IPv6 container woes

robertallbright · June 2, 2020, 4:31am

Because I am a new user I can only post two links.

I followed this tutorial to make a traefik docker setup for a home theater. Everything works great for ipv4 space, and the host OS has no problems with IPv6 space. If I set a container to host network driver the container can happily ping ipv6 space without issue. If I set a container to default bridge, it cannot. The shared network all the containers have in docker-compose called t2_proxy allows the containers themselves to communicate together via http appname port versus a ip address that can change over time, like when containers are taken up and down.

I have tried remaking the network with the ipv6 flag, setting cidr in my docker daemon, setting subnet, and several other things. I am at a loss on what to do so I can communicate directly over ipv6 space. My server only has one uplink, hurricane electric, on ipv6 space: this uplink is significantly faster than the mix of uplinks like china telecom I have on ipv4 space where my transit turns to dust. I do not know what to do, and I assume that I "should" be able to use ipv6 space inside containers?

Does anyone have any suggestions, thanks in advance.

Now this is not 100% traefiks problem. I can see the port is open (externally using nmap) from another ipv6 aware server. So traefik is listening or at least occupying the port. However, the container cannot respond to any requests whatsoever because of a docker issue I have. I am not sure if this is the right place to ask, but here entire traefik yml from docker compose


version: "2.4"

########################### NETWORKS
networks:
  t2_proxy:
    external:
      name: t2_proxy
  default:
    driver: bridge
    driver_opts:
      com.docker.network.enable_ipv6: "true"

########################### SERVICES
services:
# All services / apps go below this line
# Traefik 2 - Reverse Proxy
  traefik:
    container_name: traefik
    image: traefik:chevrotin # the chevrotin tag refers to v2.2.x
    restart: unless-stopped
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
        # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
#      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
      - --entryPoints.traefik.address=:8080
      - --api=true
#      - --api.insecure=true
#      - --serversTransport.insecureSkipVerify=true
      - --log=true
      - --log.level=ERROR # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
#      - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
      - --providers.file.watch=true # Only works on top level files in the rules folder
#      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
#    networks:
#      t2_proxy:
#        ipv4_address: 192.168.90.254 # You can specify a static IP
    networks:
      - t2_proxy
    security_opt:
      - no-new-privileges:true
    ports:
#      - target: 80
#        published: 80
#        protocol: tcp
#        mode: host
#      - target: 443
#        published: 443
#        protocol: tcp
#        mode: host
#      - target: 8080
#        published: 8080
#        protocol: tcp
#        mode: host
       - 8080:8080
       - 443:443
       - 80:80
    volumes:
      - $USERDIR/docker/traefik2/rules:/rules
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $USERDIR/docker/traefik2/acme/acme.json:/acme.json
      - $USERDIR/docker/traefik2/traefik.log:/traefik.log
      - $USERDIR/docker/shared:/shared
    environment:
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      - CF_API_KEY=$CLOUDFLARE_API_KEY
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
      - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
#      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
#      - "traefik.http.routers.traefik-rtr.tls.domains[1].main=$SECONDDOMAINNAME" # Pulls main cert for second domain
#      - "traefik.http.routers.traefik-rtr.tls.domains[1].sans=*.$SECONDDOMAINNAME" # Pulls wildcard cert for second domain
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-basic-auth@file"
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit@file,middlewares-basic-auth@file"
      - "traefik.http.routers.traefik-rtr.middlewares=traefik-headers,middlewares-rate-limit@file,middlewares-basic-auth@file"
      - "traefik.http.middlewares.traefik-headers.headers.accesscontrolallowmethods=GET, OPTIONS, PUT"
      - "traefik.http.middlewares.traefik-headers.headers.accesscontrolalloworiginlist=https://$DOMAINNAME"
      - "traefik.http.middlewares.traefik-headers.headers.accesscontrolmaxage=100"
      - "traefik.http.middlewares.traefik-headers.headers.addvaryheader=true"
      - "traefik.http.middlewares.traefik-headers.headers.allowedhosts=traefik.$DOMAINNAME"
      - "traefik.http.middlewares.traefik-headers.headers.hostsproxyheaders=X-Forwarded-Host"
      - "traefik.http.middlewares.traefik-headers.headers.sslredirect=true"
      - "traefik.http.middlewares.traefik-headers.headers.sslhost=traefik.$DOMAINNAME"
      - "traefik.http.middlewares.traefik-headers.headers.sslforcehost=true"
      - "traefik.http.middlewares.traefik-headers.headers.sslproxyheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.traefik-headers.headers.stsseconds=63072000"
      - "traefik.http.middlewares.traefik-headers.headers.stsincludesubdomains=true"
      - "traefik.http.middlewares.traefik-headers.headers.stspreload=true"
      - "traefik.http.middlewares.traefik-headers.headers.forcestsheader=true"
      - "traefik.http.middlewares.traefik-headers.headers.framedeny=true"
#      - "traefik.http.middlewares.traefik-headers.headers.customframeoptionsvalue=SAMEORIGIN" # This option overrides FrameDeny
      - "traefik.http.middlewares.traefik-headers.headers.contenttypenosniff=true"
      - "traefik.http.middlewares.traefik-headers.headers.browserxssfilter=true"
#      - "traefik.http.middlewares.traefik-headers.headers.contentsecuritypolicy=frame-ancestors 'none'; object-src 'none'; base-uri 'none';"
      - "traefik.http.middlewares.traefik-headers.headers.referrerpolicy=same-origin"
      - "traefik.http.middlewares.traefik-headers.headers.featurepolicy=camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
      - "traefik.http.middlewares.traefik-headers.headers.customresponseheaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex,"

Some is blanked out because I have to use 2.4 over 3.x because of a nvidia runtime issue. I need to make my jellyfin container aware of the gpu, but cannot do that in newer versions of compose. This is also not a traefik issue, but I want to check if there are any solutions to get docker network bridge able to communicate externally with ipv6 and anything else I need to do w/ traefik to make it able to respond over ipv6.

Thanks in advance!

Topic		Replies	Views
Docker swarm, traefik 2.0 and IPv6 issue Traefik v2 docker-swarm , letsencrypt-acme	2	2347	October 20, 2019
X-Real-IP wrong for IPv6 but not IPv4 Traefik v2 docker , docker-swarm	7	3345	July 21, 2023
Traefik run in docker with network mode host is accepting only ipv6 connections not ipv4 :/ Traefik v3 (latest) tcp	5	244	October 1, 2024
Forcing Traefik Docker Container to use IPv6 when host is IPv6 only for Let's Encrypt Traefik v3 (latest) letsencrypt-acme	3	471	November 12, 2024
Traefik enabled apps work, disabled not Traefik v2 docker	3	404	June 5, 2021

IPv6 container woes

Related topics