{"id":3838,"date":"2015-10-03T15:14:20","date_gmt":"2015-10-03T15:14:20","guid":{"rendered":"http:\/\/really.zonky.org\/?p=3838"},"modified":"2019-06-05T19:42:05","modified_gmt":"2019-06-05T19:42:05","slug":"linux-containers-disabling-the-autoconfigured-ipv6-address","status":"publish","type":"post","link":"https:\/\/really.zonky.org\/?p=3838","title":{"rendered":"Linux Containers: Disabling The Autoconfigured IPv6 Address"},"content":{"rendered":"<p><em>A newer <a href=\"https:\/\/really.zonky.org\/?p=5553\">post<\/a> has more information (and more reliable information).<\/em><\/p>\n<p>One of the things that has been mildly irritating me about my little collection of Linux containers has been that in addition to the statically defined IPv6 addresses, there is also an automatically defined IPv6 address :-<\/p>\n<pre>\u00bb lxc-ls --fancy\nNAME \u00a0 \u00a0 \u00a0STATE \u00a0 \u00a0IPV4 \u00a0 \u00a0 \u00a0 IPV6 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0AUTOSTART \u00a0\n---------------------------------------------------------------------------------------------------------\napricot \u00a0 RUNNING \u00a010.0.0.34 \u00a02001:db8:ca2c:dead:21e:a0ff:feb6:6a, 2001:db8:ca2c:dead::3eb \u00a0 \u00a0 \u00a0YES \u00a0 \u00a0 \u00a0 \u00a0\nchagers \u00a0 RUNNING \u00a010.0.0.32 \u00a02001:db8:ca2c:dead:804a:bfff:fe83:f98d, 2001:db8:ca2c:dead::5e11 \u00a0YES \u00a0 \u00a0 \u00a0 \u00a0\nglanders \u00a0RUNNING \u00a010.0.0.31 \u00a02001:db8:ca2c:dead:21e:a0ff:feb6:66, 2001:db8:ca2c:dead::ba11 \u00a0 \u00a0 YES \u00a0 \u00a0 \u00a0 \u00a0\nlyme \u00a0 \u00a0 \u00a0RUNNING \u00a010.0.0.30 \u00a02001:db8:ca2c:dead:21e:a0ff:feb6:65, 2001:db8:ca2c:dead::cafe \u00a0 \u00a0 YES \u00a0 \u00a0 \u00a0 \u00a0\nmango \u00a0 \u00a0 RUNNING \u00a010.0.0.35 \u00a02001:db8:ca2c:dead:6c42:24ff:fe7d:4e9, 
2001:db8:ca2c:dead::a \u00a0 \u00a0 \u00a0YES \u00a0 \u00a0 \u00a0 \u00a0\npeach \u00a0 \u00a0 RUNNING \u00a010.0.0.33 \u00a02001:db8:ca2c:dead:21e:a0ff:feb6:68, 2001:db8:ca2c:dead::3a11 \u00a0 \u00a0 YES \u00a0 \u00a0 \u00a0 \u00a0\nrhubarb \u00a0 RUNNING \u00a010.0.0.40 \u00a02001:db8:ca2c:dead:21e:a0ff:feb6:69, 2001:db8:ca2c:dead::dead \u00a0 \u00a0 YES<\/pre>\n<p>Now this is hardly the end of the world, but it is not\u00a0<em>tidy<\/em>\u00a0and it is the sort of thing that may lead to problems down the road if servers are communicating on an address that is not reverse DNS registered. Or indeed when someone contacts a server on an address such as\u00a0<em>2001:db8:ca2c:dead::3eb<\/em>\u00a0and the reply comes from\u00a0<em>2001:db8:ca2c:dead:21e:a0ff:feb6:6a<\/em>.<\/p>\n<p>After any number of false starts, the answer is quite simple &#8211; use <em>sysctl<\/em> to turn off the autoconfigured address from\u00a0<em>within<\/em>\u00a0the container; which doesn&#8217;t make much sense logically &#8211; containers don&#8217;t have a kernel of their own, so the global kernel should be the one that is tuned. 
