-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Docker Swarm Services with IPv6 #30
Comments
After consulting with the local Docker maintainer @djs55, we've come to the conclusion that there's no easy workaround for the Swarm issues without a more serious dive into the codebase (and ipvs support in the Linux kernel). However, we only use Swarm in single-node mode, for the purposes of |
If you only have one host then the current solution of The main benefits of docker service (last time I checked) were that it starts the services automatically on reboot and allows secrets management. But I'm not sure what compose does these days - I remember they were trying to unify the two systems. |
I think that compose supports the restarting of services on reboot (or rather, the underlying engine just seems to restart them). But secrets does need some investigation... If compose does work for secrets, it's altogether just a simpler deployment since the swarm layer seems increasingly out of fashion these days. |
If we don't need the fancy multi-host networking (which had many problems last time I checked, not just IPv6) then an even simpler setup would be to remove Docker completely and instead have OCurrent push a NixOS configuration for the service to the host and then do |
I'd prefer to do things one step at a time: simplifying the existing Docker setup, and subsequently evaluating a potential switch to NixOS. |
We also update the images via OCurrent Deployer using |
Similar issues can be seen on GitHub: moby/moby#24379, moby/moby#24847, moby/moby#43643, |
I worry a little about the complexity of the stack on a single host. I'm ok with this workaround in the short term, but we do need to think about the best way to replace it in the longer term. There seems to be a tension between:
So far, balancing the pieces in the medium term point me towards picking a simple base image (like Alpine) and adding ocurrent support for maintaining packages on the host (reproducibly). NixOS+Mirage brings its own multiplicity of painful tool interactions that I'm not convinced we want want to jump into just yet :-) |
@avsm Is there no plan to support IPv6 with docker services? It's a worrying omission that looks like it is not getting attention looking at the links @mtelvers shared. I am worried about the complexity of introducing Nix into our infrastructure, everywhere I've used it for ops it has been a huge maintenance burden and has required dedicated Nix experts to keep it running. Given the limited resource we have for looking after infra and that neither Mark or I have experience with it, we should avoid it.
Agree there needs to be a plan for how to manage this, we are in a very reactive mode with all these infrastructure issues. |
IPv6 does not work as expected with
docker service deploy
.Using this trivial
docker-compose.yml
as an example./etc/caddy/Caddyfile
contains a reverse proxy definition like this:Basic connectivity can be checked using using
docker compose up
and usingcurl http://<ipv4>:80
andcurl http://<ipv6>:80
, which both return thenginx
default website.After
docker swarm init
, the stack can be deployed usingdocker stack deploy --compose-file ./docker-compose.yml test
. Connectivity tests on IPv6 now fail. IPv4 works as expected.Updating
/etc/docker/daemon.json
by addingipv6
andfixed-cidr-v6
as described here does not help.The situation can be worked around by deploying the caddy image with host ports like this. Now, IPv4 and IPv6 connectivity work.
The text was updated successfully, but these errors were encountered: