Develop Reference

freeipa-server container won't start in docker compose

Host OS is Ubuntu 19.10. I've been successful in starting the FreeIPA container using docker run, but I'd like to get it working in compose. When I run docker-compose up, freeipa crashes with the following error:
IPv6 stack is enabled in the kernel but there is no interface that has
::1 address assigned. Add ::1 address resolution to 'lo' interface.
You might need to enable IPv6 on the interface 'lo' in sysctl.conf.
My current config:
freeipa:
image: freeipa/freeipa-server
command:
[
"--realm=${ROOT_DOMAIN}",
"--ds-password=${LDAP_USER_PASSWORD}",
"--admin-password=${LDAP_ADMIN_PASSWORD}",
"-U",
]
hostname: ${FREEIPA_DOMAIN}
container_name: freeipa
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.freeipa.rule=Host(`${FREEIPA_DOMAIN:?Domain for Freeipa must be set!}`)"
- "traefik.http.routers.freeipa.entrypoints=secure"
- "traefik.http.routers.freeipa.tls.certresolver=le"
networks:
- proxy
volumes:
- ${SERVICES_ROOT}/${FREEIPA_ROOT:-freeipa}/db:/data
- ${SERVICES_ROOT}/${FREEIPA_ROOT:-freeipa}/logs:/var/logs
- /sys/fs/cgroup:/sys/fs/cgroup:ro
tmpfs:
- /run
- /var/cache
- /tmp
Link to the full (very large) compose file here
I've enabled ipv6 in Docker and reloaded the daemon:
cat /etc/docker/daemon.json
{
"ipv6": true,
"fixed-cidr-v6": "2001:db8:1::/64"
}
Following this blog post, I checked the interface configuration within a container:
$: docker run -itd ajeetraina/ubuntu-iproute bash
f549ae3efe887fe45a1594c87516b948cebbbb6916a6550d738e3271200bd9b7
$: docker exec -it f549 ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:ac:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
inet6 addr: fe80::42:acff:fe11:2/64 Scope:Link
inet6 addr: 2001:db8:1::242:ac11:2/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:21 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3722 (3.7 KB) TX bytes:726 (726.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
It seems like there shouldn't be an issue with the loopback device from what I'm seeing here.

I have found the answer in an unrelated Github issue. Adding
sysctls:
- net.ipv6.conf.all.disable_ipv6=0
to the service definition fixes the problem. I hope this helps someone!

Way to assign Linux container to the same LAN as host? [duplicate]

This question already has an answer here:
DOCKER: Linux Container on Windows 10, how to use nmap to scan device's mac address
(1 answer)
Closed 2 years ago.
My goal is to make my Linux container live on the same lan as host and other devices.
Because I need to use nmap frequently to scan the devices mac address on the lan. Unfortunately, the nmap scanning is only working when these machines all live on the same subnet.
I've tried several ways to make it happen, but all failed.
Although there are lots of instructions about how to do this, seem like they are all for Docker for Linux.
For example, a very detailed instructions from stackoverflow:
Docker on CentOS with bridge to LAN network is also not working for me.
Things I've tried:
Macvlan:
it seems like Docker for Windows 10 doesn't support macvlan due to I have no way to make Windows network adapter as parent..
Pipework:
which is only working on Linux system but I am using Windows 10..
Modify bip from daemon.json:
I tried, which will set docker0 to static IP then container is still not able to ping devices on the LAN. I guess it's because the container is placed at NAT and change docker0 bridge ip won't be able to achieve my goal.
Run image with --net host:
which ifconfig shows:
docker0 Link encap:Ethernet HWaddr 02:42:2d:b8:0b:7c
inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0
inet6 addr: fe80::42:2dff:feb8:b7c/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:540 (540.0 B)
eth0 Link encap:Ethernet HWaddr 02:50:00:00:00:01
inet addr:192.168.65.3 Bcast:192.168.65.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:111 errors:0 dropped:0 overruns:0 frame:0
TX packets:147 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9701 (9.7 KB) TX bytes:10384 (10.3 KB)
hvint0 Link encap:Ethernet HWaddr 00:15:5d:0d:52:27
inet addr:10.0.75.2 Bcast:0.0.0.0 Mask:255.255.255.0
inet6 addr: fe80::215:5dff:fe0d:5227/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:359819 errors:0 dropped:1303 overruns:0 frame:0
TX packets:1157 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:54740692 (54.7 MB) TX bytes:103676 (103.6 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:57 errors:0 dropped:0 overruns:0 frame:0
TX packets:57 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:5732 (5.7 KB) TX bytes:5732 (5.7 KB)
It's able to ping everything on my subnet, but the IP is still not from my subnet but 192.168.65.3.
Then I was trying to change the eth0 ip to static IP by editing /etc/network/interface.d/eth0, after restart networking service, the eth0 ip is changed to static ip from my subnet, but the network is not working anymore.
PLEASE, if anyone here knows how to place Windows 10's Linux Container on the LAN as same as host's.
My Docker Version
Client:
Version: 18.03.1-ce
API version: 1.37
Go version: go1.9.5
Git commit: 9ee9f40
Built: Thu Apr 26 07:12:48 2018
OS/Arch: windows/amd64
Experimental: false
Orchestrator: swarm
Server:
Engine:
Version: 18.03.1-ce
API version: 1.37 (minimum version 1.12)
Go version: go1.9.5
Git commit: 9ee9f40
Built: Thu Apr 26 07:22:38 2018
OS/Arch: linux/amd64
Experimental: false

