

Ping, the ultimate test of success, works. 🙂

Thanks,
Shannon