Docker will only bind forwarded ports to IPv6 interfaces


Solution 1

I ran into the same issue:

Edit /etc/modprobe.d/blacklist.conf with:

blacklist ipv6

And /etc/default/grub with:

GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 console=ttyS0"

Then update-grub and reboot.

Solution 2

Actually, docker uses the netfilter firewall to make sure the service is available. lsof wouldn't tell you anything. Try running

iptables -L -t nat
ip6tables -L -t nat

It is possible that the container doesn't listen on the specified port, however.

You can look into your container to make sure your service is listening to the expected ports using nsenter:

nsenter --net -t PID netstat -ltpn

PID must be the PID of a process running inside the container, most probably your service. --net enters the network namespace. The netstat options -ltpn list listening (-l) TCP (-t) sockets, show the process (-p), and show port numbers in numeric format (-n).
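
Solution 2's point, that a published port shows up as a netfilter NAT rule rather than only as a listening socket, can be checked with a small script. This is an added example, not part of the original answer: it reads rules in `iptables -S` format and reports where a host port is forwarded. The sample rules and the 172.17.0.2 address are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -S DOCKER` output for a container
# started with `docker run -p 8000:8000 ...` (addresses are illustrative).
SAMPLE_NAT_RULES='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 172.17.0.2:8000'

# dnat_targets PORT: read rules in `iptables -S` format on stdin and print
# "proto container_ip:port" for every DNAT rule that publishes host PORT.
dnat_targets() {
    awk -v port="$1" '
        {
            proto = ""; dport = ""; dest = ""; jump = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i == "-j") jump = $(i + 1)
                else if ($i == "--to-destination") dest = $(i + 1)
            }
            if (jump == "DNAT" && dport == port && dest != "")
                print proto, dest
        }'
}

# check_published PORT: succeed only if an IPv4 NAT rule forwards PORT.
check_published() {
    targets=$(dnat_targets "$1")
    if [ -n "$targets" ]; then
        echo "port $1 is forwarded by netfilter to: $targets"
        return 0
    fi
    echo "no IPv4 DNAT rule for port $1" >&2
    return 1
}

# On a live host (as root): iptables -t nat -S DOCKER | check_published 8000
printf '%s\n' "$SAMPLE_NAT_RULES" | check_published 8000
```

If the rule is present but connections still fail, the nsenter/netstat check above shows whether the service inside the container is actually listening on the target port.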


Author: Mark L

LAMP developers with 7 years of experience. Worked as a Developer, Technical Manager and Technical Director in the UK, Germany, Estonia and India. Currently working as a developer for a company that researches investment in clean energy.

Updated on September 18, 2022

Comments

  • Mark L
    Mark L over 1 year

    Is there a way I can tell docker to only bind forwarded ports to IPv4 interfaces?

    I have a machine running on Digital Ocean with IPv6 disabled:

    # echo '1' > /proc/sys/net/ipv6/conf/lo/disable_ipv6  
    # echo '1' > /proc/sys/net/ipv6/conf/lo/disable_ipv6  
    # echo '1' > /proc/sys/net/ipv6/conf/all/disable_ipv6  
    # echo '1' > /proc/sys/net/ipv6/conf/default/disable_ipv6
    # /etc/init.d/networking restart
    

    ifconfig reports there are no IPv6-enabled interfaces:

    # ifconfig
    docker0   Link encap:Ethernet  HWaddr 00:00:00:00:00:00  
              inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:1372 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7221 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:88091 (88.0 KB)  TX bytes:10655750 (10.6 MB)
    
    eth0      Link encap:Ethernet  HWaddr 04:01:08:c1:b1:01  
              inet addr:198.XXX.XXX.XXX  Bcast:198.199.90.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:97602 errors:0 dropped:4 overruns:0 frame:0
              TX packets:15362 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:141867997 (141.8 MB)  TX bytes:1376970 (1.3 MB)
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    
    lxcbr0    Link encap:Ethernet  HWaddr 9e:51:04:ed:13:d4  
              inet addr:10.0.3.1  Bcast:10.0.3.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    

    When I launch a new docker container and ask it to port forward 8000 to 8000 in the container it does so only on IPv6 interfaces. Is there a way to make it only bind to IPv4 interfaces?

    # docker run -p 8000:8000 -i -t colinsurprenant/ubuntu-raring-amd64 /bin/bash
    
    # lsof -OnP | grep LISTEN
    sshd      1275             root    3u     IPv4 ... TCP *:22 (LISTEN)
    sshd      1275             root    4u     IPv6 ... TCP *:22 (LISTEN)
    dnsmasq   2975      lxc-dnsmasq    7u     IPv4 ... TCP 10.0.3.1:53 (LISTEN)
    docker    9629             root    7u     IPv6 ... TCP *:8000 (LISTEN)
    docker    9629 9630        root    7u     IPv6 ... TCP *:8000 (LISTEN)
    docker    9629 9631        root    7u     IPv6 ... TCP *:8000 (LISTEN)
    docker    9629 9632        root    7u     IPv6 ... TCP *:8000 (LISTEN)
    docker    9629 9633        root    7u     IPv6 ... TCP *:8000 (LISTEN)
    docker    9629 9634        root    7u     IPv6 ... TCP *:8000 (LISTEN)
    docker    9629 9698        root    7u     IPv6 ... TCP *:8000 (LISTEN)
    
    • Mark L
      Mark L over 10 years
      I've raised a ticket on the docker github repo: github.com/dotcloud/docker/issues/2174
    • sciurus
      sciurus over 10 years
      Are you sure it's only listening on IPv6? What is the output of lsof -i 4tcp:8000?
  • Mark L
    Mark L over 10 years
    I did that and after reboot ifconfig | grep inet6 | wc -l returns 5. Docker still only binds to those ipv6 interfaces and not ipv4. The Flask app I'm running only speaks on ipv4 so I can't connect with it.
  • Michael Hampton
    Michael Hampton over 10 years
    You can't change the boot options this way on Digital Ocean thanks to their bizarre boot process.