Task #7378
Document / explore on how to sensibly run docker with a /64
Status:
Closed
Priority:
Normal
Assignee:
-
Start date:
11/29/2019
Due date:
% Done:
0%
Estimated time:
PM Check date:
Description
draft 1: "https only"
- Block everything incoming besides https
- Reasoning:
  - containers are insecure by default
  - if https is open -> it is likely intended
- container types (brainstorming):
  - databases
  - message broker
  - workers (probably not even reachable)
  - a lot of http-only stuff
draft 2: tls/ssl in a container
- get a name
- get a cert
- TBD
draft 3: "NAT66 + firewall"
- Use the same approach as in the IPv4 world
- We use site-local IPv6 addresses
- Do a NAT66 to the one IPv6 address of the host
- People can behave / have similar mechanisms as before
Updated by Den Ivanov about 5 years ago
Is that related to https://redmine.ungleich.ch/issues/7359 ?
Updated by Nico Schottelius about 5 years ago
- Description updated (diff)
- Status changed from New to In Progress
Updated by Den Ivanov about 5 years ago
Some advice -> maybe that would help (*may depend on docker version):
1) Run docker with: `--ipv6 --fixed-cidr-v6={{ our net }}`
2) Change sysctl options:
```
# let the host route between eth0 and the docker bridge
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
# accept_ra=2: keep accepting router advertisements on eth0 even though forwarding is on
net.ipv6.conf.eth0.accept_ra=2
```
3) Remove IPv4-only embedded docker DNS server (useful when using custom networks created with "docker network create"):
```
# strip the embedded docker resolver (127.0.0.11) so containers use the host's nameservers
RESOLV_CONF=$(sed 's/nameserver 127.0.0.11//g' /etc/resolv.conf)
echo "$RESOLV_CONF" > /etc/resolv.conf
```
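A worked example for draft 1 of the description and step 1 above, added here and not taken from the ticket or from ungleich: a POSIX shell script that emits the daemon.json equivalent of `--ipv6 --fixed-cidr-v6` and an nftables ruleset under which only HTTPS (plus replies and ICMPv6) reaches the container /64. The prefix, table and chain names are constructed placeholders; it assumes nftables on the host and does not account for the rules Docker itself installs.

```shell
#!/bin/sh
# Added example (not from the ticket): emit the daemon.json equivalent of the
# ticket's step 1 (--ipv6 --fixed-cidr-v6) and an nftables ruleset for draft 1,
# so only HTTPS (plus replies and ICMPv6) reaches the container /64.
# The default prefix is a constructed documentation value, not a real net.
set -eu

# Sanity check: expect an IPv6 prefix written with a /64 length.
check_prefix() {
    case "$1" in
        *:*/64) return 0 ;;
        *) return 1 ;;
    esac
}

# daemon.json form of: dockerd --ipv6 --fixed-cidr-v6=<net>
daemon_json() {
    printf '{\n  "ipv6": true,\n  "fixed-cidr-v6": "%s"\n}\n' "$1"
}

# Forward chain, because container traffic transits the host's bridge:
# keep established flows and ICMPv6 (NDP, PMTU), allow new TCP/443, drop the rest.
# Table/chain names are placeholders; Docker's own rules are not handled here.
nft_ruleset() {
    cat <<EOF
table ip6 docker_filter {
  chain forward {
    type filter hook forward priority 0; policy accept;
    ip6 daddr $1 ct state established,related accept
    ip6 daddr $1 meta l4proto icmpv6 accept
    ip6 daddr $1 tcp dport 443 accept
    ip6 daddr $1 drop
  }
}
EOF
}

main() {
    net="${1:-2001:db8:1234:5678::/64}"
    check_prefix "$net" || { echo "need a /64, got: $net" >&2; return 1; }
    daemon_json "$net"
    nft_ruleset "$net"
}
main "${1:-}"
```

Run it with the delegated /64 as the only argument; the daemon.json part goes to /etc/docker/daemon.json and the ruleset can be loaded with `nft -f`.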
Updated by Nico Schottelius 11 months ago
- Status changed from In Progress to Closed