Has anyone been successful in enabling IPv6 for the Docker daemon?

Currently reading
Has anyone been successful in enabling IPv6 for the Docker daemon?

3
0
NAS
DS918+
To add IPv6 support to our Docker containers, one first needs to enable IPv6 support in the Docker daemon. More specifically for our Synology boxes, the daemon.json file is located at /var/packages/Docker/etc/dockerd.json. Which begs the question: do changes to this file persist across updates? If they don't, this could be an annoyance...

Anyway, setting "ipv6": true in the daemon.json file doesn't seem to work, the Docker service doesn't start with this option.

Has anyone been able to figure out why? How do we fix this?
 
Well, I was using MACVLAN network for a specific container and that required to properly configure IPv6 for the whole thing. However, I've moved to host network for this container and now, as long as the host itself (the NAS) has an IPv6, it will also be associated to "network: host" containers.
 
Well, I was using MACVLAN network for a specific container and that required to properly configure IPv6 for the whole thing. However, I've moved to host network for this container and now, as long as the host itself (the NAS) has an IPv6, it will also be associated to "network: host" containers.
So v6 is a problem for you I’m guessing? Have you tried to turn v6 off on your adapter on host level?
 
I think you misunderstood me... I had a problem with IPv6 when I was using a MACVLAN network for a specific container, to get that network with IPv6, Docker needs to support it to (which doesn't seem currently possible). I no longer have a problem because I switched the container to "host mode".
 
Last edited:
Hi, found this thread on a similar case as described by 0xKubo. Changing dockerd.json in /var/packages/Docker/etc/dockerd.json resulted in error while trying to restart docker service. I figured another dockerd.json existing in /volume1/@appstore/Docker/config/dockerd.json. After both files contained the same and new settings, docker service started as usually.

Here's what I've added to the files to activate ipv6 support:
"ipv6": true,
"fixed-cidr-v6": "2001:db8:1::/64"

The second line is necessary to receive a global ipv6. Otherwise the container would receive a local fe80: address only.
Received both config lines for ipv6 from here: Walkthrough: Enabling IPv6 Functionality for Docker & Docker Compose – Collabnix

Hope that helps
 
Hi, found this thread on a similar case as described by 0xKubo. Changing dockerd.json in /var/packages/Docker/etc/dockerd.json resulted in error while trying to restart docker service. I figured another dockerd.json existing in /volume1/@appstore/Docker/config/dockerd.json. After both files contained the same and new settings, docker service started as usually.

Here's what I've added to the files to activate ipv6 support:
"ipv6": true,
"fixed-cidr-v6": "2001:db8:1::/64"

The second line is necessary to receive a global ipv6. Otherwise the container would receive a local fe80: address only.
Received both config lines for ipv6 from here: Walkthrough: Enabling IPv6 Functionality for Docker & Docker Compose – Collabnix

Hope that helps
Sorry to resurrect this, but I'm hoping you can help. (I was referred to this post from Reddit.) I changed the dockerd.json file by adding the lines you have that are supposed to add to activate ipv6 support. Unfortunately, when I attempt to run Docker after changing both files I am given the message, "Failed to run the package service."

For each file below, I have bolded the part I added.
dockerd.json file in /var/packages/Docker/etc/:

"data-root" : "/var/packages/Docker/target/docker",
"log-driver" : "db",
"registry-mirrors" : [],
"storage-driver" : "btrfs"
"ipv6": true,
"fixed-cidr-v6": "2001:db8:1::/64"


dockerd.json file in /volume1/@appstore/Docker/config/:

"registry-mirrors": [],
"data-root": "/var/packages/Docker/target/docker",
"log-driver": "db"
"ipv6": true,
"fixed-cidr-v6": "2001:db8:1::/64"


If anyone can provide any advice, I would appreciate it.
 
Sorry to resurrect this, but I'm hoping you can help. (I was referred to this post from Reddit.) I changed the dockerd.json file by adding the lines you have that are supposed to add to activate ipv6 support. Unfortunately, when I attempt to run Docker after changing both files I am given the message, "Failed to run the package service."

