
Fixing Docker CE's inability to pull images over IPv6 in rootless mode

2024-08-15 15:49:13

It's been driving me crazy all day.
Docker's IPv6 support is already bad, and rootless makes it worse!

First, we need to distinguish between the Docker Engine and the images it runs.
Pulling an image is the job of the Docker Engine, that is, the daemon itself, not of a container or image.

Rootless Docker uses RootlessKit to manage user namespaces, network namespaces, etc., while RootlessKit internally uses slirp4netns to virtualize the network stack.

Enabling IPv6 Support for Virtual Networks

Prerequisites

Upgrade docker-ce and the rootless tools to the latest version:

sudo apt update
sudo apt install docker-ce docker-ce-cli docker-buildx-plugin docker-compose-plugin docker-ce-rootless-extras

In particular, upgrade slirp4netns to 1.2 or higher.

If you are using Ubuntu 22.04 or earlier, download and install the Debian Bookworm deb package.

Modifying Service Parameters

Edit the systemd service configuration.
Write the following to ~/.config/systemd/user//

[Service]
Environment=DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS=--ipv6

Reload systemd and restart the docker service.

systemctl --user daemon-reload
systemctl --user restart docker

Adding IPv6 Routing

At this point, if you try to pull an image, it will probably still not go over IPv6. If it does, skip this step.

Enter the virtual network namespace

 nsenter

View the current routes
Run route -6. The routing table might look something like this:

# route -6
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
fd40:200::/64                  [::]                       U    256 2     0 br-3fba6095d8f6
fd80:100:1::/64                [::]                       U    256 1     0 docker0
fd80:100:1::/64                [::]                       U    1024 1     0 docker0
fe80::/64                      [::]                       U    256 2     0 tap0
ip6-localhost/128              [::]                       Un   0   2     0 lo
fe80::/128                     [::]                       Un   0   3     0 tap0
fe80::7c5b:bbff:fed4:1747/128  [::]                       Un   0   5     0 tap0
ip6-mcastprefix/8              [::]                       U    256 5     0 tap0
ip6-mcastprefix/8              [::]                       U    256 1     0 docker0
[::]/0                         [::]                       !n   -1  1     0 lo

The problem with this routing table is that there is no [::]/0 route pointing at tap0, so we are going to add one.

Before that, we have to find the default gateway:

# ip -6 neigh show dev tap0
fe80::2 lladdr 52:56:00:00:00:02 router STALE

Here my default gateway is fe80::2. Next, we add the route:

ip -6 route add default via fe80::2 dev tap0 metric 100

via is followed by the default gateway you just found.
metric is the number of hops; the smaller the value, the higher the priority. Here I set it to the smallest value in the routing table.


Note
The route needs to be re-added after restarting the docker service.
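
The steps above (find the router neighbour on tap0, add the default route, repeat after every restart) collected into one script. This is an added example, not part of the original post; the function names and the --apply switch are made up here, and it assumes you run it from the shell you get after nsenter.

```shell
#!/bin/sh
# Added example: re-create the IPv6 default route inside the RootlessKit
# network namespace. IFACE and METRIC are the values used on this page.
IFACE=tap0
METRIC=100

# Read `ip -6 neigh show dev tap0` output on stdin and print the address
# of the first neighbour flagged "router". Prints nothing if there is none.
find_router() {
    while read -r addr rest; do
        case " $rest " in
            *" router "*) printf '%s\n' "$addr"; return 0 ;;
        esac
    done
    return 0
}

# Read `ip -6 route show` output on stdin; succeed only if it already
# contains a default route that leaves through $IFACE.
has_default_route() {
    while read -r dest rest; do
        [ "$dest" = "default" ] || continue
        case " $rest " in
            *" dev $IFACE "*) return 0 ;;
        esac
    done
    return 1
}

# Add the route only when it is missing, so the script is safe to re-run.
ensure_default_route() {
    if ip -6 route show | has_default_route; then
        echo "default route via $IFACE already present"
        return 0
    fi
    gw=$(ip -6 neigh show dev "$IFACE" | find_router)
    if [ -z "$gw" ]; then
        # The neighbour table can be empty right after a restart.
        echo "no router neighbour on $IFACE yet, try again later" >&2
        return 1
    fi
    ip -6 route add default via "$gw" dev "$IFACE" metric "$METRIC"
}

# Nothing is changed unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then
    ensure_default_route
fi
```

Because the route is lost when the docker service restarts, the script has to be run again with --apply, inside the namespace, after each restart.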