Docker 1.5 在仅 IPv6 主机上
Docker 1.5 on IPv6 only host
我在仅 IPv6 主机上路由来自 Docker(版本 1.5.0)容器的流量时遇到问题。 nc -w 10 2a00:1450:4010:c07::71 80 输出 nc: connect to 2a00:1450:4010:c07::71 port 80 (tcp) timed out: Operation now in progress。
以下 this documentation ifconfig eth0; ifconfig docker0; ip -6 route show 显示:
eth0 Link encap:Ethernet HWaddr fa:16:3e:74:4a:b9
inet6 addr: fe80::f816:3eff:fe74:4ab9/64 Scope:Link
inet6 addr: 2a02:6b8:0:1a71::2329/64 Scope:Global
inet6 addr: 2a02:6b8:0:1a71:f816:3eff:fe74:4ab9/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:78994 errors:0 dropped:0 overruns:0 frame:0
TX packets:20269 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:55503363 (55.5 MB) TX bytes:1945660 (1.9 MB)
docker0 Link encap:Ethernet HWaddr 56:84:7a:fe:97:99
inet addr:172.17.42.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::5484:7aff:fefe:9799/64 Scope:Link
inet6 addr: fe80::1/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:90 errors:0 dropped:0 overruns:0 frame:0
TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6528 (6.5 KB) TX bytes:2840 (2.8 KB)
2001:db8:0:2::/64 dev docker0 metric 1024
2a02:6b8:0:1a71::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev docker0 proto kernel metric 256
default via 2a02:6b8:0:1a71::1 dev eth0 metric 2048 mtu 1450 advmss 1390
default via fe80::1 dev eth0 metric 2049 mtu 1450 advmss 1390
并且 ifconfig eth0; ip -6 route show 在容器内:
eth0 Link encap:Ethernet HWaddr 02:42:ac:11:00:09
inet addr:172.17.0.9 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:acff:fe11:9/64 Scope:Link
inet6 addr: 2001:db8:0:2:0:242:ac11:9/64 Scope:Global
UP BROADCAST MTU:1500 Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:110 (110.0 B) TX bytes:90 (90.0 B)
2001:db8:0:2::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1 dev eth0 metric 1024
IPv6 和 IPv4 路由已启用(cat /proc/sys/net/ipv6/conf/default/forwarding 给出 1,cat /proc/sys/net/ipv6/conf/all/forwarding 给出 1)。
似乎我需要添加从 docker0 桥接 IPv6 流量到 eth0 的路由,但不知道具体要做什么。
请暂停!
这是 NAT 的解决方案:
ip6tables -t nat -A POSTROUTING -s 2001:db8:0:2::/64 ! -o docker0 -j MASQUERADE
这将启用从 docker 子网到广阔世界的路由。
不建议在 IPv6 环境中进行任何类型的 NAT,这违背了 IPv6 的目的。
您可以使用管道通过 IPv6 完成对容器的访问。
管道允许更灵活的网络配置:
sudo docker run -t -i --name myimage <image id from `sudo docker images`> /bin/bash
sudo pipework br4 -i eth1 <container id from `sudo docker ps`> 2001:db8:44::1/24@2001:db8:44::ff
sudo ip a a 2001:db8:44::FF/64 dev br4
为了能够从 Internet 访问您的容器,您需要从 public IPv6 的子网中分配一个 IPv6 地址。
通过为容器中的新接口 (eth1) 分配 IPv6 地址,IPv4 默认路由被删除,新的 IPv6 默认路由将通过 eth1 指向新的 IPv6 默认网关。
应用管道之前的容器接口:
root@a0b5f4937c42:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
494: eth0: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:49 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.73/16 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe11:49/64 scope link
valid_lft forever preferred_lft forever
root@a0b5f4937c42:/#
容器接口应用管道后:(eth1)
root@9c8372c70ddc:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
498: eth0: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:4a brd ff:ff:ff:ff:ff:ff
inet 172.17.0.74/16 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe11:4a/64 scope link
valid_lft forever preferred_lft forever
500: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 1e:0a:3f:b3:15:43 brd ff:ff:ff:ff:ff:ff
inet6 2001:db8:44:0:1c0a:3fff:feb3:1543/64 scope global dynamic
valid_lft 2591994sec preferred_lft 604794sec
inet6 2001:db8:44::1/24 scope global
valid_lft forever preferred_lft forever
inet6 fe80::1c0a:3fff:feb3:1543/64 scope link
valid_lft forever preferred_lft forever
