Host OS is Ubuntu 19.10. I've been successful in starting the FreeIPA container using docker run, but I'd like to get it working in compose. When I run docker-compose up, freeipa crashes with the following error:
IPv6 stack is enabled in the kernel but there is no interface that has
::1 address assigned. Add ::1 address resolution to 'lo' interface.
You might need to enable IPv6 on the interface 'lo' in sysctl.conf.
My current config:
freeipa:
image: freeipa/freeipa-server
command:
[
"--realm=${ROOT_DOMAIN}",
"--ds-password=${LDAP_USER_PASSWORD}",
"--admin-password=${LDAP_ADMIN_PASSWORD}",
"-U",
]
hostname: ${FREEIPA_DOMAIN}
container_name: freeipa
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.freeipa.rule=Host(`${FREEIPA_DOMAIN:?Domain for Freeipa must be set!}`)"
- "traefik.http.routers.freeipa.entrypoints=secure"
- "traefik.http.routers.freeipa.tls.certresolver=le"
networks:
- proxy
volumes:
- ${SERVICES_ROOT}/${FREEIPA_ROOT:-freeipa}/db:/data
- ${SERVICES_ROOT}/${FREEIPA_ROOT:-freeipa}/logs:/var/logs
- /sys/fs/cgroup:/sys/fs/cgroup:ro
tmpfs:
- /run
- /var/cache
- /tmp
Link to the full (very large) compose file here
I've enabled ipv6 in Docker and reloaded the daemon:
cat /etc/docker/daemon.json
{
"ipv6": true,
"fixed-cidr-v6": "2001:db8:1::/64"
}
Following this blog post, I checked the interface configuration within a container:
$: docker run -itd ajeetraina/ubuntu-iproute bash
f549ae3efe887fe45a1594c87516b948cebbbb6916a6550d738e3271200bd9b7
$: docker exec -it f549 ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:ac:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
inet6 addr: fe80::42:acff:fe11:2/64 Scope:Link
inet6 addr: 2001:db8:1::242:ac11:2/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:21 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3722 (3.7 KB) TX bytes:726 (726.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
It seems like there shouldn't be an issue with the loopback device from what I'm seeing here.
I have found the answer in an unrelated Github issue. Adding
sysctls:
- net.ipv6.conf.all.disable_ipv6=0
to the service definition fixes the problem. I hope this helps someone!
Related
I try to run a NTP server/client. The application for which I am using NTP is running in a docker.
I am little bit confused, because:
1. I don't know if I have to configure the /etc/ntp.conf file inside the docker or outside on my machine.
2. Which IP address I have to use. If I use ifconfig I get the output below. I dont know if I have to use the IP of the docker or the one of wlp4s0. Also, if I check my IP via https://whatismyipaddress.com/de/meine-ip , I get a totally different IP address which I don't see if I run ifconfig. I don't know If its important, but I am using the WLAN of my company.
docker0 Link encap:Ethernet HWaddr 02:42:5e:fd:b4:0d
inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0
inet6 addr: fe80::42:5eff:fefd:b40d/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:1713 (1.7 KB)
enp6s0 Link encap:Ethernet HWaddr 4c:cc:6a:de:50:f6
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:19
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:4092 errors:0 dropped:0 overruns:0 frame:0
TX packets:4092 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:689519 (689.5 KB) TX bytes:689519 (689.5 KB)
wlp4s0 Link encap:Ethernet HWaddr 9c:b6:d0:1b:90:8b
inet addr:10.39.158.200 Bcast:10.39.159.255 Mask:255.255.252.0
inet6 addr: fe80::dc16:b5ad:2f01:d58a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7821858 errors:0 dropped:0 overruns:0 frame:0
TX packets:1046710 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10548810679 (10.5 GB) TX bytes:96754356 (96.7 MB)
Thank you!
You should set-up your NTP server on the underlying host not inside a container.
When considering your ntp.conf you should ensure you have a minimum of 3 upstream servers, and ideally 5 to ensure robust timing. Ideally you should find some low stratum low round trip time servers to use as your upstream providers.
It seems people have reported issues with containers using the wrong time-zone;
If you use an Alpine image then you need to install tzdata before hand then set the following inside your docker file;
ENV TZ=Europe/London
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
If your using something else other than Alpine then you can still use that same command in your docker file to ensure the correct time zone is set.
A list of valid time-zones can be found here.
As for IP addressing;
wlp4s0 looks like your physical Ethernet interface for the underlying host - if that is the case then that's the address you should use provided all your containers will run on that host, and they themselves can reach that IP address. The reason you see a different IP address when you check on-line is because everything in the output you provided only showed private IP addresses, not public ones. It looks like your public IP is being provided via NAT or similar from your hosting provider/network provider.