I'm still working on this, but your assertion that macvlan doesn't work on Windows 10 is incorrect. Using some of the instructions in the question you linked, I got a fairly functional macvlan network set up on Windows 10. I'm still wrestling with getting hosts on my network to be able to ping hosts on the macvlan network.
Here's what I did:
In an admin powershell window: Set-NetIPInterface -ifindex <interface_index> -Forwarding Enabled setting (use Get-NetAdapter to get list of network adapters and their ifindex numbers)
docker network create routed0 --subnet 192.168.2.0/24 replacing 192.168.2.0/24 with the correct network number and netmask bits for the network you want to assign to the routed0 network
For me, this yielded a docker network via which attached containers could successfully talk with internet hosts via the router for 192.168.1.0/24. However, I have yet to figure out how to configure the windows 10 box acting as the gateway for 192.168.2.0/24 to actually act as a gateway (and do things like route ICMP requests from hosts on 1.0/24 to the docker network 2.0/24 that it's hosting).

I had posted another question which is the same root cause of this question. Therefore, they could apply to the same solution.
The solution is post on
DOCKER: Linux Container on Windows 10, how to use nmap to scan device's mac address

Docker container can't reach or ping WAN using macvlan network driver

I'm trying to configure a Docker network using the macvlan driver, but my containers can't reach the gateway or the WAN.
The network is set up like so:
docker network create -d macvlan --subnet=10.1.1.0/24 --ip-range=10.1.1.160/28 --gateway=10.1.1.1 -o parent=ens160 pub_net
The host OS is Ubuntu 16.04, which itself is a VM running on ESXi (lots of layers, I know). The ens160 interface is connected to an ESXi vSwitch ("LAN"). The gateway (10.1.1.1) is a pfSense VM on the same machine, and connected to the same "LAN" vSwitch. The pfSense VM is also connected to a "WAN" vSwitch which physically connects to the upstream network. The Ubuntu host OS has an IP and full WAN connectivity, but the Docker container does not.
Some details about the Ubuntu host:
host$ ifconfig
docker0 Link encap:Ethernet HWaddr aa:bb:cc:00:e2:77
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ens160 Link encap:Ethernet HWaddr aa:bb:cc:9b:be:f2
inet addr:10.1.1.22 Bcast:10.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::c7b7:d64c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:64642 errors:0 dropped:0 overruns:0 frame:0
TX packets:1881 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:19190911 (19.1 MB) TX bytes:169266 (169.2 KB)
ens192 Link encap:Ethernet HWaddr aa:bb:cc:9b:be:fc
inet addr:10.2.2.22 Bcast:10.2.2.255 Mask:255.255.255.0
inet6 addr: fe80::bb15:267d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:294 errors:0 dropped:10 overruns:0 frame:0
TX packets:515 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:57996 (57.9 KB) TX bytes:63258 (63.2 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:2637 errors:0 dropped:0 overruns:0 frame:0
TX packets:2637 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:204727 (204.7 KB) TX bytes:204727 (204.7 KB)
host$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.2.2.1 0.0.0.0 UG 100 0 0 ens192
0.0.0.0 10.1.1.1 0.0.0.0 UG 101 0 0 ens160
10.1.1.0 0.0.0.0 255.255.255.0 U 100 0 0 ens160
10.2.2.0 0.0.0.0 255.255.255.0 U 100 0 0 ens192
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 ens192
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
Switching to the Docker container, and details there:
host$ sudo docker run --net=pub_net -it alpine /bin/sh
container$ ifconfig
eth0 Link encap:Ethernet HWaddr AA:BB:CC:01:01:A0
inet addr:10.1.1.160 Bcast:0.0.0.0 Mask:255.255.255.0
inet6 addr: fe80::42:1a0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1789 (1.7 KiB) TX bytes:634 (634.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:224 (224.0 B) TX bytes:224 (224.0 B)
container$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 eth0
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
As mentioned, if I ping 10.1.1.1 (or any other external IP) from within the container I get no response. If I ping another Docker container on the same host I do get a response.
What do I need to change so that the container can reach the WAN?

