IPv6 connectivity suddenly disappears.

In the environment specified below, IPv4 purrs like a cat, but IPv6 disappears after a while. That is, even the host cannot reach the container over IPv6 through the Docker network. Am I missing something?

Edit #1

I replaced 64:ff9b:: with a global one, but the problem persists. The host loses IPv6 (but not IPv4) connectivity to the directly attached Docker container: first "No route to host", then timeouts.

playbook.yml

---
- hosts: all
  become: yes
  become_method: sudo
  tasks:
  - import_tasks: tasks/firewall.yml
  - import_tasks: tasks/router.yml
  - import_tasks: tasks/docker.yml
  - name: /usr/local/docker-services
    file:
      path: /usr/local/docker-services
      owner: root
      group: root
      mode: '0700'
      state: directory
  - name: nginx-site.conf
    copy:
      dest: /usr/local/docker-services/nginx-site.conf
      owner: root
      group: root
      mode: '0666'
      src: files/nginx-site.conf
  - name: docker-compose.yml
    copy:
      dest: /usr/local/docker-services/docker-compose.yml
      owner: root
      group: root
      mode: '0666'
      content: |
        version: '2.4'
        networks:
          ext-nginx:
            internal: true
            enable_ipv6: true
            driver_opts:
              com.docker.network.bridge.name: docker1
            ipam:
              config:
              - subnet: 192.168.234.0/30
                gateway: 192.168.234.1
              - subnet: 64:ff9b::192.168.234.0/126
                gateway: 64:ff9b::192.168.234.1
        services:
          nginx:
            container_name: nginx
            image: nginx
            restart: always
            logging:
              options:
                labels: container
            labels:
              container: nginx
            networks:
              ext-nginx:
                ipv4_address: 192.168.234.2
                ipv6_address: 64:ff9b::192.168.234.2
                priority: 1
            volumes:
            - type: bind
              source: /usr/local/docker-services/nginx-site.conf
              target: /etc/nginx/conf.d/default.conf
              read_only: true
    register: docker_compose_yml
  - name: docker-compose.service
    copy:
      dest: /etc/systemd/system/docker-compose.service
      owner: root
      group: root
      mode: '0644'
      src: files/docker-compose.service
    register: docker_compose_service
  - name: systemctl daemon-reload
    when: docker_compose_service.changed
    systemd:
      daemon_reload: yes
  - name: systemctl stop docker-compose.service
    when: >-
      docker_compose_service.changed
      or docker_compose_yml.changed
    service:
      name: docker-compose
      state: stopped
  - name: systemctl start docker-compose.service
    service:
      name: docker-compose
      state: started
      enabled: yes

tasks/firewall.yml

---
- name: Firewall rules applicator
  apt:
    name: iptables-persistent
- name: Firewall rules file
  loop: [4, 6]
  copy:
    dest: '/etc/iptables/rules.v{{ item }}'
    owner: root
    group: root
    mode: '0644'
    src: 'files/firewall/rules.v{{ item }}'
  register: firewall_file
- name: Apply firewall rules
  when: 'firewall_file.results[0].changed or firewall_file.results[1].changed'
  service:
    name: netfilter-persistent
    state: restarted

tasks/router.yml

---
- name: net.ipv4.ip_forward
  sysctl:
    name: net.ipv4.ip_forward
    value: '1'
- name: net.ipv6.conf.all.forwarding
  sysctl:
    name: net.ipv6.conf.all.forwarding
    value: '1'

tasks/docker.yml

---
- name: apt-transport-https
  apt:
    name: apt-transport-https
- name: Docker apt key
  apt_key:
    url: https://download.docker.com/linux/debian/gpg
- name: Docker apt repo
  apt_repository:
    filename: docker
    repo: >
      deb https://download.docker.com/linux/debian
      {{ ansible_lsb.codename }} stable
- name: /etc/docker
  file:
    path: /etc/docker
    owner: root
    group: root
    mode: '0755'
    state: directory
- name: /etc/docker/daemon.json
  copy:
    dest: /etc/docker/daemon.json
    owner: root
    group: root
    mode: '0644'
    content: '{"iptables":false}'
- name: Docker
  apt:
    name: docker-ce
- name: Docker compose
  apt:
    name: docker-compose

files/firewall/rules.v4

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o docker1 -d 192.168.234.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i docker1 -o eth0 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 78.47.124.58 -p tcp -m tcp --dport 80 -j DNAT --to 192.168.234.2
-A POSTROUTING -o eth0 ! -s 78.47.124.58 -j MASQUERADE
COMMIT

files/firewall/rules.v6

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d ::1/128 ! -i lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o docker1 -d 64:ff9b::192.168.234.2 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i docker1 -o eth0 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 2a01:4f8:c0c:3bc1::/64 -p tcp -m tcp --dport 80 -j DNAT --to 64:ff9b::192.168.234.2
-A POSTROUTING -o eth0 ! -s 2a01:4f8:c0c:3bc1::/64 -j MASQUERADE
COMMIT

files/nginx-site.conf

server {
    listen       80;
    listen       [::]:80;
    server_name  localhost;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

files/docker-compose.service

[Unit]
Requires=docker.service

[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/usr/local/docker-services
ExecStart=/usr/bin/docker-compose up -d --force-recreate
ExecStop=/usr/bin/docker-compose down

[Install]
WantedBy=multi-user.target

Answer 1

I think your IPv6 firewall rules are blocking NDP (Neighbor Discovery Protocol) packets, which prevents the host from correctly resolving the container's link-layer address.

In the IPv4 stack, resolution of link-layer (Ethernet) addresses is handled by ARP (Address Resolution Protocol), which works with link-layer addresses as the packet destination. When a host issues an ARP request or an unsolicited ARP announcement, those packets are sent directly to the broadcast link-layer address (FF:FF:FF:FF:FF:FF on Ethernet), so they are not subject to iptables filtering.

In the IPv6 stack, link-layer address resolution is handled by NDP (Neighbor Discovery Protocol). Unlike ARP, NDP packets are actual ICMPv6 packets sent to IPv6 addresses, so they are subject to ip6tables filtering.

As I have seen from experience, and as the examples in the Arch Linux wiki article show, the conntrack module is not designed to track ICMPv6 NDP packets and mark the replies as ESTABLISHED or RELATED. My suggestion is to allow this traffic explicitly in the files/firewall/rules.v6 file.

(New rules)

-A INPUT -i docker1 -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m comment --comment router-solicitation -j ACCEPT
-A INPUT -i eth0 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m comment --comment router-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m comment --comment neighbor-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m comment --comment neighbor-advertisement -j ACCEPT

(Complete file)

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d ::1/128 ! -i lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i docker1 -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m comment --comment router-solicitation -j ACCEPT
-A INPUT -i eth0 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m comment --comment router-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m comment --comment neighbor-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m comment --comment neighbor-advertisement -j ACCEPT
-A FORWARD -o docker1 -d 64:ff9b::192.168.234.2 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i docker1 -o eth0 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 2a01:4f8:c0c:3bc1::/64 -p tcp -m tcp --dport 80 -j DNAT --to 64:ff9b::192.168.234.2
-A POSTROUTING -o eth0 ! -s 2a01:4f8:c0c:3bc1::/64 -j MASQUERADE
COMMIT
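
The answer's diagnosis can be checked offline against the ruleset before it is loaded by netfilter-persistent. What follows is an added example, not code from the question or the answer: a small Python model of ip6tables that parses a rules.v6 file in iptables-save format and walks the INPUT chain for an incoming Neighbor Solicitation (ICMPv6 type 135) and Neighbor Advertisement (type 136), the two messages the host needs in order to learn the container's link-layer address. The bridge name docker1 and the gateway address 64:ff9b::192.168.234.1 are taken from the compose file above. The probe packets are constructed with hop limit 255 (RFC 4861 requires this on every ND message) and with conntrack state UNTRACKED, because Linux conntrack does not track neighbour discovery at all, which is exactly why the ESTABLISHED,RELATED rule never matches it. The rule model is deliberately small: -i, -d, -p, --icmpv6-type, --hl-eq and --ctstate are interpreted, `!` negation is honoured for -i and -d, and any other match (-m tcp --dport, --comment, ...) is treated as matching. Both sample rulesets are constructed from the files posted above (filter table, INPUT chain only); HARDENED_RULES_V6 is my own variant and not part of the posted fix.

```python
"""Static check of a rules.v6 file for the NDP problem above (added example, not the page's code)."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    chain: Optional[str] = None
    target: Optional[str] = None
    proto: Optional[str] = None
    icmpv6_type: Optional[int] = None
    hl_eq: Optional[int] = None
    in_iface: Optional[tuple] = None   # (name, negated)
    dst: Optional[tuple] = None        # (IPv6Network, negated)
    ctstates: frozenset = frozenset()

@dataclass
class Packet:
    in_iface: str
    dst: str
    icmpv6_type: int
    hop_limit: int = 255        # RFC 4861 requires 255 on every ND message
    ctstate: str = "UNTRACKED"  # Linux conntrack does not track ND: never ESTABLISHED/RELATED

def parse_filter_table(text):
    """({chain: policy}, [Rule]) for the *filter table of an iptables-save dump."""
    policies, rules, table = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*") or line == "COMMIT":
            table = None if line == "COMMIT" else line[1:]
        elif table == "filter" and line.startswith(":"):
            policies[line[1:].split()[0]] = line.split()[1]
        elif table == "filter" and line.startswith("-A "):
            rules.append(parse_rule(shlex.split(line)))
    return policies, rules

def parse_rule(tokens):
    """One '-A CHAIN ...' line to a Rule; '!' negates the following -i/-d; other options are skipped."""
    rule, neg, it = Rule(), False, iter(tokens)
    for tok in it:
        if tok == "!":
            neg = True
            continue
        if tok in ("-A", "-j", "-p"):
            setattr(rule, {"-A": "chain", "-j": "target", "-p": "proto"}[tok], next(it))
        elif tok == "-i":
            rule.in_iface = (next(it), neg)
        elif tok == "-d":
            rule.dst = (ipaddress.ip_network(next(it), strict=False), neg)
        elif tok in ("--icmpv6-type", "--hl-eq"):   # numeric, as iptables-save writes them
            setattr(rule, tok[2:].replace("-", "_"), int(next(it)))
        elif tok == "--ctstate":
            rule.ctstates = frozenset(next(it).split(","))
        neg = False
    return rule

def matches(rule, pkt):
    """Every interpreted criterion must hold; options the parser skipped count as matching."""
    if rule.proto not in (None, "ipv6-icmp", "icmpv6"):
        return False
    if rule.icmpv6_type not in (None, pkt.icmpv6_type) or rule.hl_eq not in (None, pkt.hop_limit):
        return False
    if rule.in_iface and (rule.in_iface[0] == pkt.in_iface) == rule.in_iface[1]:
        return False
    if rule.dst and (ipaddress.ip_address(pkt.dst) in rule.dst[0]) == rule.dst[1]:
        return False
    return not rule.ctstates or pkt.ctstate in rule.ctstates

def verdict(rules, policies, pkt, chain="INPUT"):
    """First matching terminating rule in the chain decides; otherwise the chain policy."""
    for rule in rules:
        if rule.chain == chain and rule.target in ("ACCEPT", "DROP", "REJECT") and matches(rule, pkt):
            return rule.target
    return policies.get(chain, "ACCEPT")

def check_ndp(ruleset, iface="docker1", host_addr="64:ff9b::192.168.234.1"):
    """Verdicts for an NS and an NA arriving on the bridge, addressed as a neighbour sends them."""
    policies, rules = parse_filter_table(ruleset)
    # NS goes to the solicited-node multicast group ff02::1:ffXX:XXXX (low 24 bits of the target).
    sol_node = ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0"))
                                     | int(ipaddress.IPv6Address(host_addr)) & 0xFFFFFF)
    probes = {"neighbor-solicitation": Packet(iface, str(sol_node), 135),
              "neighbor-advertisement": Packet(iface, host_addr, 136)}
    return {name: verdict(rules, policies, pkt) for name, pkt in probes.items()}

# Constructed from the question's files/firewall/rules.v6: *filter table, INPUT chain only
# (the FORWARD rules and the *nat table take no part in INPUT decisions).
QUESTION_RULES_V6 = """\
*filter
:INPUT DROP [0:0]
-A INPUT -d ::1/128 ! -i lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""
# The four rules the answer adds, appended to INPUT as in its complete file.
ANSWER_RULES_V6 = QUESTION_RULES_V6.replace("COMMIT", """\
-A INPUT -i docker1 -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m comment --comment router-solicitation -j ACCEPT
-A INPUT -i eth0 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m comment --comment router-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m comment --comment neighbor-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m comment --comment neighbor-advertisement -j ACCEPT
COMMIT""")
# Hardening the posted fix lacks: RFC 4861 requires hop limit 255 on ND, so routed forgeries cannot match.
HARDENED_RULES_V6 = ANSWER_RULES_V6.replace("-m icmp6 --icmpv6-type", "-m hl --hl-eq 255 -m icmp6 --icmpv6-type")
```

Running check_ndp on the question's rules gives DROP for both probes (nothing in INPUT matches, so the chain policy applies, which is the "No route to host" the question describes once the neighbour cache expires); on the answer's rules it gives ACCEPT for both. To check the live file, pass open("/etc/iptables/rules.v6").read() and, if the 64:ff9b:: prefix has been swapped for a global one as in Edit #1, the matching host_addr. The hardened variant adds -m hl --hl-eq 255 to the four ND rules: an ND message that has crossed a router cannot arrive with hop limit 255, so this cheap restriction keeps off-link hosts from feeding the neighbour cache through the open 135/136 rules. Unrelated to NDP but visible in the playbook: nginx-site.conf and docker-compose.yml are installed with mode 0666, which makes them world-writable on the host; 0644 is sufficient, since the root-run systemd unit and the read-only bind mount only need to read them.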