I'm trying to configure a Docker network using the macvlan driver, but my containers can't reach the gateway or the WAN.
The network is set up like so:
docker network create -d macvlan --subnet=10.1.1.0/24 --ip-range=10.1.1.160/28 --gateway=10.1.1.1 -o parent=ens160 pub_net
The host OS is Ubuntu 16.04, which itself is a VM running on ESXi (lots of layers, I know). The ens160 interface is connected to an ESXi vSwitch ("LAN"). The gateway (10.1.1.1) is a pfSense VM on the same machine, and connected to the same "LAN" vSwitch. The pfSense VM is also connected to a "WAN" vSwitch which physically connects to the upstream network. The Ubuntu host OS has an IP and full WAN connectivity, but the Docker container does not.
Some details about the Ubuntu host:
host$ ifconfig
docker0 Link encap:Ethernet HWaddr aa:bb:cc:00:e2:77
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ens160 Link encap:Ethernet HWaddr aa:bb:cc:9b:be:f2
inet addr:10.1.1.22 Bcast:10.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::c7b7:d64c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:64642 errors:0 dropped:0 overruns:0 frame:0
TX packets:1881 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:19190911 (19.1 MB) TX bytes:169266 (169.2 KB)
ens192 Link encap:Ethernet HWaddr aa:bb:cc:9b:be:fc
inet addr:10.2.2.22 Bcast:10.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::bb15:267d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:294 errors:0 dropped:10 overruns:0 frame:0
TX packets:515 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:57996 (57.9 KB) TX bytes:63258 (63.2 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:2637 errors:0 dropped:0 overruns:0 frame:0
TX packets:2637 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:204727 (204.7 KB) TX bytes:204727 (204.7 KB)
host$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.2.2.1 0.0.0.0 UG 100 0 0 ens192
0.0.0.0 10.1.1.1 0.0.0.0 UG 101 0 0 ens160
10.1.1.0 0.0.0.0 255.255.255.0 U 100 0 0 ens160
10.2.2.0 0.0.0.0 255.255.255.0 U 100 0 0 ens192
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 ens192
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
Switching to the Docker container, and details there:
host$ sudo docker run --net=pub_net -it alpine /bin/sh
container$ ifconfig
eth0 Link encap:Ethernet HWaddr AA:BB:CC:01:01:A0
inet addr:10.1.1.160 Bcast:0.0.0.0 Mask:255.255.255.0
inet6 addr: fe80::42:1a0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1789 (1.7 KiB) TX bytes:634 (634.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:224 (224.0 B) TX bytes:224 (224.0 B)
container$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 eth0
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
As mentioned, if I ping 10.1.1.1 (or any other external IP) from within the container I get no response. If I ping another Docker container on the same host I do get a response.
What do I need to change so that the container can reach the WAN?
You need to turn on promiscuous mode and allow forged transmits for your LAN vSwitch. This is because macvlan mode requires the guest to be listening for the falsified MAC addresses as well as be able to falsify MAC addresses.
VMware Knowledge Base article on promiscuous mode
VMware documentation on forged transmits
I've setup a CoreOs host with a public routable /64 ipv6 Subnet.
From within the host i have a global ipv6 address which is working fine but i can't get access to ipv6 hosts from within any docker container.
These are my current settings to my docker deamon:
DOCKER_OPTS=--dns 8.8.8.8 --dns 8.8.4.4 --ipv6 --fixed-cidr-v6='2a03:4000:6:e0d0::/64'
Adding --ip-forward=false or the google ipv6 DNS servers doesn't help either
Only if I add --net=host it works so I think I'm missing a fundamental network configuration part.
ifconfig from within an ubuntu:latest docker container shows this:
eth0 Link encap:Ethernet HWaddr 02:42:ac:11:00:02
inet addr:172.17.0.2 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:acff:fe11:2/64 Scope:Link
inet6 addr: 2a03:4000:6:e0d0:0:242:ac11:2/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:19 errors:0 dropped:4 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1565 (1.5 KB) TX bytes:676 (676.0 B)
What special configuration do i need to do to get this working?
Here is how I run my docker container -
docker run --name docker-test-server -p 5000:5000 -p 4444:4444
Container OS - Ubuntu 14.04 LTS
Now since I have mapped 4444 of container to that of machine, I try to connect -
root#localhost:/var/repo# nc -vz 127.0.0.1 4444
Connection to 127.0.0.1 4444 port [tcp/*] succeeded!
Now I enter the shell -
docker exec -it docker-test-server /bin/bash
Successfully entering, I try to get the IP address of the machine.
root#ec919687cda8:/# ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:ac:11:00:09
inet addr:172.17.0.9 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:acff:fe11:9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2227 errors:0 dropped:0 overruns:0 frame:0
TX packets:2199 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:166686 (166.6 KB) TX bytes:121473 (121.4 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Now I come out of the container, and try to connect to the container from the machine where the container is running by providing the IP address of container found in ifconfig -
nc -vz 172.17.0.9 4444
nc: connect to 172.17.0.9 port 4444 (tcp) failed: Connection refused
Could someone, please explain me
why am I unable to connect to the machine?