However :-<\/p>\n<pre>for container in $(lxc-ls)\ndo\n  echo net.ipv6.conf.eth0.autoconf = 0 &gt;&gt; \/var\/lib\/lxc\/$container\/rootfs\/etc\/sysctl.conf\ndone\n<\/pre>\n<p>Does the trick (after a reboot) \u00a0:-<\/p>\n<pre>\u00bb lxc-ls --fancy\nNAME \u00a0 \u00a0 \u00a0STATE \u00a0 \u00a0IPV4 \u00a0 \u00a0 \u00a0 IPV6 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0AUTOSTART \u00a0\n---------------------------------------------------------------------------------------------------------\napricot \u00a0 RUNNING \u00a010.0.0.34 \u00a02001:db8:ca2c:dead:21e:a0ff:feb6:6a, 2001:db8:ca2c:dead::3eb \u00a0 \u00a0 \u00a0YES \u00a0 \u00a0 \u00a0 \u00a0\nchagers \u00a0 RUNNING \u00a010.0.0.32 \u00a02001:db8:ca2c:dead:18d9:99ff:fe28:3591, 2001:db8:ca2c:dead::5e11 \u00a0YES \u00a0 \u00a0 \u00a0 \u00a0\nglanders \u00a0RUNNING \u00a010.0.0.31 \u00a02001:db8:ca2c:dead:21e:a0ff:feb6:66, 2001:db8:ca2c:dead::ba11 \u00a0 \u00a0 YES \u00a0 \u00a0 \u00a0 \u00a0\nlyme \u00a0 \u00a0 \u00a0RUNNING \u00a010.0.0.30 \u00a02001:db8:ca2c:dead::cafe \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0YES \u00a0 \u00a0 \u00a0 \u00a0\nmango \u00a0 \u00a0 RUNNING \u00a010.0.0.35 \u00a02001:db8:ca2c:dead:2411:80ff:feb9:6600, 2001:db8:ca2c:dead::a \u00a0 \u00a0 YES \u00a0 \u00a0 \u00a0 \u00a0\npeach \u00a0 \u00a0 RUNNING \u00a010.0.0.33 \u00a02001:db8:ca2c:dead::3a11 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0YES \u00a0 \u00a0 \u00a0 \u00a0\nrhubarb \u00a0 RUNNING \u00a010.0.0.40 \u00a02001:db8:ca2c:dead::dead \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 
\u00a0 \u00a0 \u00a0YES \u00a0 \u00a0 \u00a0 \u00a0\n<\/pre>\n<p>Except for the older containers \ud83d\ude41<\/p>\n<p>I&#8217;ve obviously missed\u00a0<em>something<\/em>, but fixing nearly half of the containers is a good start.<\/p>\n<p>After attending to pending upgrades (some of my old containers were still running\u00a0<em>wheezy<\/em>), and setting the network configuration to <a href=\"http:\/\/really.zonky.org\/?p=3842\">manual<\/a>, one of the recalcitrant containers (<em>glanders<\/em>) lost its autoconfigured address.<\/p>\n<p>Two more containers lost their unwanted extra addresses after &#8220;fixing&#8221; their configuration. I&#8217;m not sure what was wrong with the old configuration, but after copying and modifying a recently created container configuration, they rebooted with just one IPv6 address. The last one was\u00a0<em>mango<\/em>, but after an extra reboot, it also was fixed :-<\/p>\n<pre>\u00bb lxc-ls --fancy\nNAME \u00a0 \u00a0 \u00a0STATE \u00a0 \u00a0IPV4 \u00a0 \u00a0 \u00a0 IPV6 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0AUTOSTART \u00a0\n-----------------------------------------------------------------\napricot \u00a0 RUNNING \u00a010.0.0.34 \u00a02001:db8:ca2c:dead::3eb \u00a0 YES \u00a0 \u00a0 \u00a0 \u00a0\nchagers \u00a0 RUNNING \u00a010.0.0.32 \u00a02001:db8:ca2c:dead::5e11 \u00a0YES \u00a0 \u00a0 \u00a0 \u00a0\nglanders \u00a0RUNNING \u00a010.0.0.31 \u00a02001:db8:ca2c:dead::ba11 \u00a0YES \u00a0 \u00a0 \u00a0 \u00a0\nlyme \u00a0 \u00a0 \u00a0RUNNING \u00a010.0.0.30 \u00a02001:db8:ca2c:dead::cafe \u00a0YES \u00a0 \u00a0 \u00a0 \u00a0\nmango \u00a0 \u00a0 RUNNING \u00a010.0.0.35 \u00a02001:db8:ca2c:dead::a \u00a0 \u00a0 YES \u00a0 \u00a0 \u00a0 \u00a0\npeach \u00a0 \u00a0 RUNNING \u00a010.0.0.33 \u00a02001:db8:ca2c:dead::3a11 \u00a0YES \u00a0 \u00a0 \u00a0 \u00a0\nrhubarb \u00a0 RUNNING \u00a010.0.0.40 \u00a02001:db8:ca2c:dead::dead \u00a0YES \u00a0 \u00a0 \u00a0 
\u00a0\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>A newer post has more information (and more reliable information). One of the things that has been mildly irritating me about my little collection of Linux containers has been that in addition to the statically defined IPv6 addresses, there is also an automatically defined IPv6 address :- \u00bb lxc-ls &#8211;fancy NAME \u00a0 \u00a0 \u00a0STATE \u00a0 <a href='https:\/\/really.zonky.org\/?p=3838' class='excerpt-more'>[&#8230;]<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false,"_share_on_mastodon":"0"},"categories":[4,209,226],"tags":[163,1006,918],"class_list":["post-3838","post","type-post","status-publish","format-standard","hentry","category-it","category-linux-it","category-working-notes","tag-containers","tag-ipv6","tag-lxc","category-4-id","category-209-id","category-226-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"share_on_mastodon":{"url":"","error":""},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p1f2KI-ZU","_links":{"self":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/3838","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/really.z
onky.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3838"}],"version-history":[{"count":7,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/3838\/revisions"}],"predecessor-version":[{"id":5558,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/3838\/revisions\/5558"}],"wp:attachment":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3838"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3838"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3838"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}