Errors in container without IPv6 #1546

Open
onovy opened this issue Jul 11, 2024 · 11 comments

@onovy

onovy commented Jul 11, 2024

Hi,

I have disabled IPv6 inside the container and the logs are full of errors like this:

```
[2024-07-11 04:07:33] ERROR error on processing request:resolution failed: resolver: "upstream 'https://dns.google/dns-query'" error: upstream 'https://dns.google/dns-query': can't resolve request via upstream server https://dns.google/dns-query (https://[2001:4860:4860::8888]:443/dns-query): can't perform https request: Post "https://[2001:4860:4860::8888]:443/dns-query": dial tcp [2001:4860:4860::8888]:443: connect: cannot assign requested address
```

It looks like the DNS resolver is trying to connect to Google DoH over IPv6, which obviously fails. In an IPv6-disabled container it should not try to connect to upstream DNS over IPv6 at all.

The same problem occurs when downloading adlists:

```
[2024-07-08 09:28:35]  WARN list_cache: Can't download file: Get "https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt": dial tcp [2606:50c0:8000::154]:443: connect: cannot assign requested address attempt=1/3 link=https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt
```

Thanks.

@ThinkChaos
Collaborator

Hi,

You can use connectIPVersion (see the basic configuration docs) and potentially filtering to stop clients from resolving IPv6 addresses.

@onovy
Author

onovy commented Sep 6, 2024

Thanks a lot for this workaround. But I think it should still be handled better by default.

If you have hosts without an IPv6 stack, it should not try to connect over IPv6 at all. As you can see from the error message "cannot assign requested address", IPv6 is correctly disabled: the kernel doesn't allow binding an IPv6 address for an outbound connection.

@imp1sh

imp1sh commented Sep 23, 2024

This is a questionable method in the first place. Plenty of different applications will break when you fully disable the IPv6 stack.

@onovy
Author

onovy commented Sep 23, 2024

Any example of an application which doesn't work with a disabled IPv6 stack, please?

@ThinkChaos
Collaborator

How are you disabling the networking in the container?

Do you have any ideas on detecting disabled IPv6 from Go?
Reading /proc/sys is not portable, and has to be done by network interface which is not straightforward as we listen on addresses. Maybe just detecting if it's disabled for all interfaces would be good enough, but need the answer to the first question.

@imp1sh

imp1sh commented Sep 23, 2024

An example is exim4 on Debian12. When the IPv6 stack is disabled it won't start.

@onovy
Author

onovy commented Sep 23, 2024

It's an option when creating a network in Docker, for example:

```
docker network create --ipv6=false network_name
```

What about this?
https://pkg.go.dev/golang.org/x/[email protected]/nettest#SupportsIPv6
But TBH I'm not Go developer :).

imp1sh:
Because the default configuration tries to bind to ::1, see https://www.chengweiyang.cn/2014/11/22/Disable-ipv6-breaks-my-email-system/, which is expected. But we are not talking about binding, but about connecting to the outer world here, right?

@imp1sh

imp1sh commented Sep 23, 2024

Why do you disable IPv6 in the first place?

@onovy
Author

onovy commented Sep 23, 2024

I didn't, it's disabled in Docker by default :)

```
# docker inspect bridge| grep EnableIPv6
        "EnableIPv6": false,
# docker inspect host| grep EnableIPv6
        "EnableIPv6": false,
```

@ThinkChaos
Collaborator

ThinkChaos commented Sep 24, 2024

> What about this?
> https://pkg.go.dev/golang.org/x/[email protected]/nettest#SupportsIPv6
> But TBH I'm not Go developer :).

Ah nice thanks, I didn't find that one when I looked!
Seems like we could change the default to be conditional on this... so I pushed a branch in my fork that makes the default connectIPVersion use that: feat/detect-no-ipv6. If you can try it out it would be great! If you need more detailed instructions/a prebuilt container let me know.
EDIT: to be clear, I haven't tested that code at all, just wrote it out, so IDK if it's going to work, but I put warning logs so you should be able to see what happens (or not).

@imp1sh I agree disabling IPv6 is not ideal from the start, but unfortunately it's still common so I think if we can easily detect it we might as well.
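
An added example, not part of the thread and not the code in the feat/detect-no-ipv6 branch: one way to detect a non-functional IPv6 stack from Go with only the standard library, by binding loopback listeners and deriving a default dial network from the result. The `IPVersion` type, its values and all function names are hypothetical.

```go
package main

import (
	"fmt"
	"net"
)

// IPVersion is a hypothetical stand-in for a connectIPVersion-style setting.
type IPVersion string

const (
	Dual IPVersion = "dual"
	V4   IPVersion = "IPv4"
	V6   IPVersion = "IPv6"
)

// ListenProbe binds an ephemeral loopback port and releases it at once.
// Nothing leaves the host, so no upstream has to be reachable.
func ListenProbe(network, addr string) bool {
	ln, err := net.Listen(network, addr)
	if err != nil {
		return false // the stack cannot bind this address family
	}
	ln.Close()
	return true
}

// DetectIPVersion picks a default from what the local stack can bind.
// When neither or both families bind, the dual default is kept.
func DetectIPVersion(probe func(network, addr string) bool) IPVersion {
	v4, v6 := probe("tcp4", "127.0.0.1:0"), probe("tcp6", "[::1]:0")
	switch {
	case v4 && !v6:
		return V4
	case v6 && !v4:
		return V6
	}
	return Dual
}

// DialNetwork maps the setting to the network name given to net.Dialer.
func DialNetwork(v IPVersion) string {
	return map[IPVersion]string{Dual: "tcp", V4: "tcp4", V6: "tcp6"}[v]
}

func main() {
	v := DetectIPVersion(ListenProbe)
	fmt.Printf("detected=%s dial network=%s\n", v, DialNetwork(v))
}
```

Passing the `DialNetwork` result as the network argument of `net.Dialer.DialContext` keeps outbound connections on the address family that works.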

@onovy
Author

onovy commented Sep 27, 2024

I can confirm: with this patch inside a container without IPv6, it disables IPv6:

```
[2024-09-27 10:53:44] WARN detecting IPv6 functionality
[2024-09-27 10:53:44] WARN IPv6 does not seem functional, using connectIPVersion=IPv4
[2024-09-27 10:53:44] WARN detecting IPv6 functionality
[2024-09-27 10:53:44] WARN IPv6 does not seem functional, using connectIPVersion=IPv4
```

Dunno why it's in the log twice :)