For each file below, I have bolded the part I added.
dockerd.json file in /var/packages/Docker/etc/:

"data-root" : "/var/packages/Docker/target/docker",
"log-driver" : "db",
"registry-mirrors" : [],
"storage-driver" : "btrfs"
"ipv6": true,
"fixed-cidr-v6": "2001:db8:1::/64"


dockerd.json file in /volume1/@appstore/Docker/config/:

"registry-mirrors": [],
"data-root": "/var/packages/Docker/target/docker",
"log-driver": "db"
"ipv6": true,
"fixed-cidr-v6": "2001:db8:1::/64"


If anyone can provide any advice, I would appreciate it.
Sorry for reopening the post but I had the same issue and could resove it as follows:

You have to address the json file conformance and append a comma to each line except the last one:

dockerd.json file in /var/packages/Docker/etc/:

"data-root" : "/var/packages/Docker/target/docker",
"log-driver" : "db",
"registry-mirrors" : [],
"storage-driver" : "btrfs",
"ipv6": true,
"fixed-cidr-v6": "2001:db8:1::/64"

dockerd.json file in /volume1/@appstore/Docker/config/:

"registry-mirrors": [],
"data-root": "/var/packages/Docker/target/docker",
"log-driver": "db",
"ipv6": true,
"fixed-cidr-v6": "2001:db8:1::/64"


and the service should start as expected again.
 
Last edited:
Sorry for reopening the post but I had the same issue and could resove it as follows:

You have to address the json file conformance and append a comma to each line except the last one:

dockerd.json file in /var/packages/Docker/etc/:

"data-root" : "/var/packages/Docker/target/docker",
"log-driver" : "db",
"registry-mirrors" : [],
"storage-driver" : "btrfs",
"ipv6": true,
"fixed-cidr-v6": "2001:db8:1::/64"

dockerd.json file in /volume1/@appstore/Docker/config/:

"registry-mirrors": [],
"data-root": "/var/packages/Docker/target/docker",
"log-driver": "db",
"ipv6": true,
"fixed-cidr-v6": "2001:db8:1::/64"


and the service should start as expected again.

In my case, "ipv6": true, gets wiped from /volume1/@appconf/Docker/dockerd.json when I restart dockerd via sudo synopkgctl stop Docker && sudo synopkgctl start Docker.

"ipv6": true, is still in /volume1/@appstore/Docker/config/dockerd.json after the restart.

Has anybody experienced that?

I am on DSM 7.1-42661 Update 1.
 
Last edited:
Just to be sure, no one actualy used 2001:db8:1::/64, right?

This cidr range is a placeholder(!) for documentation purposes only, which is the sole reason why blog posts and documentation ar using this range :D

Update: Please use an Unique Local Address (ULA) within the recommended subnet fd00::/8 instead.

If you have no idea how to generate your own subnet prefix, here is an ugly looking, but helpfull ipv6 ULA subnet generator: IPv6 Local Address Range Generator. Just hit the "generate" button and use the suggested "IPv6 Network Address" instead of 2001:db8:1::/6.
 
No, no, I was using my own IPv6 range given by my ISP.

Interestingly enough the "fixed-cidr-v6": "...", section is preserved in the config but "ipv6": true, is removed.

Out of curiosity which DSM and Docker versions are you on?
 
So you got a fixed GA-Prefix from your ISP? I have dynamic GA-Prefixes and didn't bother yet to enable ivp6 for containers as per my undestanding I would still need some sort of reverse proxy to make the container accessible to the outside world. Unfortunatly full ipv6 migration is far on the buttom of my todo lit.

Regarding the dockerd.json file, may I suggest to check which one actualy is used:
Code:
me@dsm:~$ ps ax | grep dockerd
18893 ?        Ssl  279:25 /var/packages/Docker/target/usr/bin/dockerd --config-file /var/packages/Docker/etc/dockerd.json
 
Last edited:
I have the exact same problem as @jmartin

I figured out that when the Docker package is launched, it calls this script: /var/packages/Docker/scripts/start-stop-status start
This script calls itself a binary: /var/packages/Docker/target/tool/updater
This binary is responsible to removing the "ipv6": true from /var/packages/Docker/etc/dockerd.json

I was able to prevent this to happen by commenting the line 180 of /var/packages/Docker/scripts/start-stop-status:
Code:
#        $DockerUpdaterBin postinst updatedockerdconf "$(get_install_volume_type)"

To change it easily:
Code:
sudo awk -i inplace -v INPLACE_SUFFIX=.bak 'index($1,"#"){next} index($0,"$DockerUpdaterBin postinst updatedockerdconf \"$(get_install_volume_type)\""){print "#"$0;next} {print $0}'
/var/packages/Docker/scripts/start-stop-status

Then you can use sudo synopkgctl stop Docker && sudo synopkgctl start Docker and it works ;)

Of course, this would likely need to be repeated after an upgrade of the Docker Package.
 
