Task #7378

open

Document / explore on how to sensibly run docker with a /64

Added by Nico Schottelius almost 2 years ago. Updated almost 2 years ago.

Status: In Progress
Priority: Normal
Assignee: -
Start date: 11/29/2019
Due date:
% Done: 0%
Estimated time:
PM Check date:

Description

draft 1: "https only"

  • Block everything incoming besides https
  • Reasoning:
    • containers by default insecure
    • if https open -> it is likely intended
  • container types (brainstorming)
    • databases
    • message broker
    • workers (probably not even reachable)
    • a lot of http only stuff

draft 2: tls/ssl in a container

  • get a name
  • get a cert
  • TBD

draft 3: "NAT66 + firewall"

  • Use the same approach as in IPv4 world
  • We use site-local IPv6 addresses
  • Do a NAT66 to the one IPv6 address of the host
  • People can behave/have similar mechanisms as before
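The "draft 1" policy above (drop everything inbound to the container /64 except HTTPS) can be expressed as a small ip6tables ruleset. The script below is an added example, not part of this ticket or of ungleich's tooling; it assumes that the /64 is routed to the host, that containers get addresses from it (for example dockerd started with `--ipv6 --fixed-cidr-v6=<prefix>`), and that routed traffic passes the FORWARD chain. The chain name DOCKER-V6-IN and the prefix 2001:db8:1::/64 (a documentation prefix) are chosen here for illustration.

```shell
#!/bin/sh
# Added example for "draft 1" (not part of the ticket): print the
# ip6tables rules that let only inbound HTTPS reach a container /64 and
# drop every other new inbound connection, while replies, ICMPv6 and
# traffic between the host's own containers keep working.
#
# Assumptions (not stated in the ticket): the /64 is routed to this host,
# containers get addresses from it (e.g. dockerd started with
# --ipv6 --fixed-cidr-v6=<prefix>), and routed traffic passes the
# FORWARD chain. The chain name DOCKER-V6-IN is an arbitrary choice.

# draft1_rules PREFIX: print the ruleset for PREFIX (must be an IPv6 /64).
# Returns 1 and prints nothing on stdout if the argument is not a /64.
draft1_rules() {
    prefix="$1"
    case "$prefix" in
        *:*/64) ;;
        *) echo "draft1_rules: expected an IPv6 /64, got '$prefix'" >&2; return 1 ;;
    esac
    # Order matters: conntrack first (replies to outbound connections),
    # then the explicit allows, then the catch-all DROP. ICMPv6 must be
    # allowed or path MTU discovery breaks. The -s rule keeps traffic
    # between containers of this host working; drop it if you want
    # containers isolated from each other.
    cat <<EOF
# generated for $prefix: inbound to the container /64
ip6tables -N DOCKER-V6-IN 2>/dev/null || ip6tables -F DOCKER-V6-IN
ip6tables -A DOCKER-V6-IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A DOCKER-V6-IN -s $prefix -j ACCEPT
ip6tables -A DOCKER-V6-IN -p icmpv6 -j ACCEPT
ip6tables -A DOCKER-V6-IN -p tcp --dport 443 -j ACCEPT
ip6tables -A DOCKER-V6-IN -j DROP
# (re)attach the chain at the top of FORWARD without duplicating the jump
ip6tables -D FORWARD -d $prefix -j DOCKER-V6-IN 2>/dev/null || true
ip6tables -I FORWARD 1 -d $prefix -j DOCKER-V6-IN
EOF
}

# Usage: sh draft1.sh 2001:db8:1::/64          # print the rules (dry run)
#        sh draft1.sh 2001:db8:1::/64 --apply  # run them (needs root)
if [ -n "$1" ]; then
    if [ "$2" = "--apply" ]; then
        draft1_rules "$1" | sh -e
    else
        draft1_rules "$1"
    fi
fi
```

After applying, check with `ip6tables -S FORWARD` that the jump to DOCKER-V6-IN sits above any FORWARD rules Docker itself manages, otherwise Docker's own accept rules may be hit first. The dry-run output is plain shell, so it can be reviewed or diffed before it is ever executed.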
#2

Updated by Nico Schottelius almost 2 years ago

  • Status changed from New to In Progress
  • Description updated (diff)

#3

Updated by Nico Schottelius almost 2 years ago

  • Description updated (diff)

#4

Updated by Nico Schottelius almost 2 years ago

  • Description updated (diff)

#5

Updated by Nico Schottelius almost 2 years ago

  • Description updated (diff)

#6

Updated by Den Ivanov almost 2 years ago

Some advice that may help (*may depend on the docker version):
1) Run docker with:
```
--ipv6 --fixed-cidr-v6={{ our net }}
```
2) Change sysctl options:
```
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.eth0.accept_ra=2
```
3) Remove the IPv4-only embedded docker DNS server (useful when using custom networks created with "docker network create"):
```
# strip the embedded resolver 127.0.0.11 from the container's resolv.conf
RESOLV_CONF=$(sed 's/nameserver 127.0.0.11//g' /etc/resolv.conf)
echo "$RESOLV_CONF" > /etc/resolv.conf
```

#7

Updated by Evil Ham almost 2 years ago

This might benefit from #7379 :-D
