Docker will only bind forwarded ports to IPv6 interfaces
Solution 1
I ran into the same issue:
Edit /etc/modprobe.d/blacklist.conf with:
blacklist ipv6
And /etc/default/grub with:
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 console=ttyS0"
Then update-grub and reboot.
Solution 2
Actually, docker uses the netfilter firewall to make sure the service is available. lsof wouldn't tell you anything. Try running
iptables -L -t nat
ip6tables -L -t nat
It is possible that the container doesn't listen on the specified port, however.
You can look into your container to make sure your service is listening on the expected ports using nsenter:
nsenter --net -t PID netstat -ltpn
PID must be the PID of a process running inside the container, most probably your service. --net enters the network namespace. The netstat options -ltpn list listening (-l) TCP (-t) sockets, show the process (-p), and show port numbers in numeric format (-n).
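Added example (not part of the original answer, and not Docker's own code): the two checks from Solution 2 combined into one script that finds the DNAT rule for a published port, then checks whether the container has a listener the forwarded traffic can reach, flagging a service bound only to 127.0.0.1. The function names, addresses and sample command output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -S DOCKER` on the host (addresses made up).
NAT_RULES='-N DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 172.17.0.2:8000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.3:80'

# Constructed samples of `nsenter --net -t PID netstat -ltpn` inside the container.
LISTEN_LOOPBACK='Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 127.0.0.1:8000   0.0.0.0:*        LISTEN  12/python'
LISTEN_ANY='Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:8000     0.0.0.0:*        LISTEN  12/python'

# dnat_target HOST_PORT: read NAT rules on stdin and print the container
# ip:port the published host port is forwarded to (nothing if no rule matches).
dnat_target() {
    awk -v port="$1" '
        /-j DNAT/ {
            dport = ""; dest = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            if (dport == port) { print dest; exit }
        }'
}

# check_listener IP:PORT: read netstat output on stdin and report whether
# traffic DNATed to IP:PORT can reach a listening socket in that namespace.
check_listener() {
    awk -v target="$1" '
        BEGIN { n = split(target, t, ":"); port = t[n]; state = "not-listening" }
        $6 == "LISTEN" {
            addr = $4
            # The wildcard or the container address accepts forwarded IPv4 traffic;
            # ":::" is assumed dual-stack (net.ipv6.bindv6only=0, the Linux default).
            if (addr == target || addr == "0.0.0.0:" port || addr == ":::" port) {
                state = "reachable"; exit
            }
            if (addr == "127.0.0.1:" port) state = "loopback-only"
        }
        END { print state }'
}

target=$(printf '%s\n' "$NAT_RULES" | dnat_target 8000)
printf 'host port 8000 -> %s: %s\n' "$target" \
    "$(printf '%s\n' "$LISTEN_LOOPBACK" | check_listener "$target")"
```

On a live host, replace the samples with real output: pipe `iptables -t nat -S DOCKER` into `dnat_target`, and pipe the `nsenter --net -t PID netstat -ltpn` command from the answer into `check_listener`.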
Updated on September 18, 2022
Comments
-
Mark L over 1 year
Is there a way I can tell docker to only bind forwarded ports to IPv4 interfaces?
I have a machine running on Digital Ocean with IPv6 disabled:
# echo '1' > /proc/sys/net/ipv6/conf/lo/disable_ipv6
# echo '1' > /proc/sys/net/ipv6/conf/lo/disable_ipv6
# echo '1' > /proc/sys/net/ipv6/conf/all/disable_ipv6
# echo '1' > /proc/sys/net/ipv6/conf/default/disable_ipv6
# /etc/init.d/networking restart
ifconfig reports there are no IPv6-enabled interfaces:
# ifconfig
docker0   Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:1372 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7221 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:88091 (88.0 KB)  TX bytes:10655750 (10.6 MB)
eth0      Link encap:Ethernet  HWaddr 04:01:08:c1:b1:01
          inet addr:198.XXX.XXX.XXX  Bcast:198.199.90.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:97602 errors:0 dropped:4 overruns:0 frame:0
          TX packets:15362 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:141867997 (141.8 MB)  TX bytes:1376970 (1.3 MB)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
lxcbr0    Link encap:Ethernet  HWaddr 9e:51:04:ed:13:d4
          inet addr:10.0.3.1  Bcast:10.0.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
When I launch a new docker container and ask it to port forward 8000 to 8000 in the container it does so only on IPv6 interfaces. Is there a way to make it only bind to IPv4 interfaces?
# docker run -p 8000:8000 -i -t colinsurprenant/ubuntu-raring-amd64 /bin/bash
# lsof -OnP | grep LISTEN
sshd 1275 root 3u IPv4 ... TCP *:22 (LISTEN)
sshd 1275 root 4u IPv6 ... TCP *:22 (LISTEN)
dnsmasq 2975 lxc-dnsmasq 7u IPv4 ... TCP 10.0.3.1:53 (LISTEN)
docker 9629 root 7u IPv6 ... TCP *:8000 (LISTEN)
docker 9629 9630 root 7u IPv6 ... TCP *:8000 (LISTEN)
docker 9629 9631 root 7u IPv6 ... TCP *:8000 (LISTEN)
docker 9629 9632 root 7u IPv6 ... TCP *:8000 (LISTEN)
docker 9629 9633 root 7u IPv6 ... TCP *:8000 (LISTEN)
docker 9629 9634 root 7u IPv6 ... TCP *:8000 (LISTEN)
docker 9629 9698 root 7u IPv6 ... TCP *:8000 (LISTEN)
-
Mark L over 10 years
I've raised a ticket on the docker github repo: github.com/dotcloud/docker/issues/2174
-
sciurus over 10 years
Are you sure it's only listening on IPv6? What is the output of lsof -i 4tcp:8000
-
Mark L over 10 years
I did that and after reboot ifconfig | grep inet6 | wc -l returns 5. Docker still only binds to those ipv6 interfaces and not ipv4. The Flask app I'm running only speaks on ipv4 so I can't connect with it.
-
Michael Hampton over 10 years
You can't change the boot options this way on Digital Ocean thanks to their bizarre boot process.