Actually, here is a script you can run after each update of Docker:
Bash:
#!/bin/sh
synopkgctl stop Docker
sed -i 's/^[^#]*[[:space:]]*\$DockerUpdaterBin postinst updatedockerdconf "\$(get_install_volume_type)"/#&/' /var/packages/Docker/scripts/start-stop-status
sed -i '1a\   "ipv6" : true,' /var/packages/Docker/etc/dockerd.json
synopkgctl start Docker
It automatically adds "ipv6": true into /var/packages/Docker/etc/dockerd.json if needed, and it automatically comments the line in /var/packages/Docker/scripts/start-stop-status if needed.

Script to run with sudo.
 
Actually, here is a script you can run after each update of Docker:
Bash:
#!/bin/sh
synopkgctl stop Docker
sed -i 's/^[^#]*[[:space:]]*\$DockerUpdaterBin postinst updatedockerdconf "\$(get_install_volume_type)"/#&/' /var/packages/Docker/scripts/start-stop-status
sed -i '1a\   "ipv6" : true,' /var/packages/Docker/etc/dockerd.json
synopkgctl start Docker
It automatically adds "ipv6": true into /var/packages/Docker/etc/dockerd.json if needed, and it automatically comments the line in /var/packages/Docker/scripts/start-stop-status if needed.

Script to run with sudo.
Hi Bolemo,

I can confirm it works. The ipv6 field is not getting stripped anymore.

Here's my version using jq so the ipv6 field doesn't get added every time the script is run.

Bash:
#!/usr/bin/env bash

_main() {
  synopkgctl stop Docker

  sed -i 's/^[^#]*[[:space:]]*\$DockerUpdaterBin postinst updatedockerdconf "\$(get_install_volume_type)"/#&/' \
    /var/packages/Docker/scripts/start-stop-status


  local docker_config_path='/var/packages/Docker/etc/dockerd.json'
  local content="$(cat "${docker_config_path}")"
  jq '. | .ipv6 = true' <<< "${content}" > "${docker_config_path}"

  synopkgctl start Docker
}

_main "$@"

After configuring a new docker network everything is working fine with ipv6. Thanks for your help!
 
Last edited:
Hello,

I hope somebody is reading this, because I am at wit's end and I could use the help of an expert.

I am trying to install haugene-transmission-openvpn package on Synology DSM6. My VPN is Njalla which provides a nice all-in-one conf file but also requires IPv6.

My first stumbling block was the keepalive in the Njalla conf file, I commented it out because Docker was throwing an error that I already had ping commands that were unneeded if keepalive was used. I couldn't find the ping commands anywhere so ...

I have been mightily struggling with IPv6. My first error was : Linux can't add IPv6 to interface tun0, which lead me here. I added the ipv6 : true and fixed-cidr-v6 to /var/packages/Docker/etc/dockerd.json. This seems to work, but after a minute it times out and dies.

Thanks in advance for any wisdom.


