daemon doesn't listen on IPv6 #887

Closed
mbunkus opened this issue Nov 20, 2022 · 3 comments · Fixed by #889

mbunkus commented Nov 20, 2022

Current Behavior

Even if the Docker container has IPv6 enabled, the daemon isn't listening on it, requiring the use of IPv4:

[0 root@durnik ~] docker container inspect netbox-netbox-1 | rg 'IPAddress|GlobalIPv6Address' | tail -n 2
                    "IPAddress": "172.18.1.7",
                    "GlobalIPv6Address": "2a01:4f8:262:xxxx:a:b:c:d",
[0 root@durnik ~] telnet 172.18.1.7 8080
Trying 172.18.1.7...
Connected to 172.18.1.7.
Escape character is '^]'.
HTTP/1.1 400 Bad Request
Content-Type: text/html
Server: Unit/1.27.0
Date: Sun, 20 Nov 2022 00:25:50 GMT
Content-Length: 54
Connection: close

<!DOCTYPE html><title>Error 400</title><p>Error 400.
Connection closed by foreign host.
[1 root@durnik ~] telnet 2a01:4f8:262:xxxx:a:b:c:d 8080
Trying 2a01:4f8:262:xxxx:a:b:c:d...
telnet: Unable to connect to remote host: Connection refused

Actual IPv6 obscured.

Expected Behavior

I would expect the daemon to listen on both IPv4 and IPv6.

Docker Compose Version

2.12.2

Docker Version

Client: Docker Engine - Community
 Version:           20.10.21
 API version:       1.41
 Go version:        go1.18.7
 Git commit:        baeda1f
 Built:             Tue Oct 25 18:01:58 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.21
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.7
  Git commit:       3056208
  Built:            Tue Oct 25 17:59:49 2022
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          1.6.9
  GitCommit:        1c90a442489720eec95342e1789ee8a5e1b9536f
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

The git Revision

8b16b16

The git Status

[0 root@durnik (release) /srv/docker-compose/netbox] git st
On branch release
Your branch is up to date with 'origin/release'.

nothing to commit, working tree clean


Startup Command

docker compose up -d

NetBox Logs

netbox-netbox-1  | 🧬 loaded config '/etc/netbox/config/configuration.py'
netbox-netbox-1  | 🧬 loaded config '/etc/netbox/config/extra.py'
netbox-netbox-1  | 🧬 loaded config '/etc/netbox/config/logging.py'
netbox-netbox-1  | 🧬 loaded config '/etc/netbox/config/plugins.py'
netbox-netbox-1  | 💡 Superuser Username: admin, E-Mail: [email protected]
netbox-netbox-1  | ⚠️⚠️⚠️ WARNING: The initializers have been moved to a plugin. See release notes.
netbox-netbox-1  | ⚠️⚠️⚠️ Set environment variable 'SKIP_STARTUP_SCRIPTS' to 'true' to remove this warning.
netbox-netbox-1  | ✅ Initialisation is done.
netbox-netbox-1  | ⏳ Waiting for control socket to be created... (1/10)
netbox-netbox-1  | 2022/11/20 00:32:08 [warn] 6#6 Unit is running unprivileged, then it cannot use arbitrary user and group.
netbox-netbox-1  | 2022/11/20 00:32:08 [info] 6#6 unit 1.27.0 started
netbox-netbox-1  | 2022/11/20 00:32:08 [info] 13#13 discovery started
netbox-netbox-1  | 2022/11/20 00:32:08 [notice] 13#13 module: python 3.10.4 "/usr/lib/unit/modules/python3.10.unit.so"
netbox-netbox-1  | 2022/11/20 00:32:08 [info] 6#6 controller started
netbox-netbox-1  | 2022/11/20 00:32:08 [info] 15#15 router started
netbox-netbox-1  | 2022/11/20 00:32:08 [notice] 6#6 process 13 exited with code 0
netbox-netbox-1  | 2022/11/20 00:32:08 [info] 15#15 OpenSSL 3.0.2 15 Mar 2022, 30000020
netbox-netbox-1  | ⚙️ Applying configuration from /etc/unit/nginx-unit.json
netbox-netbox-1  | 2022/11/20 00:32:10 [info] 19#19 "netbox" prototype started
netbox-netbox-1  | 2022/11/20 00:32:10 [info] 20#20 "netbox" application started
netbox-netbox-1  | ✅ Unit configuration loaded successfully
netbox-netbox-1  | 2022/11/20 00:32:11 [notice] 6#6 process 11 exited with code 0

Content of docker-compose.override.yml

services:
  netbox:
    ports:
      - 8100:8080
    networks:
      - netbox

  netbox-worker:
    networks:
      - netbox

  netbox-housekeeping:
    networks:
      - netbox

  postgres:
    networks:
      - netbox

  redis:
    networks:
      - netbox

  redis-cache:
    networks:
      - netbox

networks:
  netbox:
    enable_ipv6: true
    ipam:
      config:
        - subnet: "172.18.1.0/24"
        - subnet: "2a01:4f8:262:xxxx:a::/80"

cimnine commented Nov 23, 2022

Could you try the following:

  1. Manually apply the change in Make nginx-unit listen on IPv4 and IPv6 #889:
    diff --git a/docker/nginx-unit.json b/docker/nginx-unit.json
    index 87a186b..d6ff9cc 100644
    --- a/docker/nginx-unit.json
    +++ b/docker/nginx-unit.json
    @@ -1,6 +1,9 @@
     {
       "listeners": {
    -    "*:8080": {
    +    "0.0.0.0:8080": {
    +      "pass": "routes"
    +    },
    +    "[::]:8080": {
           "pass": "routes"
         }
       },
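Review bot: the new "[::]:8080" listener is added unconditionally next to "0.0.0.0:8080", and nothing here covers containers where IPv6 is unavailable; please confirm how the configuration load behaves in that case and document an IPv4-only variant if it fails. With this as the default the service also becomes reachable over IPv6, so the release notes should say that deployments whose packet filtering covers only IPv4 need a matching IPv6 rule. Both listeners carry an identical "pass": "routes" object, so any later per-listener option has to be kept in sync in two places.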
  2. Add this to your docker-compose.override.yaml:
    services:
     netbox:
       volumes:
       - ./docker/nginx-unit.json:/etc/unit/nginx-unit.json:z,ro

This should mount the updated Nginx Unit configuration file to the correct spot within NetBox Docker.

Then stop the container and start it again. Like this, for example:

docker compose stop
docker compose rm netbox
docker compose up netbox

You should also be able to check that Nginx Unit is now listening on the IPv6 port by doing this in a separate terminal:

$ docker compose exec -u 0 netbox /bin/bash
$> apt update && apt install -y net-tools
$> netstat -tulpn

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.11:44285        0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::8080                 :::*                    LISTEN      -
udp        0      0 127.0.0.11:60519        0.0.0.0:*                           -

Note the tcp6 line.


mbunkus commented Nov 23, 2022

Thank you so much for looking into it!

The proposed change works just fine for me. After applying, stopping, removing & restarting netbox, the unitd process listens on IPv6, too:

[0 root@durnik (release) /srv/docker-compose/netbox] docker compose exec -u 0 --privileged -ti netbox /bin/bash
root@452fa291e85c:/opt/netbox/netbox# lsof -Pni:8080
COMMAND PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
unitd    25 unit   14u  IPv4 6955738      0t0  TCP *:8080 (LISTEN)
unitd    25 unit   15u  IPv6 6955739      0t0  TCP *:8080 (LISTEN)

(I prefer lsof over netstat, but that's really only due to familiarity)

Also reachability from outside the container is given:

[0 root@durnik (release) /srv/docker-compose/netbox] curl --silent 'http://[2a01:4f8:262:yyyy::a:b:c]:8100' | grep -i netbox | head -n 2
  data-netbox-url-name="home"
  data-netbox-base-path=""

2a01:4f8:262:yyyy::a:b:c is the obscured IPv6 address the Docker host has on its main network interface. I've also used my external-facing nginx & changed proxying to said address, 2a01:4f8:262:yyyy::a:b:c, and access via my web browser works as well.
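
The netstat and lsof checks in the two comments above can also be done without installing packages in the container, by reading the kernel's socket tables directly. The following is an added example, not part of the original thread or of the netbox-docker project; the function names and sample tables are constructed for illustration, and a little-endian host (such as the linux/amd64 shown in the report) is assumed.

```python
import ipaddress

LISTEN = "0A"  # value of the "st" column for a listening socket

def decode_addr(hex_addr):
    """Decode the hex address column of /proc/net/tcp or tcp6: 4 or 16 bytes
    stored as 32-bit words in host byte order (little-endian assumed)."""
    raw = bytes.fromhex(hex_addr)
    words = [raw[i:i + 4][::-1] for i in range(0, len(raw), 4)]
    return ipaddress.ip_address(b"".join(words))

def listening(proc_text, port):
    """Return the local addresses in LISTEN state on `port` in one table dump."""
    found = []
    for line in proc_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue  # skip established connections and malformed lines
        addr_hex, port_hex = fields[1].split(":")
        if int(port_hex, 16) == port:
            found.append(str(decode_addr(addr_hex)))
    return found

def families(tcp4_text, tcp6_text, port):
    """Map each address family to the addresses listening on `port`."""
    return {"ipv4": listening(tcp4_text, port), "ipv6": listening(tcp6_text, port)}

def read_table(path):
    """Read a socket table; a missing table counts as having no listeners."""
    try:
        with open(path) as handle:
            return handle.read()
    except FileNotFoundError:
        return ""

# Constructed sample tables (not captured from the reporter's container).
HEADER = "  sl  local_address rem_address   st ...\n"
TCP4 = HEADER + (
    "   0: 0B00007F:ACFD 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1\n"
    "   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2\n"
    "   2: 070112AC:1F90 010112AC:D431 01 00000000:00000000 00:00000000 00000000 0 0 3\n"
)
ANY6 = "0" * 32
TCP6_BEFORE = HEADER  # state reported in the issue: nothing listening on IPv6
TCP6_AFTER = HEADER + f"   0: {ANY6}:1F90 {ANY6}:0000 0A 00000000:00000000 00:00000000 00000000 0 0 4\n"

if __name__ == "__main__":  # run inside the container to inspect the live tables
    print(families(read_table("/proc/net/tcp"), read_table("/proc/net/tcp6"), 8080))
```

An empty "ipv6" list for port 8080 corresponds to the "Connection refused" seen in the original report; after the listener change it should contain "::".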


cimnine commented Dec 6, 2022

Thanks for testing. We'll include it in our next release as default configuration. #889

cimnine closed this as completed Dec 6, 2022
cimnine linked a pull request Dec 6, 2022 that will close this issue