
I want to build IPv6-ready services with Docker that can reach v6 hosts on the external network and can be reached from the external v6 network. I'm really confused with all that right now, so I want to hear about best practices in using IPv6 with Docker. Here is what I have in my mind now:

By default, the Docker configuration comes with IPv6 disabled and all containers created use IPv4 only. With v4 addresses we assume that:

  • All containers are NATted and have random IP addresses from private subnets. No traffic comes to the container from the outside.

  • If we need some service to be available on the external network, we do a port mapping via -p flag. To reach the service from the outside we need to connect to the external Docker server address.

Now, what about v6? Well, with v6 we assume that every IP address is publicly routable. That means containers are not NATted anymore and directly exposed to the outside network. Everything as it should be. But I have more and more questions with that...

  1. If we talk about a server with a fixed IPv6 address, we can allocate some v6 block to use in containers. In my case I have a /64, I've allocated it for Docker. It works, containers can reach IPv6 targets, containers can be reached from the external network directly. But what about the laptop where I actually develop these services and then deploy them to the server? This laptop moves from network to network, from one v6 subnet to another and most importantly to places where v6 is not reachable. Should I use a ULA block for that and somehow do a NAT-like configuration to make them reach external IPv6 targets? Of course in this case I care only about container-to-external communication, I don't need them to be reachable outside my laptop.
  2. Should the end user reach the container directly by its IPv6 address? If so, I must define a static IP address in docker-compose.yml and tune the ip6tables FORWARD chain to open the needed container ports to the external network. In this case should I maintain different docker-compose.yml files for server and laptop to use different static addresses? If I decide to share my services with someone who doesn't really care about v6 and who uses the default Docker setup, should I maintain a third compose configuration without v6? There is no such problem with v4 as we just map the needed ports and let Docker do its magic.
  3. If I use static v6 addresses then I assume that I should use predefined networks? Something like:

     ```yaml
     networks:
       app_net:
         external:
           name: appnet
     ```

  4. Maybe I should look into IP autoconfiguration and dynamic DNS, something like letting DNS update if the internal IP address changed? nsupdate for example.

  5. Or should I even scrap this whole idea of direct IPv6 communication and just continue port mapping?

What is your experience with that?

raxp
  • 2
    I think this is an aspect of Docker that hasn't been completely thought out yet. Thank you for asking this question, I hope people come up with some good ways forward! – Sander Steffann Sep 17 '19 at 09:01
  • Same [dimenhydrinate](https://en.wikipedia.org/wiki/Dimenhydrinate) pills should be unavoidably on the checklist... – peterh Sep 17 '19 at 10:40
  • 1
    Docker wasn't designed with IPv6 in mind. You can't even disable IPv4. You should ditch it and wait for a container solution that fully embraces IPv6 like it should be nowadays. – TJJ Jan 14 '20 at 14:53

0 Answers
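
The approach raised in point 2 of the question (static container addresses plus FORWARD rules that open only the needed ports), sketched as an added example that is not part of the original post. It only prints the `ip6tables` commands for review and assumes Docker is not managing ip6tables itself; the chain name `CONTAINERS6`, the uplink `eth0` and the addresses (from the 2001:db8::/32 documentation range) are constructed.

```shell
#!/bin/sh
# Added example: print ip6tables commands that default-deny inbound traffic
# to a routed container prefix and open only the listed ports.
# Nothing is applied; review the output before running it as root.
# CONTAINERS6 is a hypothetical chain name; all sample values are constructed.

gen_forward_rules() {
    uplink=$1   # interface facing the external network
    prefix=$2   # IPv6 prefix allocated to the containers
    echo "ip6tables -N CONTAINERS6"
    # Only traffic arriving from outside for the container prefix is filtered.
    echo "ip6tables -A FORWARD -i $uplink -d $prefix -j CONTAINERS6"
    # Replies to connections the containers opened themselves.
    echo "ip6tables -A CONTAINERS6 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Path MTU discovery breaks if packet-too-big is dropped.
    echo "ip6tables -A CONTAINERS6 -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT"
    # One ACCEPT per published "address proto port" line read from stdin.
    while read -r addr proto port; do
        case $addr in ''|'#'*) continue ;; esac
        case $addr in
            *[!0-9a-fA-F:]*|*:::*) echo "skip: bad address '$addr'" >&2; continue ;;
            *:*) ;;
            *) echo "skip: bad address '$addr'" >&2; continue ;;
        esac
        case $proto in tcp|udp) ;; *) echo "skip: bad proto '$proto'" >&2; continue ;; esac
        case $port in ''|*[!0-9]*) echo "skip: bad port '$port'" >&2; continue ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
            { echo "skip: bad port '$port'" >&2; continue; }
        echo "ip6tables -A CONTAINERS6 -d $addr -p $proto --dport $port -j ACCEPT"
    done
    # Everything else addressed to the container prefix is dropped.
    echo "ip6tables -A CONTAINERS6 -j DROP"
}

# Constructed sample: a web container and a DNS container.
sample_published() {
    cat <<'EOF'
2001:db8:1::10 tcp 443
2001:db8:1::53 udp 53
EOF
}

sample_published | gen_forward_rules eth0 2001:db8:1::/64
```

The static addresses in the list have to match the `ipv6_address` values assigned to the containers, which is why the question's concern about per-host compose files applies to this rule set as well.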