IPv6 addresses assigned to containers while DHCP is not set

[Teleminator]

Hi!

 

I use Unraid Version: 6.12.6.

The only router on the LAN is AVM Fritz!Box 7590 with dual stack and dynamic IPv4/ipV6 and it advertises my LAN-IPv6-prefix and DNS to the LAN.

 

Unraids network-config sets just IPv4+IPv6 and eth0, no bonding and no bridging.

 

My docker-config sets macvlan and bind it to eth0 with NO dhcp set:

 

My docker containers get two global IPv6 addresses, one from the container by SLAAC with the advertised prefix and the other one (red cross) seems to comes from docker.

 

Docker configures also a wrong gateway-address. IPv4-addresses are okay.

 

So, why does docker assign IPv6 addresses to containers even though dhcp pool is disabled and also why does docker assigns a wrong gateway?

In addition to this, if the IPv6-prefix of my LAN changes, docker does not update its IPv6-subnet on the fly. The SLAAC-address in the containers are updated as expected.

So, how is it possible to disable dockers DHCPv6?

[JorgeB]

I think only @bonienlmay be able to help with this.

[MAM59]

This is not really DHCPV6.

What happens is that docker reads the hosts V6 address (here from SLAAC, in my net it is static), strips the first 64 bit and takes it as  the prefix (which is wrong here, i have /48 not /64, but it still works because it carries over the next block too). Copies the received gateway address, which means, your <prefix>::1 must be announced somewhere.

It then uses some dice throws to generate a new 16bit section, here 2000, and then appends it to the prefix. This new "prefix" is offered by router advertisement protocol to the starting dockers with a netmask of /72.

The dockers then pick their own address from this pool by SLAAC

 

The gateway is somehow a guess because if not static, it is announced as the link local FE80:: adress by the real router. This cannot be used for the docker subnet, therefor it makes an "educated guess" what the real, routeable, address could be.

In your case it picks the ::1, which is wrong as you say.

I use static addresses, and also use the "real" address for the gateway. Thats why it works here.

 

Sad news for you: the Fritzbox handles V6 very poorly and utterly wrong. It will be hard to impossible to train it it use a "good" address, switching the dockers to static wont help you because your prefix is dynamic... BAD LUCK!!!

Maybe your prefix changes are less frequent (my nephew for instance has one or two changes per year), then it might be worth to change it manually each time. But with a daily change you are really lost.

Try to fix the FB to the ::1 address, this would work best. (but if the prefix changes, you always need to restart the dockers)