You need to turn on promiscuous mode and allow forged transmits for your LAN vSwitch. This is because macvlan mode requires the guest to be listening for the falsified MAC addresses as well as be able to falsify MAC addresses.
VMware Knowledge Base article on promiscuous mode
VMware documentation on forged transmits

MirageOS and Xen - Virtual interface unable to acquire IP address

I've compiled and built a MirageOS unikernel for XEN following this guide https://github.com/mirage/mirage-www/blob/master/tmpl/wiki/hello-world.md (mostly last part, Step 4, stackv4) but after I launch it I'm not able to pass the DHCP discovery phase, as shown in the following log:
Parsing config from stackv4.xl
Xen Minimal OS!
Initialising console ... done.
getenv(OCAMLRUNPARAM) -> null
getenv(CAMLRUNPARAM) -> null
getenv(PATH) -> null
Unsupported function lseek called in Mini-OS kernel
Unsupported function lseek called in Mini-OS kernel
Unsupported function lseek called in Mini-OS kernel
getenv(OCAMLRUNPARAM) -> null
getenv(CAMLRUNPARAM) -> null
getenv(TMPDIR) -> null
getenv(TEMP) -> null
Netif: add resume hook
Netif.connect 0
Netfront.create: id=0 domid=0
sg:true gso_tcpv4:true rx_copy:true rx_flip:false smart_poll:false
MAC: 00:16:3e:7e:c0:0d
Attempt to open(/dev/urandom)!
Unsupported function getpid called in Mini-OS kernel
Unsupported function getppid called in Mini-OS kernel
Manager: connect
Manager: configuring
DHCP: start discovery
Sending DHCP broadcast (length 552)
DHCP: start discovery
Sending DHCP broadcast (length 552)
DHCP: start discovery
Sending DHCP broadcast (length 552)
DHCP: start discovery
....
My MirageOS unikernel configuration:
name = 'stackv4'
kernel = '/home/mirage/mirage-skeleton/stackv4/mir-stackv4.xen'
builder = 'linux'
memory = 256
on_crash = 'preserve'
disk = [ ]
# if your system uses openvswitch then either edit /etc/xen/xl.conf and set
# vif.default.script="vif-openvswitch"
# or add "script=vif-openvswitch," before the "bridge=" below:
vif = [ 'bridge=xenbr0' ]
My network configuration:
eth0 Link encap:Ethernet HWaddr 02:01:06:02:83:c0
inet6 addr: fe80::1:6ff:fe02:83c0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:110876 errors:0 dropped:0 overruns:0 frame:0
TX packets:14602 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9736700 (9.7 MB) TX bytes:1999992 (1.9 MB)
Interrupt:117
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:384394 errors:0 dropped:0 overruns:0 frame:0
TX packets:384394 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:26761500 (26.7 MB) TX bytes:26761500 (26.7 MB)
vif16.0 Link encap:Ethernet HWaddr fe:ff:ff:ff:ff:ff
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:58 errors:0 dropped:0 overruns:0 frame:0
TX packets:11289 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:33640 (33.6 KB) TX bytes:778590 (778.5 KB)
xenbr0 Link encap:Ethernet HWaddr 02:01:06:02:83:c0
inet addr:131.159.24.167 Bcast:131.159.25.255 Mask:255.255.254.0
inet6 addr: fe80::1:6ff:fe02:83c0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:110689 errors:0 dropped:0 overruns:0 frame:0
TX packets:11987 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8328727 (8.3 MB) TX bytes:1703101 (1.7 MB)
My bridge configuration:
bridge name bridge id STP enabled interfaces
xenbr0 8000.0201060283c0 no eth0
vif16.0
My /etc/network/interface:
auto lo
iface lo inet loopback
auto eth0
#iface eth0 inet dhcp
# up ip link set eth0 up
iface eth0 inet manual
auto xenbr0
iface xenbr0 inet dhcp
bridge_ports eth0
I'm trying to understand what is the problem but everything appears to be correct (according to this other guide http://wiki.xen.org/wiki/Network_Configuration_Examples_(Xen_4.1%2B)#Example_Debian-style_bridge_configuration_.28e.g._Debian.2C_Ubuntu.29).

