Last active
January 1, 2024 12:40
-
-
Save WietseWind/846b6274c0e7208e3b8fa96fb1149c07 to your computer and use it in GitHub Desktop.
Ubuntu 22.04 with docker-ce in IPv6 only environment
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Assumptions: | |
| # - Ubuntu 22.04 | |
| # - Docker CE | |
| # - IPv6 only environment | |
| # - Using netplan for IPv6 addressing | |
| # - IPv6 /64 assigned to host | |
| # - UFW in use (and DNS to be allowed) - otherwise skip the ufw config | |
| # (The above is the Hetzner default) | |
| apt -y update && apt -y upgrade && apt -y dist-upgrade | |
| sudo apt-get install ca-certificates curl gnupg lsb-release | |
| sudo mkdir -p /etc/apt/keyrings && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg | |
| echo \ | |
| "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \ | |
| $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null | |
| apt -y update && apt -y install docker-ce | |
| sed 's/dhcp4: true/dhcp4: false/g' -i /etc/netplan/50-cloud-init.yaml && chmod 700 /etc/netplan/50-cloud-init.yaml && netplan apply | |
| ipv6prefix=$(ip addr |grep inet6|grep -v fe80|grep -v ::1/128|xargs|cut -d " " -f 2|cut -d "/" -f 1|cut -d ':' -f -5) | |
| ipv6dns=$(resolvectl status|grep Current|cut -d ":" -f 2-|grep '[a-f0-9]:[a-f0-9]'|xargs) | |
| mkdir -p /etc/docker | |
| echo -e '{\n "ipv6": true,\n "fixed-cidr-v6": "'$ipv6prefix'1000::/68",\n "dns": ["'$ipv6dns'"],\n "userland-proxy": false\n}' > /etc/docker/daemon.json | |
| # No NATv6 needed, we're routing | |
| # ip6tables -t nat -A POSTROUTING -s "$ipv6prefix"1000::/68 ! -o docker0 -j MASQUERADE && apt install -y iptables-persistent | |
| sed 's/^COMMIT$/# COMMIT/g' -i /etc/ufw/before6.rules | |
| echo '' >> /etc/ufw/before6.rules | |
| echo '# Allow DNS traffic from containers to DNS server' >> /etc/ufw/before6.rules | |
| echo '-A ufw6-before-forward -s '$ipv6prefix'1000::/68 -d '$ipv6dns' -p udp --dport 53 -j ACCEPT' >> /etc/ufw/before6.rules | |
| echo '-A ufw6-before-forward -s '$ipv6prefix'1000::/68 -d '$ipv6dns' -p tcp --dport 53 -j ACCEPT' >> /etc/ufw/before6.rules | |
| echo '' >> /etc/ufw/before6.rules | |
| echo '# Allow DNS traffic from DNS server to containers (optional)' >> /etc/ufw/before6.rules | |
| echo '-A ufw6-before-forward -s '$ipv6dns' -d '$ipv6prefix'1000::/68 -p udp --sport 53 -j ACCEPT' >> /etc/ufw/before6.rules | |
| echo '-A ufw6-before-forward -s '$ipv6dns' -d '$ipv6prefix'1000::/68 -p tcp --sport 53 -j ACCEPT' >> /etc/ufw/before6.rules | |
| echo '' >> /etc/ufw/before6.rules | |
| echo 'COMMIT' >> /etc/ufw/before6.rules | |
| ufw reload | |
| echo 'net.ipv6.conf.default.forwarding=1' >> /etc/sysctl.conf && sysctl -p /etc/sysctl.conf | |
| echo 'net.ipv6.conf.eth0.proxy_ndp=1' >> /etc/sysctl.conf && sysctl -p /etc/sysctl.conf | |
| echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.conf && sysctl -p /etc/sysctl.conf |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment