IPv6 Disabled, results in nginx to fail to start from container

BrettC · August 9, 2024, 6:07pm

Greetings, I have IPv6 disabled on my Raspberry Pi3 via the /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

However, upon disabling IPv6, rebooting the RBPi3b, nginx fails to start from the container image: registry.gitlab.com/rshake-public/rsh-fe-config:v19. The error returned is:

nginx: [emerg] socket() [::]:80 failed (97: Address family not supported by protocol)

Please keep in mind that the device is sending data to the raspberryshake network without issue, I can access port 18000 without issue, same goes for SSH, but local web access is failing with IPv6 fully disabled.

When I check the docker container for nginx (/etc/nginx/http.d/fe.conf), I can see that this line exists:

listen [::]:80 default_server ipv6only=on;

I can make entry into the container and issue the command sed -i '/listen \[/s/^/#/g' /etc/nginx/http.d/fe.conf to comment out this line, then restart nginx via nginx -c /etc/nginx/nginx.conf, and the web gui functions as it normally would.

Is there a way to make the ipv6 a dynamic check when the docker images are updated (on update or restart)?

Stormchaser · August 9, 2024, 8:52pm

Hello BrettC, and welcome back to the community!

I am trying to replicate your situation by adding the same third line to my /etc/sysctl.conf. However, after rebooting, I can still access the Shake FE via direct local IP address (mine is in the 192.168.xxx.xxx range).

Can you try to see if this is valid for your situation too?

BrettC · August 10, 2024, 4:07am

Greetings! The result is connection refused when IPv6 is fully disabled at the RBPi3 when accessed from within the LAN.

When netstat -anoep is ran, I can see that the docker-proxy process is listening on port 80. The issue seems to be at the nginx level within the container running, it’s effectively throwing an emerg that IPv6 doesn’t exist on the machine (container in this case) but the configuration of nginx is expecting IPv6 is be enabled and available. When this transpires, nginx will fail to start within the container.

root@raspberryshake:~# netstat -anoep
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name     Timer
tcp        0      0 0.0.0.0:10090           0.0.0.0:*               LISTEN      0          19733      1069/docker-proxy    off (0.00/0/0)
tcp        0      0 0.0.0.0:10091           0.0.0.0:*               LISTEN      0          18771      1060/docker-proxy    off (0.00/0/0)
tcp        0      0 0.0.0.0:10092           0.0.0.0:*               LISTEN      0          17029      1051/docker-proxy    off (0.00/0/0)
tcp        0      0 0.0.0.0:10093           0.0.0.0:*               LISTEN      0          19702      1042/docker-proxy    off (0.00/0/0)
tcp        0      0 0.0.0.0:10094           0.0.0.0:*               LISTEN      0          19688      1033/docker-proxy    off (0.00/0/0)
tcp        0      0 0.0.0.0:10095           0.0.0.0:*               LISTEN      0          19680      1024/docker-proxy    off (0.00/0/0)
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          15626      336/rpcbind          off (0.00/0/0)
tcp        0      0 0.0.0.0:18000           0.0.0.0:*               LISTEN      0          21734      1696/docker-proxy    off (0.00/0/0)
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          18787      1078/docker-proxy    off (0.00/0/0)
tcp        0      0 0.0.0.0:10096           0.0.0.0:*               LISTEN      0          18745      1014/docker-proxy    off (0.00/0/0)
tcp        0      0 0.0.0.0:10097           0.0.0.0:*               LISTEN      0          16962      1005/docker-proxy    off (0.00/0/0)
tcp        0      0 0.0.0.0:18002           0.0.0.0:*               LISTEN      0          21726      1687/docker-proxy    off (0.00/0/0)
tcp        0      0 0.0.0.0:10098           0.0.0.0:*               LISTEN      0          16954      996/docker-proxy     off (0.00/0/0)
tcp        0      0 0.0.0.0:10099           0.0.0.0:*               LISTEN      0          19619      986/docker-proxy     off (0.00/0/0)
tcp        0      0 0.0.0.0:10100           0.0.0.0:*               LISTEN      0          17879      977/docker-proxy     off (0.00/0/0)
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      0          19755      1087/docker-proxy    off (0.00/0/0)
tcp        0      0 0.0.0.0:18006           0.0.0.0:*               LISTEN      0          22740      1671/docker-proxy    off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          16283      593/sshd             off (0.00/0/0)
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      0          28993      4315/sshd: root@pts  off (0.00/0/0)
tcp        0      0 0.0.0.0:16032           0.0.0.0:*               LISTEN      0          22926      1845/docker-proxy    off (0.00/0/0)
tcp        0      0 172.17.0.2:8000         0.0.0.0:*               LISTEN      0          19983      1188/python          off (0.00/0/0)
tcp        0      0 127.0.0.1:2947          0.0.0.0:*               LISTEN      0          14403      1/init               off (0.00/0/0)
tcp        0      0 172.17.0.2:18000        172.17.0.5:55278        ESTABLISHED 0          22365      1696/docker-proxy    off (0.00/0/0)
tcp        0    128 192.168.21.12:22        192.168.20.58:32983     ESTABLISHED 0          28061      4315/sshd: root@pts  on (0.07/0/0)
tcp        0      0 172.17.0.2:51544        172.17.0.4:18000        ESTABLISHED 0          22367      1696/docker-proxy    off (0.00/0/0)