What can I do to connect to the machine?
I am running a bare container that just installs ubuntu 14.04 and exposes 2 ports. Nothing fancy.
Thanks.
You need to either disable the firewall or add port to your ubuntu firewall by using sudo ufw disable or sudo ufw
I was also facing the same issue but instead of connection refused, I got timeout.
I've compiled and built a MirageOS unikernel for XEN following this guide https://github.com/mirage/mirage-www/blob/master/tmpl/wiki/hello-world.md (mostly last part, Step 4, stackv4) but after I launch it I'm not able to pass the DHCP discovery phase, as shown in the following log:
Parsing config from stackv4.xl
Xen Minimal OS!
Initialising console ... done.
getenv(OCAMLRUNPARAM) -> null
getenv(CAMLRUNPARAM) -> null
getenv(PATH) -> null
Unsupported function lseek called in Mini-OS kernel
Unsupported function lseek called in Mini-OS kernel
Unsupported function lseek called in Mini-OS kernel
getenv(OCAMLRUNPARAM) -> null
getenv(CAMLRUNPARAM) -> null
getenv(TMPDIR) -> null
getenv(TEMP) -> null
Netif: add resume hook
Netif.connect 0
Netfront.create: id=0 domid=0
sg:true gso_tcpv4:true rx_copy:true rx_flip:false smart_poll:false
MAC: 00:16:3e:7e:c0:0d
Attempt to open(/dev/urandom)!
Unsupported function getpid called in Mini-OS kernel
Unsupported function getppid called in Mini-OS kernel
Manager: connect
Manager: configuring
DHCP: start discovery
Sending DHCP broadcast (length 552)
DHCP: start discovery
Sending DHCP broadcast (length 552)
DHCP: start discovery
Sending DHCP broadcast (length 552)
DHCP: start discovery
....
My MirageOS unikernel configuration:
name = 'stackv4'
kernel = '/home/mirage/mirage-skeleton/stackv4/mir-stackv4.xen'
builder = 'linux'
memory = 256
on_crash = 'preserve'
disk = [ ]
# if your system uses openvswitch then either edit /etc/xen/xl.conf and set
# vif.default.script="vif-openvswitch"
# or add "script=vif-openvswitch," before the "bridge=" below:
vif = [ 'bridge=xenbr0' ]
My network configuration:
eth0 Link encap:Ethernet HWaddr 02:01:06:02:83:c0
inet6 addr: fe80::1:6ff:fe02:83c0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:110876 errors:0 dropped:0 overruns:0 frame:0
TX packets:14602 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9736700 (9.7 MB) TX bytes:1999992 (1.9 MB)
Interrupt:117
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:384394 errors:0 dropped:0 overruns:0 frame:0
TX packets:384394 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:26761500 (26.7 MB) TX bytes:26761500 (26.7 MB)
vif16.0 Link encap:Ethernet HWaddr fe:ff:ff:ff:ff:ff
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:58 errors:0 dropped:0 overruns:0 frame:0
TX packets:11289 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:33640 (33.6 KB) TX bytes:778590 (778.5 KB)
xenbr0 Link encap:Ethernet HWaddr 02:01:06:02:83:c0
inet addr:131.159.24.167 Bcast:131.159.25.255 Mask:255.255.254.0
inet6 addr: fe80::1:6ff:fe02:83c0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:110689 errors:0 dropped:0 overruns:0 frame:0
TX packets:11987 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8328727 (8.3 MB) TX bytes:1703101 (1.7 MB)
My bridge configuration:
bridge name bridge id STP enabled interfaces
xenbr0 8000.0201060283c0 no eth0
vif16.0
My /etc/network/interface:
auto lo
iface lo inet loopback
auto eth0
#iface eth0 inet dhcp
# up ip link set eth0 up
iface eth0 inet manual
auto xenbr0
iface xenbr0 inet dhcp
bridge_ports eth0
I'm trying to understand what is the problem but everything appears to be correct (according to this other guide http://wiki.xen.org/wiki/Network_Configuration_Examples_(Xen_4.1%2B)#Example_Debian-style_bridge_configuration_.28e.g._Debian.2C_Ubuntu.29).
Some suggestions:
Check you're actually running a DHCP server.
Run tcpdump or wireshark on the bridge machine (probably dom0) and see what traffic there is. Do you see the DHCP request?
Try configuring a static IP address and see if that works.
Try running a Linux guest and see if DHCP works there (and compare packet captures for that).