
Docker is the next generation in our services setup. Because we would like to learn a few things about it first, we experiment in the "testbed" VM. This wiki page lists some information about how we do things, useful hints, cheat sheets and other notes.

Creating a base image

Creating a base Debian image is done with docker's mkimage.sh script, which internally invokes debootstrap and sets up a few things that improve Debian for use in a container.

/usr/share/docker.io/contrib/mkimage.sh -t tolabaki/debian:stable debootstrap stable http://mirror.nl.leaseweb.net/debian/

Networking

IPv4

IPv4 networking in docker is simple. Docker sets up a NAT router and everything works out of the box. There is not much to worry about.

IPv6

IPv6 is not enabled by default in docker. Additionally, IPv6 does not support NAT. This takes a little effort to set up.

There are multiple ways to configure the IPv6 network, as explained here. On our leaseweb servers we have to use the NDP proxying technique, since we are sharing a big /64 subnet with other leaseweb machines.

/etc/default/docker

First, we enable IPv6 in docker by editing the docker daemon's command line options:

DOCKER_OPTS="--ipv6 --fixed-cidr-v6 2001:1af8:40e0:a00d:6::6400/118 --dns 2001:1af8:4300:1::10"
  • 2001:1af8:40e0:a00d:6::6400/118 is the subnet that docker is allowed to use for containers
  • 2001:1af8:4300:1::10 is the leaseweb DNS. At the time of writing, the testbed VM does not have a public IPv4 address, so IPv4 DNS servers do not work at all. If they did, though, we should have listed at least one there too.

Host networking

You should make sure that the host has two things configured:

  • The docker0 interface should have the fe80::1 link-local IPv6 address. This is a link-local address, so it doesn't matter if it's also present on other interfaces, and it also doesn't matter if it's not the only link-local IPv6 address on that interface. Just add it:
ip -6 addr add dev docker0 fe80::1
  • The IPv6 routing table should have an entry for the docker subnet:
ip -6 route add 2001:1af8:40e0:a00d:6::6400/118 dev docker0

NDP Proxy Daemon (ndppd)

To configure dynamic NDP proxying, we need to use the NDP Proxy Daemon.

  • git clone ...
  • make && make install
  • nano /etc/systemd/system/ndppd.service
[Unit]
Description=NDP Proxy Daemon
After=network.target

[Service]
Type=forking
ExecStart=/usr/local/sbin/ndppd -d -p /run/ndppd.pid
PIDFile=/run/ndppd.pid

[Install]
WantedBy=multi-user.target
  • nano /etc/ndppd.conf
route-ttl 30000
proxy eth0 {
  router yes
  timeout 500
  ttl 30000
  rule 2001:1af8:40e0:a00d:6::6400/118 {
    iface docker0
  }
}
  • systemctl enable ndppd.service
  • systemctl start ndppd.service
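
The same subnet appears in DOCKER_OPTS, in the host route and in the ndppd rule, and the three drift apart easily. The following check is an added example, not part of the original setup: it parses the two config texts shown on this page (embedded as constructed samples) and reports when the container subnet is not proxied on docker0, or when a rule is wider than the container subnet, since on a shared /64 the proxy should cover only the container range. The function names are hypothetical.

```python
import ipaddress
import re
import shlex

# Constructed samples, using the values shown on this page.
DOCKER_DEFAULTS = 'DOCKER_OPTS="--ipv6 --fixed-cidr-v6 2001:1af8:40e0:a00d:6::6400/118 --dns 2001:1af8:4300:1::10"'
NDPPD_CONF = """
proxy eth0 {
  router yes
  rule 2001:1af8:40e0:a00d:6::6400/118 {
    iface docker0
  }
}
"""

def docker_v6_subnet(defaults_text):
    """Return the --fixed-cidr-v6 network from an /etc/default/docker line."""
    m = re.search(r'DOCKER_OPTS="([^"]*)"', defaults_text)
    if not m:
        raise ValueError("no DOCKER_OPTS line found")
    opts = shlex.split(m.group(1))
    for i, opt in enumerate(opts):
        name, _, inline = opt.partition("=")
        if name == "--fixed-cidr-v6":
            value = inline or "".join(opts[i + 1:i + 2])
            # strict=True rejects a prefix with host bits set (misaligned subnet)
            return ipaddress.IPv6Network(value, strict=True)
    raise ValueError("--fixed-cidr-v6 not set")

def ndppd_rules(conf_text):
    """Return [(network, iface)] for each 'rule <cidr> { iface <name> }' block."""
    pattern = re.compile(r"rule\s+(\S+)\s*\{\s*iface\s+(\S+)\s*\}")
    return [(ipaddress.IPv6Network(cidr, strict=True), iface)
            for cidr, iface in pattern.findall(conf_text)]

def check(defaults_text, conf_text, bridge="docker0"):
    """List problems: container subnet not proxied, or proxy wider than subnet."""
    subnet = docker_v6_subnet(defaults_text)
    rules = ndppd_rules(conf_text)
    problems = []
    if not any(subnet.subnet_of(net) and iface == bridge for net, iface in rules):
        problems.append(f"{subnet} is not covered by an ndppd rule on {bridge}")
    for net, iface in rules:
        if iface == bridge and net != subnet and subnet.subnet_of(net):
            problems.append(f"rule {net} proxies addresses outside {subnet}")
    return problems

if __name__ == "__main__":
    print(check(DOCKER_DEFAULTS, NDPPD_CONF) or "configuration is consistent")
```

On the host, pass the contents of /etc/default/docker and /etc/ndppd.conf instead of the embedded samples.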

Other notes

https://stackoverflow.com/questions/34620695/docker-what-is-the-equivalent-of-the-legacy-link-parameter