IPv6 without userland proxy


Playing around with RancherOS for a while now. I’ve just tried to think on how I could get IPv6 connectivity for my containers running in (user) Docker. I’ve noticed my RancherOS server already auto discovered a public IPv6 address. Listening on a port on IPv6 with netcat allows connecting to it from an external IPv6 host, which confirms IPv6 is working as it should.

Now what I’d like to accomplish is having all of my services (running in Docker containers of course) be available on IPv6 as well. I’ve noticed for each published port, there is already a listening socket, on IPv6 only (like [::]:80), but my published ports do work on IPv4 (probably due to net.ipv6.bindv6only=0). However, for IPv6, they don’t work. Connecting to published ports on IPv6 does establish a connection (random other ports give connection refused), but somehow it’s not connected/tunnelled to the container. Running netcat in the container shows no incoming connection, even though the remote client says it’s connected. On IPv4 everything works as expected.

I’ve tried to do the same thing with an Ubuntu server, managed by Docker Machine, where it works as expected. The main difference is that docker-proxy was running for each published port. RancherOS uses --userland-proxy=false, which prevents this.

Is there a way to have IPv6 traffic coming in on the published ports to be forwarded/tunnelled to the right containers, as is done automatically with IPv4?

Also, I’ve noticed RancherOS’ SSH daemon is not listening on IPv6. What’s the best way to have this be available on IPv6 as well? Do I have to configure this in a custom sshd_config by adding a write-files: section for it in my cloud-config?


We’ve never tested RancherOS with IPv6, so unsure if it will work. i’m not an expert, so would not know how to set it up.

You can set the userland-proxy to true by including this snippet in your cloud-config.

   extra_args: [--userland-proxy=true]