How to run world reachable docker containers on your notebook

Posted on 2019-11-20 by Nico Schottelius

Today Alain from 200ok and I were hacking in the Hacking Hotel Diesbach and found an interesting problem: the docker containers on Alain's notebook did not reach the Internet.

IPv6 only networks

It turns out that here in the Hacking Hotel, we are in an IPv6-only network, and docker by default assigns IPv4 addresses to containers. This obviously does not work, because there is no IPv4 connectivity in an IPv6-only network...

Turning the problem into a feature

...being in the Hacking Hotel means being inside the 2a0a:e5c0:10::/48 network. The nice thing about IPv6 is that you have a lot of space. With the /48 network, we have around 65'536 /64 subnetworks. But enough of the IPv6 love...

... what this means is that we can just route a /64 network to Alain's notebook and reconfigure his docker daemon to use IPv6 instead of IPv4. Simply creating the /etc/docker/daemon.json with the following content is enough:

{
  "ipv6": true,
  "fixed-cidr-v6": "2a0a:e5c0:10:f00::/64"
}

This is great, as long as we work in the Hacking Hotel...

And turning it into a demo ready state

The problem with our solution above is that the network is only routed to his notebook when he is in the Hacking Hotel, so it will not work outside.

Alain also has a VPN from IPv6VPN.ch that gives him a static /48 network to his notebook. Now we selected a /64 subnet from that network, and what does that give us?

World wide reachable docker containers on a notebook!

Isn't that sweet? Given the right firewall settings, the containers can now be reached from anywhere in the world. From a notebook, which can be anywhere else in the world.
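The following check is an added example, not part of the original post: it audits a daemon.json against the prefix that is actually routed to the notebook, which is what breaks when the hotel configuration is carried onto the VPN unchanged. The function name and the VPN prefix (a documentation-range placeholder) are assumptions; the hotel prefix and the daemon.json content are from the post.

```python
import ipaddress
import json


def audit_docker_ipv6(daemon_json, routed_prefix):
    """Check Docker's IPv6 settings against the prefix routed to this host.

    Returns a list of findings; an empty list means the container subnet
    is valid, globally routable and inside the routed prefix.
    """
    cfg = json.loads(daemon_json)
    findings = []
    if cfg.get("ipv6") is not True:
        findings.append("ipv6 is not enabled")
    cidr = cfg.get("fixed-cidr-v6")
    if not cidr:
        findings.append("fixed-cidr-v6 is missing")
        return findings
    try:
        # strict=True rejects values with host bits set, e.g. ...:f00::1/64
        subnet = ipaddress.IPv6Network(cidr, strict=True)
    except ValueError as exc:
        findings.append(f"fixed-cidr-v6 is invalid: {exc}")
        return findings
    routed = ipaddress.IPv6Network(routed_prefix)
    if not subnet.subnet_of(routed):
        # Packets can leave, but replies are never routed back to this host.
        findings.append(f"{subnet} is outside routed prefix {routed}")
    if not subnet.is_global:
        findings.append(f"{subnet} is not globally routable")
    return findings


HOTEL_PREFIX = "2a0a:e5c0:10::/48"   # from the post
VPN_PREFIX = "2001:db8:abcd::/48"    # constructed placeholder, not the real VPN prefix
HOTEL_CONFIG = '{"ipv6": true, "fixed-cidr-v6": "2a0a:e5c0:10:f00::/64"}'

if __name__ == "__main__":
    for name, prefix in (("hotel", HOTEL_PREFIX), ("vpn", VPN_PREFIX)):
        print(name, audit_docker_ipv6(HOTEL_CONFIG, prefix) or "ok")
```

An empty result also means every container address in that /64 is a public address with no NAT in front of it, so the forwarding firewall is the only thing deciding which container ports are reachable.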

More of this

If you like hacking with IPv6, or want to reproduce the docker setup above, you are invited to join the IPv6 Chat or to get yourself a 50% off deal on the Black IPv6 Friday campaign.