Port redirecting binding to IPv6 but not IPv4 interfaces. #2174
I believe that while IPv6 is disabled on all interfaces, it is not disabled on the whole machine. In other words, even if there is no IPv6 interface or address present at the moment, there might be one in the future. So when Docker tells the kernel "please bind my sockets to all available addresses", it will include IPv6. When you try to connect to your IPv4 address (e.g.
Thank you! |
No I can't connect on |
OK! I was asking because on my machine, many sockets show as IPv6 even though IPv4 works fine. Thanks for the precision. We'll try to reproduce here. |
I ran all the above on Digital Ocean on their Ubuntu 13.04 x64 image (#350076). |
I was stupidly trying to attach to the port running in the container, not the port on the host OS. |
@marklit Are you still encountering this issue with a newer version of docker? We made a lot of fixes to the networking stack. |
Still happening on 0.7.1. |
I have installed it on clean Centos 6.5. And Docker works out-of-the box (epel installs But my containers only bind on the IPv6 side, not on IPv4.
If you need extra information, or a test machine. Let me know. |
Using Docker version 0.7.1, build 8088bc1/0.7.1. I get the same, except it all works with IPv4. e.g. If I were to do 'telnet -4 localhost 80' in the example above it would connect through. It doesn't work for external connections, but I think that is a different issue. |
I have the same problem with Version 0.7.3 that after starting boot2docker only adding 0.0.0.0 works: this does not work: in both cases the result from
the funny thing is that any further process started will work with |
From https://groups.google.com/d/msg/golang-nuts/F5HE7Eqb6iM/q_um2VqT5vAJ
This is why binding to the IPv6 loopback also binds to the IPv4 loopback (though netstat won't show it). Most of the work is done by the iptables -t nat stuff anyway. |
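The dual-stack behaviour discussed in this thread, as an added example that is not part of the thread or of Docker's code: a wildcard IPv6 listener (the kind netstat reports as tcp6 only) is probed over the IPv4 loopback, once with IPV6_V6ONLY cleared and once with it set. It assumes Linux; the function names are illustrative.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"syscall"
	"time"
)

// listenWildcardV6 listens on [::]:0 with IPV6_V6ONLY forced to the given value.
func listenWildcardV6(v6only bool) (net.Listener, error) {
	val := 0
	if v6only {
		val = 1
	}
	lc := net.ListenConfig{Control: func(_, _ string, c syscall.RawConn) error {
		var serr error
		if err := c.Control(func(fd uintptr) {
			// Runs after socket creation and before bind, so it overrides Go's default.
			serr = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IPV6, syscall.IPV6_V6ONLY, val)
		}); err != nil {
			return err
		}
		return serr
	}}
	return lc.Listen(context.Background(), "tcp6", "[::]:0")
}

// reachableOverIPv4 reports whether that listener accepts a connection to 127.0.0.1.
func reachableOverIPv4(v6only bool) (bool, error) {
	ln, err := listenWildcardV6(v6only)
	if err != nil {
		return false, err // no IPv6 socket support on this host
	}
	defer ln.Close()
	port := ln.Addr().(*net.TCPAddr).Port
	conn, err := net.DialTimeout("tcp4", fmt.Sprintf("127.0.0.1:%d", port), time.Second)
	if err != nil {
		return false, nil // refused: the socket only serves IPv6
	}
	conn.Close()
	return true, nil
}

func main() {
	dual, _ := reachableOverIPv4(false)
	only, _ := reachableOverIPv4(true)
	fmt.Println("V6ONLY=0 reachable over IPv4:", dual, "| V6ONLY=1:", only)
}
```

With the option cleared, the socket is listed under tcp6 yet still answers on IPv4 addresses through IPv4-mapped addressing, so a tcp6-only line in netstat does not by itself show that IPv4 is unserved.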
FWIW, I found this issue trying to figure out why a port mapping wouldn't work from my host OS (host -> vagrant -> docker container). I tried another box and it worked even though I only had the tcp6 port listed in netstat. Thinking something else may be happening here but not sure what. UPDATE: yeah, just destroyed and recreated the VM and now it's fine. Yay computers ;) |
Having the same issue with 0.7.6. Are there any workarounds? |
It seems that you can bind to IPv4-only port with |
I'm having this issue as well (brought it up in freenode a few times today). Using the host portion of the -p flag (-p ADDR:PORT:PORT) doesn't fix it for me. I'm on 0.7.6. |
As described in my blog post, you could try to enable packet forwarding for ipv6 by adding the following line to your /etc/sysctl.conf: |
boot2docker#58 enable packet forwarding for ipv6 moby/moby#2174 (comment)
As @bharrisau mentioned, can someone who's running into this paste the output of I'm very interested in helping track a proper fix to this down, because setting "net.ipv6.conf.all.forwarding" is pretty much always wrong for networks that actually have IPv6. |
With net.ipv6.conf.all.forwarding=1 it works for me now and net.ipv6.bindv6only=0 on my system. netstat still shows only tcp6 bind but curl to the ipv4 ip works, so forwarding does the job. |
I think (from memory) you can force the binding to IPv4 in the proxy setup On my server the NAT rules change the target address and forwards the |
So, I've tried it on a clean install of CentOS with the latest docker from the epel repository (0.8.0). And it just works™. In |
@tianon for the record, this is my configuration:
|
I just ran into this problem with docker 0.9.0 on boot2docker 0.7.0. Cannot access a container (jenkins) on port 8080 using ipv4. Even from the localhost.
I threw the ssh attempt to show that accessing a local service works if it binds on ipv4. |
@mik3y, you mean jenkins is binding to 127.0.0.1 within the container? This is not the case. I can run the jenkins container on my Arch Linux system and the same test succeeds. I also ran
The fact that the same container works on Arch Linux, but not on boot2docker Linux indicates that something may not be configured correctly in boot2docker. What that misconfiguration is, I don't know. The few relevant google results I find indicate that |
@mrjana actually docker-proxy doesn't listen on ipv4 if you specify wildcard (0.0.0.0). |
@RushOnline Are you sure?
|
@mrjana not sure for now. Two weeks ago the same sequence as in your example resulted in "connection reset"; for now it is OK. |
So what do we do with this issue? Should we close this? I am not sure what more we can get out of this issue. It is pretty clear the issues various folks are having with port publish is probably not related to docker-proxy listening issues as it is actually listening to both ipv4 and ipv6 addresses if the host is dual-stacked. It is probably due to some other issue involving maybe iptables rules. |
@mrjana I think there are many ways to get this issue, but if the user does everything right he will not get it. So I think this is not a docker bug, but a signal to add more diagnostic messages or improve the docs. IMHO - you can close it. |
Just chiming in that I'm suffering from this as well when I try to run a Gogs container on Fedora. The container was running fine, I upgraded the system including docker, restarted the container and now when I check the system the following is what's happening:
Happy to run tests as people instruct, it's not production or anything it's just a silly git repo I play with. |
I have the same problem on centos 7. I have disabled ipv6 via sysctl. but |
My problem when I encountered this issue was that my firewall was blocking the network that the container was a member of. The firewall had a rule at the bottom of the firewall rules that denied all of the ports and IP addresses that weren't defined in the list above it. My container was part of the subnet 172.17.0.0/16 so after adding it to the Allow-list in the firewall, all was well. |
This fixes the problem: nano /etc/default/grub |
I believe I have found part of the problem - FirewallD, I have posted a workaround - see #27491 (comment) |
I also have this issue, tried most of the solutions above but it didn't help. $docker run -p 8080:80 -itd swagger-ui-builder My system information: |
@ricemouse Have you tried the command I posted at #27491 (comment) which uses the full IPv4 address you want the container to bind to on the host system? |
Folks, the service in the container must be listening on something other than localhost for port forwarding to work. Please do not post things like " |
@cpuguy83 please see this:
Using unmodified official ubuntu cloud image. Setting net.ipv6.conf.all.forwarding=1 will fix the issue. Didn't try other things, but willing to test anything you might want. |
Same problem on Ubuntu 16.04.2
Fixed by
|
This ticket is a beast. It's one (or a variation of one) symptom, but multiple possible causes. This needs to be definitively addressed in the documentation. And are there also some circumstances where people still cannot solve the issue for themselves even with this vast array of possible solutions? |
Hi. CC @cpuguy83
IPv6 was previously installed on the system, but not anymore (if that could have something to do with it). Should I use interface to publish as @xcellardoor suggested? Regards UPDATE: Seems the service is working/listening on IPv4 but is not shown on netstat. Maybe that is what's expected? (because the host is not listening, but the container is) |
@mostolog The host is listening since it runs a proxy process for local traffic (hairpinning in particular) and to occupy the port. |
@cpuguy83 If interested in fixing this, I could run whatever you may need... |
@mostolog I don't think there's something to fix in such a case.
In the current default config, traffic routing to published ports can follow two paths depending on if it's local traffic or external traffic. Let's take the following container:
This yields the following iptables NAT rules:
This says, all traffic where the destination is local needs to go to the Once it hits the You'll notice the As you can see, doing a Meanwhile here's my netstat output:
TCP6 only... but...
Even
I'm going to go ahead and close this issue since there does not seem to be anything to actually fix here. |
seems still binding on ipv6 only. netstat -anp | grep docker-proxy | grep LISTEN reports:
|
It usually works correctly even though it looks like it's binding on ipv6 only. I have this scenario on one Docker server right now, it works just fine. On another one it doesn't, but that's because the service isn't listening on the port inside the container in my case. The tcp6 thing is a side track, unfortunately. @cpuguy83, I suggest the issue be locked to avoid further noise. If people find new problems, a new issue had better be created anyway. |
Agreed; locking the conversation on this issue. |
Is there a way I can tell docker to only bind redirected ports to IPv4 interfaces?
I have a machine running with IPv6 disabled:
ifconfig reports there are no IPv6-enabled interfaces:
When I launch a new docker container and ask it to port forward 8000 to 8000 in the container it does so only on IPv6 interfaces. Is there a way to make it only bind to IPv4 interfaces?
When I check with lsof it says that only IPv6-related bindings have been made: