
Unable to modify ipv6 settings via sysctl in container #197

Closed
2 of 3 tasks
jkms opened this issue Jan 10, 2018 · 8 comments

Comments

@jkms

jkms commented Jan 10, 2018

  • This is a bug report
  • This is a feature request
  • I searched existing issues before opening this one

Expected behavior

With the NET_ADMIN capability, I expect to be able to enable or disable ipv6 via sysctl -w net.ipv6.conf.all.disable_ipv6=0

Actual behavior

I am unable to configure ipv6 with either --cap-add NET_ADMIN or --cap-add ALL. It only works with --privileged.

Steps to reproduce the behavior

# Assume this should work
$ docker run -it --rm --cap-add NET_ADMIN --entrypoint sysctl hypriot/rpi-alpine -w net.ipv6.conf.eth0.disable_ipv6=0
sysctl: error setting key 'net.ipv6.conf.eth0.disable_ipv6': Read-only file system

# Trying again with the --cap-add ALL
$ docker run -it --rm --cap-add ALL --entrypoint sysctl hypriot/rpi-alpine -w net.ipv6.conf.eth0.disable_ipv6=0
sysctl: error setting key 'net.ipv6.conf.eth0.disable_ipv6': Read-only file system

# Only works with --privileged
$ docker run -it --rm --privileged --entrypoint sysctl hypriot/rpi-alpine -w net.ipv6.conf.eth0.disable_ipv6=0
net.ipv6.conf.eth0.disable_ipv6 = 0

Output of docker version:

$ docker version
Client:
 Version:       17.12.0-ce
 API version:   1.35
 Go version:    go1.9.2
 Git commit:    c97c6d6
 Built: Wed Dec 27 20:14:44 2017
 OS/Arch:       linux/arm

Server:
 Engine:
  Version:      17.12.0-ce
  API version:  1.35 (minimum version 1.12)
  Go version:   go1.9.2
  Git commit:   c97c6d6
  Built:        Wed Dec 27 20:10:53 2017
  OS/Arch:      linux/arm
  Experimental: false

Output of docker info:

$ docker info
Containers: 3
 Running: 2
 Paused: 0
 Stopped: 1
Images: 49
Server Version: 17.12.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 89623f28b87a6004d4b785663257362d1658a729
runc version: b2567b37d7b75eb4cf325b77297b140ea686ce8f
init version: 949e6fa
Kernel Version: 4.4.50-hypriotos-v7+
Operating System: Raspbian GNU/Linux 8 (jessie)
OSType: linux
Architecture: armv7l
CPUs: 4
Total Memory: 861.9MiB
Name: black-pearl
ID: QE7I:RDL5:VBVX:4JKC:OMK2:U5W4:SMUF:QJYQ:WWKD:M6VC:QCCT:KDLB
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: jkms
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.)

raspberry pi 3b running hypriot

$ uname -a
Linux black-pearl 4.4.50-hypriotos-v7+ #1 SMP PREEMPT Sun Mar 19 14:11:54 UTC 2017 armv7l GNU/Linux

/etc/docker/daemon.json

{
  "ipv6": true,
  "fixed-cidr-v6": "2001:db8:1::/64"
}

@erikh

erikh commented Feb 15, 2018

Hitting this as well, haven't tried setting with sysctl yet but the host is definitely not carrying this setting to the container, which is net.ipv6.conf.eth0.disable_ipv6=0 on the host and =1 in the container.

ipv6 is setup correctly in daemon.json similarly to above.

Info:

Linux rund-3-15 4.13.0-21-generic #24-Ubuntu SMP Mon Dec 18 17:29:16 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 17.10

root@rund-3-15:/etc/docker# docker info
Containers: 1
 Running: 0
 Paused: 0
 Stopped: 1
Images: 8
Server Version: 17.12.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 89623f28b87a6004d4b785663257362d1658a729
runc version: b2567b37d7b75eb4cf325b77297b140ea686ce8f
init version: 949e6fa
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.13.0-21-generic
Operating System: Ubuntu 17.10
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.793GiB
Name: rund-3-15
ID: PP4F:XGQ6:YGHG:IJJ4:L3BV:ETQZ:HJAJ:N7I3:4QHX:6IWK:YNEW:MZE7
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 <registries elided>
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

@erikh

erikh commented Feb 15, 2018

This is only partially related to my issue; ipv6 is not turning off sysctl net.ipv6.conf.all.disable_ipv6, it is in fact turning it on even when it is on in the host. I can workaround with --sysctl for now I think.

@thaJeztah
Member

ping @fcrisciani

@matthewdupre

This is an issue for us too.

@selansen

selansen commented May 9, 2018

will take a look at it

@selansen

First, I am able to reproduce this issue. I did a lot of digging, reading and debugging for this, so sorry for taking a few days to give an update.
Conclusion: CAP-ADD is not the same as privileged and hence caps won't allow writing into sysfs.
The right way to do this is to use the --sysctl option. An example is below.
https://docs.docker.com/engine/reference/commandline/run/

Again, it's that no sysctl setting will work using the cap-add option, so it's nothing to do with ipv6 or anything network specific.

@thaJeztah, I think we can close this one.

@meesern

meesern commented Jun 20, 2019

Please don't close it without a clear solution in this thread. The link given does not answer the question for me. What is the correct approach given that

RUN sysctl -w net.ipv6.conf.all.disable_ipv6=1

results in

sysctl: setting key "net.ipv6.conf.all.disable_ipv6": Read-only file system

@thaJeztah
Member

The solution is to use the --sysctl option on docker run, which is documented under the "Configure namespaced kernel parameters (sysctls) at runtime" section in the documentation; https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime

So for example,

docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 yourimage

Note that these are runtime options, so cannot be set inside an image (so can't be set during docker build to be applied at runtime).

Closing this per the above discussion, but feel free to continue the conversation
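As an added example (not code from this thread, from Docker, or from any commenter), here is a small audit over `docker inspect` output that applies the conclusion reached in the two answers above: --privileged and --cap-add are the wrong tools for a namespaced sysctl, --sysctl is the right one, and only the namespaced keys listed in the run reference are accepted. The inspect JSON is constructed; the HostConfig field names are the real ones Docker emits.

```python
import fnmatch
import json

# Keys Docker accepts on --sysctl because the kernel namespaces them (IPC and net),
# as listed in the "Configure namespaced kernel parameters" section of the run reference.
NAMESPACED_SYSCTLS = (
    "kernel.msgmax", "kernel.msgmnb", "kernel.msgmni", "kernel.sem",
    "kernel.shmall", "kernel.shmmax", "kernel.shmmni", "kernel.shm_rmid_forced",
    "fs.mqueue.*", "net.*",
)

# Constructed `docker inspect` output for two containers (sample data, not real hosts):
# one started with --privileged to flip the IPv6 knob, one started with --sysctl.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ipv6-priv",
     "HostConfig": {"Privileged": True, "CapAdd": ["ALL"], "Sysctls": {}}},
    {"Name": "/ipv6-sysctl",
     "HostConfig": {"Privileged": False, "CapAdd": None,
                    "Sysctls": {"net.ipv6.conf.all.disable_ipv6": "0"}}},
])


def is_namespaced(key: str) -> bool:
    """True if `key` can be set per container with --sysctl."""
    return any(fnmatch.fnmatchcase(key, pat) for pat in NAMESPACED_SYSCTLS)


def audit(inspect_json: str) -> list:
    """Return (container, finding) pairs for a `docker inspect` JSON array."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        hc = c.get("HostConfig") or {}
        if hc.get("Privileged"):
            findings.append((name, "runs --privileged; use --sysctl for namespaced keys instead"))
        caps = hc.get("CapAdd") or []
        if caps:
            # Capabilities never make the read-only /proc/sys mount writable,
            # so they are not a substitute for --sysctl.
            findings.append((name, f"--cap-add {','.join(caps)} does not enable sysctl writes"))
        for key in hc.get("Sysctls") or {}:
            if not is_namespaced(key):
                findings.append((name, f"{key} is not namespaced; docker run will reject it"))
    return findings


if __name__ == "__main__":
    for container, finding in audit(SAMPLE_INSPECT):
        print(f"{container}: {finding}")
```

On a live host, feed it `docker inspect $(docker ps -q)` to find containers that were made privileged only to change a setting --sysctl already covers.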