Scott




2022-11-20 16:58:53stdout2022-11-20 17:58:52 Exiting due to fatal error
2022-11-20 16:58:53stdout2022-11-20 17:58:52 Linux can't add IPv6 to interface tun0
2022-11-20 16:58:53stdout2022-11-20 17:58:52 sitnl_send: rtnl: generic error (-13): Permission denied
2022-11-20 16:58:53stdout2022-11-20 17:58:52 net_addr_v6_add: 2a02:6f8:2020:196:3::1016/112 dev tun0
2022-11-20 16:58:53stdout2022-11-20 17:58:52 net_iface_up: set tun0 up
2022-11-20 16:58:53stdout2022-11-20 17:58:52 net_iface_mtu_set: mtu 1500 for tun0
2022-11-20 16:58:53stdout2022-11-20 17:58:52 net_addr_v4_add: 198.167.196.86/27 dev tun0
2022-11-20 16:58:53stdout2022-11-20 17:58:52 net_iface_up: set tun0 up
2022-11-20 16:58:53stdout2022-11-20 17:58:52 net_iface_mtu_set: mtu 1500 for tun0
2022-11-20 16:58:53stdout2022-11-20 17:58:52 TUN/TAP device tun0 opened
2022-11-20 16:58:53stdout2022-11-20 17:58:52 ROUTE6_GATEWAY fdee:a18e:fb24:c71e::1 IFACE=eth0
2022-11-20 16:58:53stdout2022-11-20 17:58:52 net_route_v6_best_gw result: via fdee:a18e:fb24:c71e::1 dev eth0
2022-11-20 16:58:53stdout2022-11-20 17:58:52 net_route_v6_best_gw query: dst ::
2022-11-20 16:58:53stdout2022-11-20 17:58:52 GDG6: remote_host_ipv6=n/a
2022-11-20 16:58:53stdout2022-11-20 17:58:52 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:03
2022-11-20 16:58:53stdout2022-11-20 17:58:52 net_route_v4_best_gw result: via 172.17.0.1 dev eth0
2022-11-20 16:58:53stdout2022-11-20 17:58:52 net_route_v4_best_gw query: dst 0.0.0.0
2022-11-20 16:58:53stdout2022-11-20 17:58:52 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-11-20 16:58:53stdout2022-11-20 17:58:52 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-11-20 16:58:53stdout2022-11-20 17:58:52 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-11-20 16:58:53stdout2022-11-20 17:58:52 OPTIONS IMPORT: data channel crypto options modified
2022-11-20 16:58:53stdout2022-11-20 17:58:52 OPTIONS IMPORT: adjusting link_mtu to 1625
2022-11-20 16:58:53stdout2022-11-20 17:58:52 OPTIONS IMPORT: peer-id set
2022-11-20 16:58:53stdout2022-11-20 17:58:52 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-11-20 16:58:53stdout2022-11-20 17:58:52 OPTIONS IMPORT: route-related options modified
2022-11-20 16:58:53stdout2022-11-20 17:58:52 OPTIONS IMPORT: route options modified
2022-11-20 16:58:53stdout2022-11-20 17:58:52 OPTIONS IMPORT: --ifconfig/up options modified
2022-11-20 16:58:53stdout2022-11-20 17:58:52 OPTIONS IMPORT: --persist options modified
2022-11-20 16:58:53stdout2022-11-20 17:58:52 OPTIONS IMPORT: compression parms modified
2022-11-20 16:58:53stdout2022-11-20 17:58:52 OPTIONS IMPORT: explicit notify parm(s) modified
2022-11-20 16:58:53stdout2022-11-20 17:58:52 OPTIONS IMPORT: timers and/or timeouts modified
2022-11-20 16:58:53stdout2022-11-20 17:58:52 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:11: ip-win32 (2.5.5)
2022-11-20 16:58:53stdout2022-11-20 17:58:52 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-11-20 16:58:53stdout2022-11-20 17:58:52 PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 198.167.196.65,compress lzo,tun-ipv6,persist-key,persist-tun,redirect-gateway def1,explicit-exit-notify 1,route-ipv6 2000::/3,dhcp-option DNS 95.215.19.53,ip-win32 dynamic,ping 10,ping-restart 120,ifconfig-ipv6 2a02:6f8:2020:196:3::1016/112 2a02:6f8:2020:196:3::1,ifconfig 198.167.196.86 255.255.255.224,peer-id 0,cipher AES-256-GCM'
2022-11-20 16:58:52stdout2022-11-20 17:58:52 SENT CONTROL [vpn-196]: 'PUSH_REQUEST' (status=1)
2022-11-20 16:58:51stdout2022-11-20 17:58:51 [vpn-196] Peer Connection Initiated with [AF_INET]198.167.192.7:1194
2022-11-20 16:58:51stdout2022-11-20 17:58:51 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
2022-11-20 16:58:48stdout2022-11-20 17:58:48 VERIFY OK: depth=0, CN=vpn-196
2022-11-20 16:58:48stdout2022-11-20 17:58:48 VERIFY EKU OK
2022-11-20 16:58:48stdout2022-11-20 17:58:48 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-11-20 16:58:48stdout2022-11-20 17:58:48 Validating certificate extended key usage
2022-11-20 16:58:48stdout2022-11-20 17:58:48 VERIFY KU OK
2022-11-20 16:58:48stdout2022-11-20 17:58:48 VERIFY OK: depth=1, CN=openvpn.njal.la
2022-11-20 16:58:48stdout2022-11-20 17:58:48 TLS: Initial packet from [AF_INET]198.167.192.7:1194, sid=43decd33 77c76978
2022-11-20 16:58:48stdout2022-11-20 17:58:48 UDP link remote: [AF_INET]198.167.192.7:1194
2022-11-20 16:58:48stdout2022-11-20 17:58:48 UDP link local: (not bound)
