How to run IPv6-enabled Docker containers on AWS

by Nicolas Leiva

Do you want to forget about NAT and run containers without having to translate IP addresses? Then you need public IP addresses, lots of them. Unfortunately, the price of each IPv4 address is exceeding $20, so you won’t get one for each and every one of your containers. On the other hand, there is no shortage of IPv6 addresses, so you could in theory assign a unique one to as many containers as you’d like.

When the Internet protocol (IP) that helps deliver this blog post to your device was defined back in 1981, the internet addresses that identify sources and destinations were specified as fixed length of four octets (32 bits). This is actually the fourth version of the protocol, so we refer to these addresses as IP version 4 (IPv4) addresses.

Approximately a decade later, in 1992, it became evident that we would eventually run out of 32-bit IPv4 addresses, so in March 1994, reusable private IP addresses were defined in an attempt to preserve IP address space. You use these to identify hosts private to an enterprise. If any of these hosts needs to connect to an outside host, its address needs to be translated into a public IP address that is globally unique. This process is known as Network Address Translation (NAT) and was defined a couple of months later.

About a year later (1995), a new version of the Internet Protocol came out to provide — among other things — expanded addressing capabilities. We know this as IPv6, which increases the IP address size from 32 bits to 128 bits.

The problem? IPv6 is not backwards compatible with IPv4, so the transition has been really, really slow: over 20 years now, with current adoption at roughly 22%.

Anyways, the purpose of this post is to demonstrate how to run Containers on a Cloud Provider (AWS) using IPv6. This is something that was pending from my previous post: Kubernetes multi-cluster networking made simple. The target topology is the following.

While we cannot currently break up an IPv6 block allocated to a VPC (/56) to assign smaller subnets (/64) to instances in AWS, we can use Elastic Network Interfaces (ENI) to associate a contiguous block of IPv6 addresses with an instance. This results in an IPv6 prefix length longer than /64 (/126 in this example), which is not a best practice on a LAN, so take this with a grain of salt.

In a nutshell, this is what we will do:

  1. Create EC2 instances with an ENI attached.
  2. Re-configure IPv6 addressing on the instance and install Docker.
  3. Run a couple of containers using only IPv6.

Create EC2 instances with an ENI attached

We will use the AWS CLI create-network-interface to create an ENI with a primary IPv6 address and also a contiguous block of IPv6 addresses for each one of our instances. These addresses will come from a known Subnet. We will also apply a Security Group to our ENI.

Subnet, Security Group and ENI

If you don’t have a VPC with IPv6 support already, take a look at Getting Started with IPv6 for Amazon VPC, then store the IDs of the Subnet and Security Group in the variables subnetId and sgId.

subnetId=subnet-09a931730fa9exxxx
sgId=sg-0eaf439572982yyyy

For instance-1 we will reserve addresses ::1:1, ::8, ::9, ::a and ::b (I have removed the subnet prefix for ease of reading). The first address will be for the instance itself, and the other four will make up the /126 we need for the Linux bridge the containers will be connected to.

2600:1f18:47b:ca03::1:1
2600:1f18:47b:ca03::8
2600:1f18:47b:ca03::9
2600:1f18:47b:ca03::a
2600:1f18:47b:ca03::b

For our instance-2 we will reserve addresses ::2:2, ::c, ::d, ::e and ::f.

2600:1f18:47b:ca03::2:2
2600:1f18:47b:ca03::c
2600:1f18:47b:ca03::d
2600:1f18:47b:ca03::e
2600:1f18:47b:ca03::f

With all this info we execute the create-network-interface command. We also need the ID of the ENI for the following operations, so we query NetworkInterface.NetworkInterfaceId and store the returned value in eni1 for instance-1.

eni1=`aws ec2 create-network-interface \
  --subnet-id $subnetId \
  --description "My IPv6 ENI 1" \
  --groups $sgId \
  --ipv6-addresses \
  Ipv6Address=2600:1f18:47b:ca03::1:1 \
  Ipv6Address=2600:1f18:47b:ca03::8 \
  Ipv6Address=2600:1f18:47b:ca03::9 \
  Ipv6Address=2600:1f18:47b:ca03::a \
  Ipv6Address=2600:1f18:47b:ca03::b \
  --query 'NetworkInterface.NetworkInterfaceId' \
  --output text`

You can check the value returned as follows.

$ echo $eni1
eni-08ba7c2f50a22a160

Repeat for the second ENI.

eni2=`aws ec2 create-network-interface \
  --subnet-id $subnetId \
  --description "My IPv6 ENI 2" \
  --groups $sgId \
  --ipv6-addresses \
  Ipv6Address=2600:1f18:47b:ca03::2:2 \
  Ipv6Address=2600:1f18:47b:ca03::c \
  Ipv6Address=2600:1f18:47b:ca03::d \
  Ipv6Address=2600:1f18:47b:ca03::e \
  Ipv6Address=2600:1f18:47b:ca03::f \
  --query 'NetworkInterface.NetworkInterfaceId' \
  --output text`

Launching instances with the ENI attached

Amazon EC2 uses public-key cryptography to encrypt and decrypt login information [Amazon EC2 Key Pairs], so you need a public and private key to connect to the instances.

You can use an existing one or alternatively create one as follows, where ~/.ssh/id_rsa.pub is the location of your public key file.

aws ec2 import-key-pair \
  --key-name <name> \
  --public-key-material file://~/.ssh/id_rsa.pub

We will store the name of the key pair in a variable named AWS_SSH_KEY. You either assign the name manually, as you just picked it, or retrieve it from AWS with describe-key-pairs.

AWS_SSH_KEY=$(aws ec2 describe-key-pairs --query KeyPairs[0].KeyName --output text)

Now it is time to create the instances. We will use AMI ID ami-0ac019f4fcb7cb7e6, which is Ubuntu Server 18.04 LTS, and instance type r5d.large.

The number of IP addresses you can assign to an instance is restricted by its type; for r5d.large, for example, we can go up to 10 IPv6 addresses, which is enough for this small proof of concept. See the details for each instance type in IP Addresses Per Network Interface Per Instance Type.

We also want to attach the ENI we previously created, whose ID was stored in eni1. We keep the instance ID we receive back from AWS in vm1 (we are querying Instances[0].InstanceId).

vm1=`aws ec2 run-instances \
  --key-name $AWS_SSH_KEY \
  --image-id ami-0ac019f4fcb7cb7e6 \
  --instance-type r5d.large \
  --network-interfaces DeviceIndex=0,NetworkInterfaceId=$eni1 \
  --query 'Instances[0].InstanceId' \
  --output text`

Similarly for instance-2.

vm2=`aws ec2 run-instances \
  --key-name $AWS_SSH_KEY \
  --image-id ami-0ac019f4fcb7cb7e6 \
  --instance-type r5d.large \
  --network-interfaces DeviceIndex=0,NetworkInterfaceId=$eni2 \
  --query 'Instances[0].InstanceId' \
  --output text`

Next, let’s get the first public IPv6 address of instance-1 and store it in ip1.

ip1=`aws ec2 describe-instances \
  --filter Name=instance-id,Values=$vm1 \
  --output text \
  --query 'Reservations[].Instances[].NetworkInterfaces[].Ipv6Addresses[0].Ipv6Address'`

You can now access instance-1 with ssh -i <private key file> ubuntu@${ip1}. Similarly, for instance-2 you can retrieve the first public IPv6 address with:

ip2=`aws ec2 describe-instances \
  --filter Name=instance-id,Values=$vm2 \
  --output text \
  --query 'Reservations[].Instances[].NetworkInterfaces[].Ipv6Addresses[0].Ipv6Address'`

So you can access it with ssh -i <private key file> ubuntu@${ip2}.

Making the instances IPv6-friendly

We will need to install software on our instances. Unfortunately, this won’t be possible right off the bat, as our sources.list file comes with links to us-east-1.ec2.archive.ubuntu.com, which doesn’t resolve to an IPv6 address. We need to replace these to use archive.ubuntu.com instead, which properly supports IPv6. You can do this with sed.

sudo sed -i 's/us-east-1\.ec2\.//g' /etc/apt/sources.list

Now you can use apt-get with the option Acquire::ForceIPv6=true.

$ sudo apt-get -o Acquire::ForceIPv6=true update
Get:1 http://archive.ubuntu.com/ubuntu bionic InRelease [242 kB]
Get:2 http://security.ubuntu.com/ubuntu bionic-security InRelease [83.2 kB]
Get:3 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
...
Get:38 http://archive.ubuntu.com/ubuntu bionic-backports/universe Sources [2068 B]
Get:39 http://archive.ubuntu.com/ubuntu bionic-backports/universe amd64 Packages [3468 B]
Get:40 http://archive.ubuntu.com/ubuntu bionic-backports/universe Translation-en [1604 B]
Fetched 28.4 MB in 5s (5363 kB/s)
Reading package lists... Done

Re-configure IPv6 addressing on the instance and install Docker

Right now, our instances have a single interface with multiple IPv6 addresses. instance-1 shows five /128 IPv6 addresses.

$ ip add
...
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
...
    inet6 2600:1f18:47b:ca03::1:1/128 scope global dynamic noprefixroute
       valid_lft 385sec preferred_lft 85sec
    inet6 2600:1f18:47b:ca03::8/128 scope global dynamic noprefixroute
       valid_lft 385sec preferred_lft 85sec
    inet6 2600:1f18:47b:ca03::9/128 scope global dynamic noprefixroute
       valid_lft 385sec preferred_lft 85sec
    inet6 2600:1f18:47b:ca03::a/128 scope global dynamic noprefixroute
       valid_lft 385sec preferred_lft 85sec
    inet6 2600:1f18:47b:ca03::b/128 scope global dynamic noprefixroute
       valid_lft 385sec preferred_lft 85sec

New IPv6 address distribution

We want only one address (/64) on the main interface and a /126 on a Linux bridge (docker0), so that addresses for our containers are allocated from that range. For this purpose, we will edit netplan’s config file at /etc/netplan/50-cloud-init.yaml. It originally looks like this:

network:
  version: 2
  ethernets:
    ens5:
      dhcp4: true
      dhcp6: true
      match:
        macaddress: 12:fb:b4:8b:15:f8
      set-name: ens5

We only remove the dhcp6 statement from it.

network:
  version: 2
  ethernets:
    ens5:
      dhcp4: true
      match:
        macaddress: 12:fb:b4:8b:15:f8
      set-name: ens5

As a side note, and completely optional, the MAC address of the instance and the IPv6 addresses associated with it can be retrieved from the Instance Metadata at any time.

$ curl http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:fb:b4:8b:15:f8

And:

$ curl http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:fb:b4:8b:15:f8/ipv6s/
2600:1f18:47b:ca03:0:0:0:8
2600:1f18:47b:ca03:0:0:0:9
2600:1f18:47b:ca03:0:0:0:a
2600:1f18:47b:ca03:0:0:0:b
2600:1f18:47b:ca03:0:0:1:1

⚠️ Yeah, Instance Metadata is an IPv4-only service. The good news is you don’t need a public IPv4 address to access it.

Continuing with the instance’s interface configuration, we also need to create a separate file for the IPv6 config at /etc/netplan/60-ipv6-static.yaml.

network:
  version: 2
  ethernets:
    ens5:
      dhcp6: no
      accept-ra: no
      addresses:
      - 2600:1f18:47b:ca03::1:1/64
      gateway6: fe80::1066:30ff:feb8:c008

We disabled DHCPv6 (dhcp6: no) and discarded IPv6 Router Advertisements (accept-ra: no). The gateway information (fe80::1066:30ff:feb8:c008) comes from an iproute2 command (seems like it’s always the same in EC2).

$ ip -6 route | grep default
default via fe80::1066:30ff:feb8:c008 dev ens5 proto ra metric 100 pref medium

Finally, apply our config changes with netplan apply.

sudo netplan --debug apply

We repeat for instance-2 with the corresponding addresses.

Install Docker

You can follow the official installation guide or just run the following commands. Notice the option Acquire::ForceIPv6=true for apt-get.

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt-get -o Acquire::ForceIPv6=true update
sudo apt-get -o Acquire::ForceIPv6=true install -y docker-ce
sudo usermod -aG docker ${USER}

You need to log out and log back in for the user changes to take effect.

We will edit/create a Docker config file at /etc/docker/daemon.json to start allocating IPv6 addresses to our containers. It should look like this for instance-1.

{
  "ipv6": true,
  "fixed-cidr-v6": "2600:1f18:47b:ca03::8/126"
}

Then re-start the daemon to apply the changes; sudo systemctl restart docker. We have now successfully split the ENI IPv6 address allocation between the main interface and the Docker bridge.

$ ip add
...
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
...
    inet6 2600:1f18:47b:ca03::1:1/64 scope global
       valid_lft forever preferred_lft forever
...
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
...
    inet6 2600:1f18:47b:ca03::9/126 scope global tentative
       valid_lft forever preferred_lft forever
...

Do the same for instance-2, with fixed-cidr-v6 = ::c/126.
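
The address arithmetic behind the ENI reservation and the daemon.json above, as an added example (not code from the post): the four spare ENI addresses must fill exactly one aligned block, which then becomes fixed-cidr-v6, and the instance address must stay outside it. It uses Python's ipaddress module with the post's own addresses and assumes, as the outputs above show, that Docker takes the first host address of the block for docker0 and hands the rest to containers.

```python
import ipaddress
import json

# Constructed plan using the addresses the post reserves on each ENI: the
# first is the instance's own address, the other four should form the /126
# handed to docker0 via fixed-cidr-v6.
VPC_SUBNET = "2600:1f18:47b:ca03::/64"
ENI_PLANS = {
    "instance-1": {"primary": "2600:1f18:47b:ca03::1:1",
                   "bridge": ["2600:1f18:47b:ca03::8", "2600:1f18:47b:ca03::9",
                              "2600:1f18:47b:ca03::a", "2600:1f18:47b:ca03::b"]},
    "instance-2": {"primary": "2600:1f18:47b:ca03::2:2",
                   "bridge": ["2600:1f18:47b:ca03::c", "2600:1f18:47b:ca03::d",
                              "2600:1f18:47b:ca03::e", "2600:1f18:47b:ca03::f"]},
}


def bridge_block(addresses):
    """Return the aligned IPv6 network that `addresses` fill exactly.

    Docker needs a real prefix, so a set such as ::9-::c (four addresses that
    straddle a /126 boundary) is rejected instead of silently rounded down.
    """
    addrs = sorted(ipaddress.IPv6Address(a) for a in addresses)
    count = len(addrs)
    if count == 0 or count & (count - 1):
        raise ValueError("the bridge block needs a power-of-two address count")
    prefix = 129 - count.bit_length()          # 4 addresses -> /126
    net = ipaddress.IPv6Network((addrs[0], prefix), strict=False)
    if list(net) != addrs:
        raise ValueError(f"{[str(a) for a in addrs]} is not an aligned /{prefix}")
    return net


def valid_bridge_block(addresses):
    """Boolean form of bridge_block() for quick checks."""
    try:
        bridge_block(addresses)
        return True
    except ValueError:
        return False


def docker_plan(plan, vpc_subnet=VPC_SUBNET):
    """Derive the netplan address, daemon.json and the addresses Docker will
    hand out, mirroring what the post observed on instance-1 (::9 on docker0,
    ::a for the first container). The docker0/container split is an assumption
    taken from those outputs, not something Docker guarantees."""
    subnet = ipaddress.IPv6Network(vpc_subnet)
    primary = ipaddress.IPv6Address(plan["primary"])
    net = bridge_block(plan["bridge"])
    if not net.subnet_of(subnet):
        raise ValueError(f"{net} is outside the VPC subnet {subnet}")
    if primary in net:
        raise ValueError(f"primary {primary} collides with bridge block {net}")
    hosts = list(net)
    warnings = []
    if net.prefixlen > 80:   # Docker's /80 recommendation, quoted later in the post
        warnings.append(f"/{net.prefixlen} is smaller than the /80 Docker recommends")
    return {
        "netplan_address": f"{primary}/{subnet.prefixlen}",
        "daemon_json": json.dumps({"ipv6": True, "fixed-cidr-v6": str(net)}, indent=2),
        "docker0": str(hosts[1]),                    # first host address: the bridge
        "containers": [str(h) for h in hosts[2:]],   # what is left for containers
        "warnings": warnings,
    }


if __name__ == "__main__":
    for name, plan in ENI_PLANS.items():
        print(name, docker_plan(plan))
```

With a /126 only two container addresses remain per instance, which is why the post's proof of concept runs a single container on each.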

Run a couple of containers using only IPv6

We are ready to run containers. Or at least that’s what I thought. Turns out registry-1.docker.io and hub.docker.com don’t support IPv6, so we can’t get Docker images from them.

Running an image

Have we come to a dead end? No, Google Container Registry comes to our rescue: gcr.io/gcp-runtimes/ubuntu_18_0_4:latest. Let’s run this on each instance.

docker run -it --rm gcr.io/gcp-runtimes/ubuntu_18_0_4:latest bash

Install ping and iproute2 in each container to do some connectivity tests and check the routing table.

apt-get -o Acquire::ForceIPv6=true update
apt-get -o Acquire::ForceIPv6=true install iputils-ping iproute2 -y

At this point, we have already validated the instances can access the Internet over IPv6 (via apt-get). Let’s look at the IP addresses allocated; we got ::a in the container on instance-1 (container-1). Similarly, we got ::e in the container running on instance-2 (container-2).

root@d7c9480161f9:/# ip add
...
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
...
    inet6 2600:1f18:47b:ca03::a/126 scope global nodad
       valid_lft forever preferred_lft forever
...

To make more explicit that this is working, we can ping a host in the Internet over IPv6.

root@d7c9480161f9:/# ping6 ipv6-test.com -c 1
PING ipv6-test.com(agaric.t0x.net (2001:41d0:8:e8ad::1)) 56 data bytes
64 bytes from agaric.t0x.net (2001:41d0:8:e8ad::1): icmp_seq=1 ttl=46 time=78.7 ms

--- ipv6-test.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 78.788/78.788/78.788/0.000 ms

Ok, let’s now ping container-2 (5312fff41595) from container-1 (d7c9480161f9).

root@d7c9480161f9:/# ping6 2600:1f18:47b:ca03::e -c 1
PING 2600:1f18:47b:ca03::e(2600:1f18:47b:ca03::e) 56 data bytes
64 bytes from 2600:1f18:47b:ca03::e: icmp_seq=1 ttl=62 time=0.250 ms

--- 2600:1f18:47b:ca03::e ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.250/0.250/0.250/0.000 ms

The other way around (container-2 to container-1), just in case. It all works.

root@5312fff41595:/# ping6 2600:1f18:47b:ca03::a -c 1
PING 2600:1f18:47b:ca03::a(2600:1f18:47b:ca03::a) 56 data bytes
64 bytes from 2600:1f18:47b:ca03::a: icmp_seq=1 ttl=62 time=0.263 ms

--- 2600:1f18:47b:ca03::a ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.263/0.263/0.263/0.000 ms

If this isn’t working for you, make sure the Security Group applied to the ENI allows IPv6 ICMP from your instances. I specifically created an inbound Custom ICMP Rule — IPv6 with the same Security Group ID as the source to make this example work.
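
A check for the Security Group condition just described, as an added example that is not part of the original post: it inspects a constructed describe-security-groups document (the post's placeholder group ID, made-up rules and account ID) for an inbound rule that lets members of the same group send ICMPv6 echo requests, or a CIDR rule that covers the pinging container.

```python
import ipaddress
import json

# Constructed, trimmed-down sample in the shape of
# `aws ec2 describe-security-groups --group-ids <sgId>` output. The group ID
# is the post's placeholder; the rules and the UserId are made up.
SAMPLE_SG = json.loads("""
{"SecurityGroups": [{
  "GroupId": "sg-0eaf439572982yyyy",
  "IpPermissions": [
    {"IpProtocol": "icmpv6", "FromPort": -1, "ToPort": -1,
     "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0eaf439572982yyyy", "UserId": "123456789012"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}
  ]}]}
""")

ICMPV6_ECHO_REQUEST = 128   # ICMPv6 type; EC2 carries the type in FromPort for icmpv6 rules


def _covers_echo(perm):
    """True if the rule's protocol and type range include ICMPv6 echo request."""
    proto = perm["IpProtocol"]
    if proto == "-1":                      # "all traffic" rules carry no ports
        return True
    if proto not in ("icmpv6", "58"):      # 58 is the IANA protocol number for ICMPv6
        return False
    return perm.get("FromPort", -1) in (-1, ICMPV6_ECHO_REQUEST)


def icmpv6_echo_allowed(sg_doc, group_id, source_address):
    """Check whether an instance in `group_id` accepts ICMPv6 echo from
    `source_address`, either because the source sits in the same group (the
    post's rule) or because an Ipv6Ranges entry covers the address."""
    src = ipaddress.IPv6Address(source_address)
    for sg in sg_doc["SecurityGroups"]:
        if sg["GroupId"] != group_id:
            continue
        for perm in sg["IpPermissions"]:
            if not _covers_echo(perm):
                continue
            if any(p.get("GroupId") == group_id for p in perm.get("UserIdGroupPairs", [])):
                return True
            if any(src in ipaddress.IPv6Network(r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", [])):
                return True
    return False
```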

Routing tables

Let’s explore the routing table in container-1.

root@d7c9480161f9:/# ip -6 route
2600:1f18:47b:ca03::8/126 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via 2600:1f18:47b:ca03::9 dev eth0 metric 1024 pref medium

::9 is the IP on docker0, as seen in a previous terminal output. What about instance-1’s routing table?

$ ip -6 route
2600:1f18:47b:ca03::8/126 dev docker0 proto kernel metric 256 pref medium
2600:1f18:47b:ca03::8/126 dev docker0 metric 1024 pref medium
2600:1f18:47b:ca03::/64 dev ens5 proto kernel metric 256 pref medium
...
default via fe80::1066:30ff:feb8:c008 dev ens5 proto static metric 1024 pref medium

Word of advice

Docker suggests we enable IPv6 routing on Linux to make this work by executing the following two lines.

sudo sysctl net.ipv6.conf.default.forwarding=1
sudo sysctl net.ipv6.conf.all.forwarding=1

I didn’t have to do it for this example, as the EC2 instances came with this already set up. Docker also does not recommend IPv6 subnets smaller than /80.

⚠️ “The subnet for Docker containers should at least have a size of /80, so that an IPv6 address can end with the container’s MAC address and you prevent NDP neighbor cache invalidation issues in the Docker layer” [Docker]

Last, but not least, I ran into a discussion where they state IPv6 is disabled on containers in some Docker versions. I’m running 18.09.0.

$ docker info -f '{{.ServerVersion}}'
18.09.0

The following are the network kernel settings for disable_ipv6 within the container.

root@d7c9480161f9:/# sysctl -a | grep disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0

Conclusion

While this is not exactly the end goal, it is interesting to know we can run IPv6-only containers in the cloud today. ✅

Next up, I’ll try to extend this and run Kubernetes with only IPv6 on a cloud provider… Or maybe check out IPv6 support among different Cloud Providers first.

Translated from: https://www.freecodecamp.org/news/how-to-run-ipv6-enabled-docker-containers-on-aws-87e090ab0397/