root@9c8372c70ddc:/# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.17.0.0 * 255.255.0.0 U 0 0 0 eth0
root@9c8372c70ddc:/# route -6
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
2001:db8:44::/64 :: UAe 256 0 0 eth1
2001:d00::/24 :: U 256 0 0 eth1
fe80::/64 :: U 256 0 0 eth0
fe80::/64 :: U 256 0 0 eth1
::/0 2001:db8:44::ff UG 1024 0 0 eth1
::/0 fe80::a8bb:ccff:fe00:100 UGDAe 1024 0 0 eth1
::/0 :: !n -1 1 3 lo
::1/128 :: Un 0 1 0 lo
2001:db8:44::1/128 :: Un 0 1 0 lo
2001:db8:44:0:1c0a:3fff:feb3:1543/128 :: Un 0 1 0 lo
fe80::42:acff:fe11:4a/128 :: Un 0 1 0 lo
fe80::1c0a:3fff:feb3:1543/128 :: Un 0 1 0 lo
ff00::/8 :: U 256 2 0 eth0
ff00::/8 :: U 256 6 0 eth1
::/0 :: !n -1 1 3 lo
root@9c8372c70ddc:/#
从容器到 docker 主机::
root@9c8372c70ddc:/# ping6 2001:db8:44::ff
PING 2001:db8:44::ff(2001:db8:44::ff) 56 data bytes
64 bytes from 2001:db8:44::ff: icmp_seq=1 ttl=64 time=0.134 ms
64 bytes from 2001:db8:44::ff: icmp_seq=2 ttl=64 time=0.062 ms
64 bytes from 2001:db8:44::ff: icmp_seq=3 ttl=64 time=0.061 ms
^C
--- 2001:db8:44::ff ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.061/0.085/0.134/0.035 ms
root@9c8372c70ddc:/#
从 docker 主机到容器:
ping6 2001:db8:44::1
PING 2001:db8:44::1(2001:db8:44::1) 56 data bytes
64 bytes from 2001:db8:44::1: icmp_seq=1 ttl=64 time=0.092 ms
64 bytes from 2001:db8:44::1: icmp_seq=2 ttl=64 time=0.072 ms
64 bytes from 2001:db8:44::1: icmp_seq=3 ttl=64 time=0.074 ms
64 bytes from 2001:db8:44::1: icmp_seq=4 ttl=64 time=0.075 ms
^C
--- 2001:db8:44::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.072/0.078/0.092/0.010 ms
ajn:~/docker/dockergit$
我在仅 IPv6 主机上路由来自 Docker(版本 1.5.0)容器的流量时遇到问题。 nc -w 10 2a00:1450:4010:c07::71 80 输出 nc: connect to 2a00:1450:4010:c07::71 port 80 (tcp) timed out: Operation now in progress。
以下 this documentation ifconfig eth0; ifconfig docker0; ip -6 route show 显示:
eth0 Link encap:Ethernet HWaddr fa:16:3e:74:4a:b9
inet6 addr: fe80::f816:3eff:fe74:4ab9/64 Scope:Link
inet6 addr: 2a02:6b8:0:1a71::2329/64 Scope:Global
inet6 addr: 2a02:6b8:0:1a71:f816:3eff:fe74:4ab9/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:78994 errors:0 dropped:0 overruns:0 frame:0
TX packets:20269 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:55503363 (55.5 MB) TX bytes:1945660 (1.9 MB)
docker0 Link encap:Ethernet HWaddr 56:84:7a:fe:97:99
inet addr:172.17.42.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::5484:7aff:fefe:9799/64 Scope:Link
inet6 addr: fe80::1/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:90 errors:0 dropped:0 overruns:0 frame:0
TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6528 (6.5 KB) TX bytes:2840 (2.8 KB)
2001:db8:0:2::/64 dev docker0 metric 1024
2a02:6b8:0:1a71::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev docker0 proto kernel metric 256
default via 2a02:6b8:0:1a71::1 dev eth0 metric 2048 mtu 1450 advmss 1390
default via fe80::1 dev eth0 metric 2049 mtu 1450 advmss 1390
并且 ifconfig eth0; ip -6 route show 在容器内:
eth0 Link encap:Ethernet HWaddr 02:42:ac:11:00:09
inet addr:172.17.0.9 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:acff:fe11:9/64 Scope:Link
inet6 addr: 2001:db8:0:2:0:242:ac11:9/64 Scope:Global
UP BROADCAST MTU:1500 Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:110 (110.0 B) TX bytes:90 (90.0 B)
2001:db8:0:2::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1 dev eth0 metric 1024
IPv6 和 IPv4 路由已启用(cat /proc/sys/net/ipv6/conf/default/forwarding 给出 1,cat /proc/sys/net/ipv6/conf/all/forwarding 给出 1)。
似乎我需要添加从 docker0 桥接 IPv6 流量到 eth0 的路由,但不知道具体要做什么。
请暂停!