2022-11-20 16:58:48stdout2022-11-20 17:58:48 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-11-20 16:58:48stdout2022-11-20 17:58:48 TCP/UDP: Preserving recently used remote address: [AF_INET]198.167.192.7:1194
2022-11-20 16:58:47stdout2022-11-20 17:58:47 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-11-20 16:58:47stdout2022-11-20 17:58:47 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-11-20 16:58:47stdout2022-11-20 17:58:47 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-11-20 16:58:47stdout2022-11-20 17:58:47 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-11-20 16:58:47stdout2022-11-20 17:58:47 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2022-11-20 16:58:47stdout2022-11-20 17:58:47 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-11-20 16:58:47stdout2022-11-20 17:58:47 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-11-20 16:58:47stdoutadding route to local network 192.168.0.0/24 via 172.17.0.1 dev eth0
2022-11-20 16:58:45stdoutSetting OpenVPN credentials...
2022-11-20 16:58:45stdoutsed: cannot rename /etc/openvpn/custom/sedmW0THN: Device or resource busy
2022-11-20 16:58:45stdoutsed: cannot rename /etc/openvpn/custom/sedBbCEGg: Device or resource busy
2022-11-20 16:58:45stdoutModification: Updating status for config failure detection
2022-11-20 16:58:45stdoutsed: cannot rename /etc/openvpn/custom/sedFn9rYV: Device or resource busy
2022-11-20 16:58:45stdoutsed: cannot rename /etc/openvpn/custom/sedA4Qc9Z: Device or resource busy
2022-11-20 16:58:45stdoutModification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
2022-11-20 16:58:45stdoutsed: cannot rename /etc/openvpn/custom/sedddj9WB: Device or resource busy
2022-11-20 16:58:45stdoutsed: cannot rename /etc/openvpn/custom/sedNOWqqL: Device or resource busy
2022-11-20 16:58:45stdoutModification: Set output verbosity to 3
2022-11-20 16:58:45stdoutsed: cannot rename /etc/openvpn/custom/sed5pCA0e: Device or resource busy
2022-11-20 16:58:45stdoutModification: Change tls-crypt keyfile path
2022-11-20 16:58:45stdoutsed: cannot rename /etc/openvpn/custom/sedpYVMCh: Device or resource busy
2022-11-20 16:58:45stdoutsed: cannot rename /etc/openvpn/custom/sed5we2dD: Device or resource busy
2022-11-20 16:58:45stdoutModification: Update/set resolv-retry to 15 seconds
2022-11-20 16:58:45stdoutsed: cannot rename /etc/openvpn/custom/sedFzQmwZ: Device or resource busy
2022-11-20 16:58:45stdoutsed: cannot rename /etc/openvpn/custom/sedkGPsws: Device or resource busy
2022-11-20 16:58:45stdoutsed: cannot rename /etc/openvpn/custom/sedEWrlJ4: Device or resource busy
2022-11-20 16:58:45stdoutsed: cannot rename /etc/openvpn/custom/sedBj9kyP: Device or resource busy
2022-11-20 16:58:45stdoutModification: Change ping options
2022-11-20 16:58:45stdoutsed: cannot rename /etc/openvpn/custom/sed5Iyl4e: Device or resource busy
2022-11-20 16:58:45stdoutModification: Change ca certificate path
2022-11-20 16:58:45stdoutsed: cannot rename /etc/openvpn/custom/sedA5uzgm: Device or resource busy
2022-11-20 16:58:45stdoutModification: Point auth-user-pass option to the username/password file
2022-11-20 16:58:45stdoutModifying /etc/openvpn/custom/default.ovpn for best behaviour in this container
2022-11-20 16:58:45stdoutUsing OpenVPN provider: CUSTOM
2022-11-20 16:58:45stdoutCreating TUN device /dev/net/tun
2022-11-20 16:58:43stdoutStarting container with revision: b33d0fe4c938259a0d4eb844e55468f387456121
 
Sorry to reply this. It does not seem to work well on the latest version (DSM7.1.1)? After I run this code, it return:
======== stop Docker ========
======== start Docker ========
Failed to execute '/var/packages/Docker/scripts/start-stop-status start' (err=1)

I have already degrade docker to version 20.10.3-1305, it still return that. Does anyone have a similar problem? And how to improve the code to enable iPv6?
Hoping for someone to answer.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

I can’t find any option to restore just the settings. 1710356648 Phew, managed to fix it. Within the...
Replies
4
Views
390
GPU passthrough would be a great addition to VMM, even though the majority of DiskStations wouldn't...
Replies
4
Views
3,744
Thank you for your feedback on the matter. There is no need to break this into multiple topics considering...
Replies
30
Views
9,471

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Back
Top