Disable IPv6 address on certain containers

I noticed that containers created from docker images do not have an IPv6 address, and neither do containers created from Alpine Linux images. The issue is that the DNS system creates AAAA records for these containers with a bogus IPv6 address, and accessing the container via the FQDN fails. Is there a way to disable AAAA record generation for these containers?

That is not accurate. I have got containers based on images from both alpine and docker images with both ipv4 and ipv4 addresses.

Is there anything specific to your network?

$ incus ls
+----------+---------+------------------------------+-----------------------------------------------+-----------------+-----------+
|   NAME   |  STATE  |             IPV4             |                     IPV6                      |      TYPE       | SNAPSHOTS |
+----------+---------+------------------------------+-----------------------------------------------+-----------------+-----------+
| alpine   | RUNNING | 11.0.0.17 (eth0)             | fd42:c876:306b:5f62:216:3eff:fe03:cf94 (eth0) | CONTAINER       | 0         |
+----------+---------+------------------------------+-----------------------------------------------+-----------------+-----------+
| caddy    | RUNNING | 11.0.0.155 (eth0)            | fd42:c876:306b:5f62:216:3eff:fe1a:40e8 (eth0) | CONTAINER (APP) | 0         |
+----------+---------+------------------------------+-----------------------------------------------+-----------------+-----------+

You can also create a new network with ipv6 disabled, and assign that network to the containers.

# create a network with ipv6 disabled
incus network create mynet ipv6.address=none

# start a container with the network
incus launch images:alpine/edge alpine --network=mynet

Or you can simply disable ipv6 on the default bridge network.

# disable ipv6 on the default network
incus network set incusbr0 ipv6.address=none

Can you show examples of these? I think you are seeing IPv6 private addresses, and these are generated by each runtime (i.e. each rootfs).

I don’t think there’s anything specific. I’m running Incus 6.4 on Slackware current.

[~]$ incus list

+---------------------+---------+-----------------------+------+-----------------+-----------+
| NAME         |  STATE  |         IPV4          | IPV6 |      TYPE       | SNAPSHOTS |
+---------------------+---------+-----------------------+------+-----------------+-----------+
| alpine       | RUNNING | 10.230.138.105 (eth0) |      | CONTAINER       | 0         |
+---------------------+---------+-----------------------+------+-----------------+-----------+

It’s important to show the full picture. Here’s me creating the noipv6 network (as described by @abiosoft), then launching a container.
The container gets an IPv6 address but Incus is not aware of it.
Try the same steps and post if you get some different result.

$ incus network create noipv6 ipv6.address=none
Network noipv6 created
$ incus network show noipv6
config:
  ipv4.address: 10.248.131.1/24
  ipv4.nat: "true"
  ipv6.address: none
description: ""
name: noipv6
type: bridge
used_by: []
managed: true
status: Created
locations:
- none
project: default
$ incus launch images:alpine/edge alpine --network=noipv6
Launching alpine
$ incus shell alpine
alpine:~# ifconfig 
eth0      Link encap:Ethernet  HWaddr 00:16:17:18:19:20  
          inet addr:10.248.131.31  Bcast:10.248.131.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe1f:9bac/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:827 (827.0 B)  TX bytes:1312 (1.2 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

alpine:~# 
$ incus list alpine
+--------+---------+----------------------+------+-----------+-----------+
|  NAME  |  STATE  |         IPV4         | IPV6 |   TYPE    | SNAPSHOTS |
+--------+---------+----------------------+------+-----------+-----------+
| alpine | RUNNING | 10.248.131.31 (eth0) |      | CONTAINER | 0         |
+--------+---------+----------------------+------+-----------+-----------+
$ 

What is weird though, is that two such containers can ping each other over the IPv6 link-local address. :thinking:

$ incus launch images:alpine/edge alpine1 --network=noipv6
Launching alpine1
$ incus launch images:alpine/edge alpine2 --network=noipv6
Launching alpine2
$ incus exec alpine1 -- ip -6 addr show eth0
35: eth0@if36: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 state UP qlen 1000
    inet6 fe80::216:3eff:fea5:6202/64 scope link 
       valid_lft forever preferred_lft forever
$ incus exec alpine2 -- ip -6 addr show eth0
33: eth0@if34: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 state UP qlen 1000
    inet6 fe80::216:3eff:fe15:9fd/64 scope link 
       valid_lft forever preferred_lft forever
$ incus exec alpine1 -- ping -6 -c 3 fe80::216:3eff:fe15:9fd
PING fe80::216:3eff:fe15:9fd (fe80::216:3eff:fe15:9fd): 56 data bytes
64 bytes from fe80::216:3eff:fe15:9fd: seq=0 ttl=64 time=0.101 ms
64 bytes from fe80::216:3eff:fe15:9fd: seq=1 ttl=64 time=0.059 ms
64 bytes from fe80::216:3eff:fe15:9fd: seq=2 ttl=64 time=0.072 ms

--- fe80::216:3eff:fe15:9fd ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.059/0.077/0.101 ms
$ 
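A way to check for the situation shown above, where an instance on an `ipv6.address=none` bridge still has link-local IPv6 reachability that `incus list` does not report. This is an added example, not part of any post in the thread: the function names and sample lines are constructed (addresses reused from the outputs above), and the parser assumes the one-line format of `ip -6 -o addr show`.

```shell
#!/bin/sh
# Constructed sample: one-line `ip -6 -o addr show` output for an instance on
# the noipv6 bridge (only loopback and an fe80::/10 address present).
sample_noipv6='1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
35: eth0    inet6 fe80::216:3eff:fea5:6202/64 scope link \       valid_lft forever preferred_lft forever'

# Constructed sample: an instance on a bridge that hands out a ULA prefix.
sample_default='1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
13: eth0    inet6 fd42:c876:306b:5f62:216:3eff:fe03:cf94/64 scope global dynamic \       valid_lft 3600sec preferred_lft 3600sec
13: eth0    inet6 fe80::216:3eff:fe03:cf94/64 scope link \       valid_lft forever preferred_lft forever'

# Reads `ip -6 -o addr show` lines on stdin and prints "<iface> <verdict>" for
# every non-loopback interface:
#   global           at least one address with scope global
#   link-local-only  only fe80::/10 addresses; still reachable from every
#                    other port on the same bridge
#   other            anything else (for example site scope)
classify_ipv6() {
    awk '
        $3 == "inet6" && $2 != "lo" {
            scope = ""
            for (i = 4; i < NF; i++) if ($i == "scope") scope = $(i + 1)
            if (!($2 in best)) order[++n] = $2
            if (scope == "global") best[$2] = "global"
            else if (scope == "link" && best[$2] != "global") best[$2] = "link-local-only"
            else if (!($2 in best)) best[$2] = "other"
        }
        END { for (i = 1; i <= n; i++) print order[i], best[order[i]] }
    '
}

# Hypothetical wrapper for a live host: classify the interfaces of one instance.
# Usage: check_instance alpine1
check_instance() {
    incus exec "$1" -- ip -6 -o addr show | classify_ipv6
}
```

An interface reported as `link-local-only` on a network meant to carry no IPv6 is the case to review, because firewall rules and inventory built from `incus list` will not account for it.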

I do not want to create an IPv4-only network if it’s not really necessary.

@abiosoft

What distribution and Incus version are you running?

Incus 6.4 on Ubuntu 24.04

$ cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo

$ incus version
Client version: 6.4
Server version: 6.4

Could you please post your kernel config options? Specifically, IP related options. Thank you.

I have made zero modifications to the kernel (config). It is based off the standard Ubuntu 24.04 release.

It is not clear what you are trying to do.

Perhaps you need to define what you mean by bogus IPv6 address.

You give the impression that you do not want any IPv6 addresses, but you do not want an IPv4-only network either.

By bogus, I mean that the IPv6 address could not be used to access the instance: ping would fail.

I had assumed that certain images didn’t have IPv6 addresses, and that Incus DNS was creating what I called bogus addresses. It turns out that my kernel was misconfigured: I went to the Incus-try-it web page, accessed the kernel config, and fixed my config accordingly. I now have valid IPv6 addresses for all my instances. This issue can be closed.


Thanks for working this out. Can you post something more in case someone is affected by the same issue? Specifically, the problem lines in the kernel config.

Here’s a diff between my old config and working config.

--- config-6.10.7-orig	2024-09-01 13:52:20.063995761 -0400
+++ linux-6.10.7/.config	2024-09-01 13:59:02.887994224 -0400
@@ -1201,9 +1201,11 @@
 # CONFIG_TCP_CONG_ADVANCED is not set
 CONFIG_TCP_CONG_CUBIC=y
 CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_AO is not set
 # CONFIG_TCP_MD5SIG is not set
-CONFIG_IPV6=m
-# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6=y
+CONFIG_IPV6_ROUTER_PREF=y
+CONFIG_IPV6_ROUTE_INFO=y
 # CONFIG_IPV6_OPTIMISTIC_DAD is not set
 CONFIG_INET6_AH=m
 CONFIG_INET6_ESP=m
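Review bot: the `CONFIG_IPV6=m` to `CONFIG_IPV6=y` change at the top of this hunk is bundled with `CONFIG_IPV6_ROUTER_PREF=y` and `CONFIG_IPV6_ROUTE_INFO=y`, so the diff does not say which of the three was the fix. It would help to state whether building IPv6 in was enough, for example by reverting the other two and re-testing. `CONFIG_INET6_AH` and `CONFIG_INET6_ESP` stay at `=m`, and the added `# CONFIG_TCP_AO is not set` line only records an option that remains disabled.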
@@ -1216,18 +1218,22 @@
 CONFIG_INET6_TUNNEL=m
 CONFIG_IPV6_VTI=m
 CONFIG_IPV6_SIT=m
-# CONFIG_IPV6_SIT_6RD is not set
+CONFIG_IPV6_SIT_6RD=y
 CONFIG_IPV6_NDISC_NODETYPE=y
 CONFIG_IPV6_TUNNEL=m
 CONFIG_IPV6_GRE=m
 CONFIG_IPV6_FOU=m
 CONFIG_IPV6_FOU_TUNNEL=m
-# CONFIG_IPV6_MULTIPLE_TABLES is not set
-# CONFIG_IPV6_MROUTE is not set
-# CONFIG_IPV6_SEG6_LWTUNNEL is not set
-# CONFIG_IPV6_SEG6_HMAC is not set
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+CONFIG_IPV6_MROUTE=y
+CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
+CONFIG_IPV6_PIMSM_V2=y
+CONFIG_IPV6_SEG6_LWTUNNEL=y
+CONFIG_IPV6_SEG6_HMAC=y
+CONFIG_IPV6_SEG6_BPF=y
 # CONFIG_IPV6_RPL_LWTUNNEL is not set
-# CONFIG_IPV6_IOAM6_LWTUNNEL is not set
+CONFIG_IPV6_IOAM6_LWTUNNEL=y
 # CONFIG_NETLABEL is not set
 # CONFIG_MPTCP is not set
 CONFIG_NETWORK_SECMARK=y
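Review bot: the lines from `CONFIG_IPV6_SIT_6RD=y` through `CONFIG_IPV6_IOAM6_LWTUNNEL=y` switch on 6rd, multiple routing tables, multicast routing with PIM-SM, segment routing (with HMAC and BPF support) and IOAM in one go, with no indication of which of them the container addressing depends on. Anyone copying this should enable them one at a time and leave off the ones that make no difference, since each adds kernel networking code that was not built before.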
@@ -2905,6 +2911,7 @@
 CONFIG_VIRTIO_NET=m
 CONFIG_NLMON=m
 # CONFIG_NETKIT is not set
+# CONFIG_NET_VRF is not set
 # CONFIG_VSOCKMON is not set
 CONFIG_MHI_NET=m
 CONFIG_SUNGEM_PHY=m
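Review bot: the only change in this hunk, `# CONFIG_NET_VRF is not set`, records an option that stays disabled, so it has no part in the fix and can be left out when summarising the problem lines.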