2021-03-19
Enabling IPv6 for Docker Containers on Debian 10
Enable IPv6 Support in Docker
For containers to listen on IPv6 interfaces, they need an IPv6 interface of their own.
See the Docker documentation.
Edit /etc/docker/daemon.json and merge the following configuration:
{
  "ipv6": true,
  "fixed-cidr-v6": "2001:db8:1::/64"
}

Then restart the Docker daemon:

systemctl restart docker

The first option enables IPv6 on the default bridge network; the second adds a subnet to the IPv6 address pool.
Note that all addresses in this subnet are allocated to the default global bridge network. If your docker-compose file defines custom networks that need IPv6, you must assign subnets manually, or switch to the default global bridge.
Forward Traffic with ip6tables
After the step above, exposed container ports should be reachable over IPv6. However, for containers to access external IPv6 networks, you also need to configure ip6tables forwarding.
See this issue.
Masquerade traffic from the assigned subnet that leaves through any interface other than docker0:

ip6tables -t nat -A POSTROUTING -s 2001:db8:1::/64 ! -o docker0 -j MASQUERADE

This works for now, though it doesn’t feel like a complete solution.
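Running the `-A` command above more than once appends a duplicate rule each time. The following is an added example, not part of the original post, that applies the same rule idempotently by checking with `-C` first; the function names and the `IP6TABLES` override variable are hypothetical.

```shell
#!/bin/sh
# Added example: apply the article's MASQUERADE rule only if it is missing.
# IP6TABLES is a hypothetical override (e.g. point it at a wrapper for a dry run).
IP6TABLES=${IP6TABLES:-ip6tables}

# Character-level sanity check on an IPv6 CIDR: hex digits and colons,
# then a prefix length of 0-128. Not a full IPv6 parser.
valid_v6_cidr() {
    case $1 in
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}
    len=${1##*/}
    case $addr in
        ''|*[!0-9A-Fa-f:]*) return 1 ;;
    esac
    case $addr in
        *:*) ;;
        *) return 1 ;;
    esac
    case $len in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$len" -le 128 ]
}

# ensure_masquerade SUBNET [BRIDGE]
# Prints "present" if an identical rule exists, "added" if it was appended.
ensure_masquerade() {
    subnet=$1
    bridge=${2:-docker0}
    valid_v6_cidr "$subnet" || { echo "bad IPv6 CIDR: $subnet" >&2; return 2; }
    # -C exits non-zero when no identical rule is in the chain.
    if $IP6TABLES -t nat -C POSTROUTING -s "$subnet" ! -o "$bridge" -j MASQUERADE 2>/dev/null; then
        echo present
    else
        $IP6TABLES -t nat -A POSTROUTING -s "$subnet" ! -o "$bridge" -j MASQUERADE && echo added
    fi
}

# Usage (as root): ensure_masquerade 2001:db8:1::/64
```

Rules added this way exist only in the running kernel tables, so the function has to run again after a reboot (or the ruleset has to be saved and restored) for the rule to persist.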