Traefik running in Docker with network mode host is accepting only IPv6 connections, not IPv4 :/

Hi,

I'm running the latest Traefik (v3.1.4) with docker compose:

version: '3'
services:
  traefik:
    # The official Traefik docker image
    image: traefik:v3.1.4
    container_name: traefik 
    restart: always
    volumes:
      - ./dynamic_conf.yml:/etc/traefik/dynamic_conf.yml
      - ./traefik.yml:/etc/traefik/traefik.yml  
      - ./shared:/shared
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
    network_mode: host
    logging:
      driver: "json-file"
      options:
        max-size: "50m"

But it didn't work as expected: I was unable to get to the services. After some debugging I found that it listens only on tcp6:

ubuntu@arm:~/projects-docker/traefic$ sudo netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2567/docker-proxy   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      709/systemd-resolve 
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/init              
tcp        0      0 127.0.0.54:53           0.0.0.0:*               LISTEN      709/systemd-resolve 
tcp6       0      0 :::8080                 :::*                    LISTEN      2575/docker-proxy   
tcp6       0      0 :::22                   :::*                    LISTEN      1/init              
tcp6       0      0 :::80                   :::*                    LISTEN      3310/traefik        
tcp6       0      0 :::111                  :::*                    LISTEN      1/init              
tcp6       0      0 :::443                  :::*                    LISTEN      3310/traefik   

Any advice on how to also enforce tcp / IPv4?

My setup is as follows:
docker:

ubuntu@arm:~/projects-docker/traefic$ docker info
Client: Docker Engine - Community
 Version:    27.3.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.17.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.29.7
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 3
  Running: 3
  Paused: 0
  Stopped: 0
 Images: 5
 Server Version: 27.3.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7f7fdf5fed64eb6a7caf99b3e12efcf9d60e311c
 runc version: v1.1.14-0-g2c9f560
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-1013-oracle
 Operating System: Ubuntu 24.04.1 LTS
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 23.42GiB
 Name: arm
 ID: eca0d048-0b46-4266-963d-46de3e3bae7c
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

ubuntu:

ubuntu@arm:~/projects-docker/traefic$ cat /etc/os-release 
PRETTY_NAME="Ubuntu 24.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.1 LTS (Noble Numbat)"
VERSION_CODENAME=noble

It's an ARM instance in Oracle OCI

You don’t show your full Traefik static and dynamic config, we don’t even know which port you want to use.

Have you tried curl? It seems sometimes the netstat result wasn’t reliable.

Sorry, I tried to provide all the necessary information and forgot this one :confused:

So traefik.yml

accessLog: {}
  
log:
  level: DEBUG # DEBUG / INFO

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          scheme: https
  websecure:
    address: ":443"
    
providers:
  file:
    filename: /etc/traefik/dynamic_conf.yml
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

certificatesResolvers:
  acmeresolver:
    acme:
      email: "my@email.com"
      storage: "/shared/acme.json"
      httpChallenge:
        entryPoint: web

# API and dashboard configuration
api:
  insecure: false
  dashboard: false

dynamic_conf.yml

http:
  middlewares:
    # Redirect non-www URLs to their www equivalent
    # Use with traefik.http.routers.myRouter.middlewares: "redirect-non-www-to-www@file"
    redirect-non-www-to-www:
      # Redirect a request from an url to another with regex matching and replacement
      redirectregex:
        # Apply a permanent redirection (HTTP 301)
        permanent: true
        # The regular expression to match and capture elements from the request URL
        regex: "^https?://(?:www\\.)?(.+)"
        # How to modify the URL to have the new target URL
        replacement: "https://www.${1}"

    # Redirect www URLs to their non-www equivalent
    # Use with traefik.http.routers.myRouter.middlewares: "redirect-www-to-non-www@file"
    redirect-www-to-non-www:
      # Redirect a request from an url to another with regex matching and replacement
      redirectregex:
        # Apply a permanent redirection (HTTP 301)
        permanent: true
        # The regular expression to match and capture elements from the request URL
        regex: "^https?://www\\.(.+)"
        # How to modify the URL to have the new target URL
        replacement: "https://${1}"

    obfuscate-server-header:
      headers:
        customResponseHeaders:
          server: Apache

and finally the labels:

    labels:
      - traefik.enable=true
      - traefik.http.routers.rss.rule=Host(`rss.example.org`)
      - traefik.http.routers.rss.tls=true
      - traefik.http.routers.rss.tls.certresolver=acmeresolver
      - traefik.http.routers.rss.middlewares=obfuscate-server-header@file,redirect-www-to-non-www@file

I tried removing the middlewares altogether, but the result is the same. I believe that the problem is really with tcp6, as:

curl 193.122.15.111:80
curl: (7) Failed to connect to 193.122.15.111 port 80 after 34 ms: Couldn't connect to server

On the other hand, if I try:

curl 193.122.15.111:8080

I get a proper result. The firewall shouldn't be an issue: I can run the service which is now on 8080 (and which I'm trying to proxy) on port 80 and it works :confused:

Works for me.

On a non-Oracle ARM server with latest Ubuntu:

apt update && apt -y upgrade
apt install -y sudo htop git fail2ban curl wget

curl -fsSL https://get.docker.com | sh -

adduser test
sudo usermod -aG sudo test
su - test

sudo docker run -d -p 80:80 -p 8080:8080 --name traefik traefik:v3.1 --api.insecure=true --entrypoints.web.address=:80 --accesslog=true

$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      9880/docker-proxy
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      596/systemd-resolve
tcp        0      0 127.0.0.54:53           0.0.0.0:*               LISTEN      596/systemd-resolve
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      9901/docker-proxy
tcp6       0      0 :::22                   :::*                    LISTEN      1/init
tcp6       0      0 :::80                   :::*                    LISTEN      9895/docker-proxy
tcp6       0      0 :::8080                 :::*                    LISTEN      9908/docker-proxy
udp        0      0 127.0.0.54:53           0.0.0.0:*                           596/systemd-resolve
udp        0      0 127.0.0.53:53           0.0.0.0:*                           596/systemd-resolve
udp        0      0 1.2.3.4:68              0.0.0.0:*                           751/systemd-network

Update: Never mind, does not work with --network host:

$ sudo docker run -d --network host --name traefik traefik:v3.1 --api.insecure=true --entrypoints.web.address=:80 --accesslog=true

$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      596/systemd-resolve
tcp        0      0 127.0.0.54:53           0.0.0.0:*               LISTEN      596/systemd-resolve
tcp6       0      0 :::22                   :::*                    LISTEN      1/init
tcp6       0      0 :::80                   :::*                    LISTEN      10366/traefik
tcp6       0      0 :::8080                 :::*                    LISTEN      10366/traefik
udp        0      0 127.0.0.54:53           0.0.0.0:*                           596/systemd-resolve
udp        0      0 127.0.0.53:53           0.0.0.0:*                           596/systemd-resolve
udp        0      0 1.2.3.4:68              0.0.0.0:*                           751/systemd-network

That's probably a case for forums.docker.com.


Update 2: It does work. netstat does not show the port to be listened to, but curl still works with both IPv4 and IPv6; I see both requests appearing in the Traefik log.

$ sudo docker logs -f traefik
$ curl http://1.2.3.4
$ curl http://[1234:1234:1234:1234::1]
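
The result in Update 2 is consistent with a dual-stack listener: on Linux, one AF_INET6 socket bound to `::` with IPV6_V6ONLY off also accepts IPv4, yet is listed only as tcp6. The following is an added example, not part of the original thread or of Traefik's code; it assumes a Linux host with IPv6 enabled, and all function names are hypothetical.

```python
import socket

LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp and /proc/net/tcp6

def listen_v6(v6only):
    """Listen on [::] (ephemeral port) with IPV6_V6ONLY set as requested."""
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
    s.bind(("::", 0))
    s.listen(1)
    s.settimeout(2)  # keep accept() from blocking forever
    return s

def ipv4_peer(listener):
    """Connect over IPv4 loopback; return the peer address the listener
    sees, or None if the IPv4 connection is refused."""
    port = listener.getsockname()[1]
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=2):
            conn, peer = listener.accept()
            conn.close()
            return peer[0]
    except OSError:
        return None

def listening_ports(proc_file):
    """Ports in LISTEN state in one of the kernel tables netstat reads."""
    ports = set()
    with open(proc_file) as f:
        next(f)  # skip the header row
        for line in f:
            fields = line.split()
            if fields[3] == LISTEN:
                # local address is HEXADDR:HEXPORT
                ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

if __name__ == "__main__":
    for v6only in (False, True):
        with listen_v6(v6only) as s:
            port = s.getsockname()[1]
            print(f"IPV6_V6ONLY={int(v6only)} port={port}",
                  "tcp row:", port in listening_ports("/proc/net/tcp"),
                  "tcp6 row:", port in listening_ports("/proc/net/tcp6"),
                  "IPv4 peer:", ipv4_peer(s))
```

When auditing exposed ports, treat a wildcard `:::PORT` row as reachable over IPv4 unless the socket is known to be IPv6-only; IPv4 firewall rules still apply to it.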

Mmm, OK, it means that's probably some local issue; I can't see the request.

I'm planning to run multiple stacks / multiple applications on the VM; for that reason I need to run it in a "host" network so it can proxy the other apps. Or maybe I'm missing something?

Only Traefik needs open ports, all other services/containers can just be attached to Docker networks. See simple Traefik example.