Load module ip6_tables to make docker --ipv6 networks work #1206
Comments
I think we might be able to do this in moby itself. Assuming we can, it'll need to be in a major release, which won't be ready until the new year.

Thanks for all the details @robmry!
This sounds great. If you're able to ping here if/when the fix is in moby, that'd be fantastic!

Thanks @bamurtaugh, good timing! It didn't need to wait for a major release, so the change is included in moby 27.4.1, created just a few minutes ago - https://github.com/moby/moby/releases/tag/v27.4.1

Fantastic, thanks so much! Can we close this issue as completed then?

Yes, sure. Although I guess it might be worth considering ...

Hi all - moby maintainer here ...

This is related to:

In moby 27.0 we enabled `ip6tables` by default. So, to create a Docker network with `--ipv6` the `ip6_tables` kernel module is needed. But, in Codespaces it's not loaded on startup.

In the issue/PR linked above, devcontainers option `disableIp6tables` was added to work around the problem by adding `--ip6tables=false` to docker's command line. That'll restore the pre-27.0 behaviour, so docker won't try to create ip6tables rules. But, docker bridge networks won't work properly without those rules (and users have to know to set the option, or they get a complicated-looking error from docker when trying to create a network with `--ipv6`).

The official Docker-in-Docker image tries to load modules on the host using this unlikely-looking trick ... `ip link show ip6_tables` (as root). It produces an error about the link not existing but, in a Codespace, it does trigger the module load - then `ip6tables` works normally. So, if the module is loaded before dockerd starts, `--ipv6` networks should just-work.

Would it be possible to add that `ip link show` trick, probably to the `docker-init.sh` script? Then, in a lot of cases, there shouldn't be any need to disable docker's use of ip6tables.
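
One way to do the pre-start check the issue asks for, as an added example that is not part of the original issue, of moby, or of the devcontainers `docker-init.sh`: it looks for the module in `/proc/modules` and `/sys/module`, tries `modprobe`, then falls back to the `ip link show` lookup. The function names, the `--before-dockerd` argument and the `PROC_MODULES`/`SYS_MODULE` overrides are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the devcontainers docker-init.sh: make sure ip6_tables
# is loaded before dockerd starts, so --ipv6 networks work with ip6tables on.

# Overridable so the check can be exercised against constructed files.
PROC_MODULES="${PROC_MODULES:-/proc/modules}"
SYS_MODULE="${SYS_MODULE:-/sys/module}"

# module_loaded NAME: 0 if the kernel reports NAME as present, 1 otherwise.
module_loaded() {
    # /proc/modules lists loaded modules, name in the first field.
    # Match the whole field, not a prefix of a longer module name.
    if [ -r "$PROC_MODULES" ] &&
        awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$PROC_MODULES"
    then
        return 0
    fi
    # Loaded modules, and built-in code that exposes parameters, also get
    # a directory under /sys/module.
    [ -d "$SYS_MODULE/$1" ]
}

# ensure_module NAME: try to get NAME loaded; 0 if present afterwards.
ensure_module() {
    module_loaded "$1" && return 0
    # modprobe can be absent, or have no /lib/modules for the host kernel.
    if command -v modprobe >/dev/null 2>&1; then
        modprobe "$1" >/dev/null 2>&1 || true
        module_loaded "$1" && return 0
    fi
    # The trick from the issue: looking up a link named after the module
    # triggers the load; the "does not exist" error is expected.
    if command -v ip >/dev/null 2>&1; then
        ip link show "$1" >/dev/null 2>&1 || true
    fi
    module_loaded "$1"
}

# Hypothetical call site: run as root just before dockerd is started.
if [ "${1:-}" = "--before-dockerd" ]; then
    ensure_module ip6_tables ||
        echo "ip6_tables not loaded; docker network create --ipv6 may fail" >&2
fi
```

Re-checking after each attempt means a non-zero return from `ensure_module` is a reliable signal to log before dockerd starts, rather than leaving the user to decode the network-creation error later.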