Detailing and belving a bit more into the Pi3b and IPv6, the following processes were done:

Edited /boot/cmdline.txt to have ipv6.disable=1 added at the end.
Edited /etc/sysctl.conf to have the following at the end of file: net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1
Ran command sysctl -p to apply the sysctl items.
Rebooted.

Before the IPv6 being disabled:

root@raspberryshake:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:ca:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.21.12/22 brd 192.168.23.255 scope global dynamic noprefixroute eth0
       valid_lft 604660sec preferred_lft 529060sec
    inet6 2605:59c8:41fc:a000:ba27:ebff:XXXX:XXXX/64 scope global dynamic mngtmpaddr
       valid_lft 14265sec preferred_lft 14265sec
    inet6 fe80::ba27:ebff:XXXX:XXXX/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:9a:19:ff:2f brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:9aff:fe19:ff2f/64 scope link
       valid_lft forever preferred_lft forever
6: vethec7bab5@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 1e:90:c2:db:28:38 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.83.206/16 brd 169.254.255.255 scope global noprefixroute vethec7bab5
       valid_lft forever preferred_lft forever
    inet6 fe80::8cee:bea0:6a5d:2e32/64 scope link
       valid_lft forever preferred_lft forever
8: vethf4d3509@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether c6:33:b9:3c:b3:4c brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet 169.254.228.121/16 brd 169.254.255.255 scope global noprefixroute vethf4d3509
       valid_lft forever preferred_lft forever
    inet6 fe80::cc47:54cb:5050:f5f4/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::c433:b9ff:fe3c:b34c/64 scope link
       valid_lft forever preferred_lft forever
10: veth457ce6e@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 4e:6f:52:1f:df:cb brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet 169.254.198.40/16 brd 169.254.255.255 scope global noprefixroute veth457ce6e
       valid_lft forever preferred_lft forever
    inet6 fe80::d809:68a6:acbc:d5b7/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::4c6f:52ff:fe1f:dfcb/64 scope link
       valid_lft forever preferred_lft forever

After the IPv6 being disabled:

root@raspberryshake:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:ca:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.21.12/22 brd 192.168.23.255 scope global dynamic noprefixroute eth0
       valid_lft 604229sec preferred_lft 528629sec
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:b7:06:dd:56 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 scope global docker0
       valid_lft forever preferred_lft forever
6: veth507c563@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 1e:f6:76:aa:a8:72 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.171.137/16 brd 169.254.255.255 scope global noprefixroute veth507c563
       valid_lft forever preferred_lft forever
8: veth37ddeda@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether ce:01:b6:1b:0c:5f brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet 169.254.249.139/16 brd 169.254.255.255 scope global noprefixroute veth37ddeda
       valid_lft forever preferred_lft forever
10: veth37dea23@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether c6:6d:56:9f:88:64 brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet 169.254.178.223/16 brd 169.254.255.255 scope global noprefixroute veth37dea23
       valid_lft forever preferred_lft forever

Stormchaser · August 12, 2024, 10:09am

Thank you for the further details BrettC!

I was able to reproduce the issue on my test Shake, and I have forwarded all I’ve found (together with your detailed update) to the team. I’ll update you as soon as I have news from them.

Stormchaser · August 12, 2024, 8:03pm

Hello again BrettC,

Our team has reviewed what you wrote and told me that this issue will be addressed in the next Shake OS update.

However, as of now, we cannot provide a specific ETA for when this new implementation will be available.

Thank you for your patience in the meantime. Be sure to keep a lookout for any new announcements on the forum. We will definitely post one when the OS is released!

In the meantime, if anyone else from the community wants to add anything, feel free!

BrettC · August 12, 2024, 8:39pm

Not a problem. If things revert on my end, I’ll just reapply what I have manually until the new update rolls out.