Some suggestions:
Check you're actually running a DHCP server.
Run tcpdump or wireshark on the bridge machine (probably dom0) and see what traffic there is. Do you see the DHCP request?
Try configuring a static IP address and see if that works.
Try running a Linux guest and see if DHCP works there (and compare packet captures for that).

How to access ipv6 host from docker container?

On my host machine the ipv6 is working:
bessarabov#5:~$ curl --silent --verbose ipv6.google.com 2>&1 | head
* Rebuilt URL to: ipv6.google.com/
* Trying 2a00:1450:4010:c04::71...
* Connected to ipv6.google.com (2a00:1450:4010:c04::71) port 80 (#0)
> GET / HTTP/1.1
> Host: ipv6.google.com
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 01 Feb 2016 08:44:04 GMT
But inside docker there is no ipv6:
$ docker run --rm -it ubuntu:14.04.3 bash
root#54c52afa87ee:/# ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:ac:11:00:02
inet addr:172.17.0.2 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:acff:fe11:2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:648 (648.0 B) TX bytes:648 (648.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
root#54c52afa87ee:/# apt-get install -y curl
...
root#54c52afa87ee:/# curl --silent --verbose ipv6.google.com 2>&1 | head
* Rebuilt URL to: ipv6.google.com/
* Hostname was NOT found in DNS cache
* Trying 2a00:1450:4010:c04::71...
* Immediate connect fail for 2a00:1450:4010:c04::71: Network is unreachable
* Closing connection 0
root#54c52afa87ee:/#
What should I do to be able to access ipv6 host from docker container?
I'm using docker on my mac. I've installed it with docker-toolbox.
bessarabov#5:~$ docker version
Client:
Version: 1.9.1
API version: 1.21
Go version: go1.4.3
Git commit: a34a1d5
Built: Fri Nov 20 17:56:04 UTC 2015
OS/Arch: darwin/amd64
Server:
Version: 1.9.1
API version: 1.21
Go version: go1.4.3
Git commit: a34a1d5
Built: Fri Nov 20 17:56:04 UTC 2015
OS/Arch: linux/amd64
bessarabov#5:~$ docker-machine ls
NAME ACTIVE URL STATE URL SWARM DOCKER ERRORS
default * virtualbox Running tcp://192.168.99.100:2376 v1.9.1
bessarabov#5:~$

from the doc
https://docs.docker.com/engine/userguide/networking/default_network/ipv6/
I see
By default, the Docker server configures the container network for IPv4 only. You can enable IPv4/IPv6 dualstack support by running the Docker daemon with the --ipv6 flag.
Do you start the docker daemon with IPv6 ?