这是 NAT 的解决方案:
ip6tables -t nat -A POSTROUTING -s 2001:db8:0:2::/64 ! -o docker0 -j MASQUERADE
这将启用从 docker 子网到广阔世界的路由。
不建议在 IPv6 环境中进行任何类型的 NAT,这违背了 IPv6 的目的。
您可以使用管道通过 IPv6 完成对容器的访问。 管道允许更灵活的网络配置:
sudo docker run -t -i --name myimage <image id from `sudo docker images`> /bin/bash
sudo pipework br4 -i eth1 <container id from `sudo docker ps`> 2001:db8:44::1/24@2001:db8:44::ff
sudo ip a a 2001:db8:44::FF/64 dev br4
为了能够从 Internet 访问您的容器,您需要从 public IPv6 的子网中分配一个 IPv6 地址。
通过为容器中的新接口 (eth1) 分配 IPv6 地址,IPv4 默认路由被删除,新的 IPv6 默认路由将通过 eth1 指向新的 IPv6 默认网关。
应用管道之前的容器接口:
root@a0b5f4937c42:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
494: eth0: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:49 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.73/16 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe11:49/64 scope link
valid_lft forever preferred_lft forever
root@a0b5f4937c42:/#
容器接口应用管道后:(eth1)
root@9c8372c70ddc:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
498: eth0: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:4a brd ff:ff:ff:ff:ff:ff
inet 172.17.0.74/16 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe11:4a/64 scope link
valid_lft forever preferred_lft forever
500: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 1e:0a:3f:b3:15:43 brd ff:ff:ff:ff:ff:ff
inet6 2001:db8:44:0:1c0a:3fff:feb3:1543/64 scope global dynamic
valid_lft 2591994sec preferred_lft 604794sec
inet6 2001:db8:44::1/24 scope global
valid_lft forever preferred_lft forever
inet6 fe80::1c0a:3fff:feb3:1543/64 scope link
valid_lft forever preferred_lft forever
root@9c8372c70ddc:/# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.17.0.0 * 255.255.0.0 U 0 0 0 eth0
root@9c8372c70ddc:/# route -6
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
2001:db8:44::/64 :: UAe 256 0 0 eth1
2001:d00::/24 :: U 256 0 0 eth1
fe80::/64 :: U 256 0 0 eth0
fe80::/64 :: U 256 0 0 eth1
::/0 2001:db8:44::ff UG 1024 0 0 eth1
::/0 fe80::a8bb:ccff:fe00:100 UGDAe 1024 0 0 eth1
::/0 :: !n -1 1 3 lo
::1/128 :: Un 0 1 0 lo
2001:db8:44::1/128 :: Un 0 1 0 lo
2001:db8:44:0:1c0a:3fff:feb3:1543/128 :: Un 0 1 0 lo
fe80::42:acff:fe11:4a/128 :: Un 0 1 0 lo
fe80::1c0a:3fff:feb3:1543/128 :: Un 0 1 0 lo
ff00::/8 :: U 256 2 0 eth0
ff00::/8 :: U 256 6 0 eth1
::/0 :: !n -1 1 3 lo
root@9c8372c70ddc:/#
从容器到 docker 主机::
root@9c8372c70ddc:/# ping6 2001:db8:44::ff
PING 2001:db8:44::ff(2001:db8:44::ff) 56 data bytes
64 bytes from 2001:db8:44::ff: icmp_seq=1 ttl=64 time=0.134 ms
64 bytes from 2001:db8:44::ff: icmp_seq=2 ttl=64 time=0.062 ms
64 bytes from 2001:db8:44::ff: icmp_seq=3 ttl=64 time=0.061 ms
^C
--- 2001:db8:44::ff ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.061/0.085/0.134/0.035 ms
root@9c8372c70ddc:/#
从 docker 主机到容器:
ping6 2001:db8:44::1
PING 2001:db8:44::1(2001:db8:44::1) 56 data bytes
64 bytes from 2001:db8:44::1: icmp_seq=1 ttl=64 time=0.092 ms
64 bytes from 2001:db8:44::1: icmp_seq=2 ttl=64 time=0.072 ms
64 bytes from 2001:db8:44::1: icmp_seq=3 ttl=64 time=0.074 ms
64 bytes from 2001:db8:44::1: icmp_seq=4 ttl=64 time=0.075 ms
^C
--- 2001:db8:44::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.072/0.078/0.092/0.010 ms
ajn:~/docker/dockergit$