Docker Hub Registry IPv6 Support Now Generally Available | Docker


As the world becomes increasingly interconnected, it’s essential for the internet to support the growing number of devices and users. That’s where IPv6 comes in.

What is IPv6, and what does it have to do with Docker? 

IPv6 is the latest version of the Internet Protocol, the system that enables devices to communicate with each other over the internet. It’s designed to address the limitations of the previous version, IPv4, which is running out of available addresses. 

As Docker supports more customers, this means we need to support different use cases, like IPv6-only networks. Today, we are pleased to announce the general availability of IPv6 support for the Docker Hub Registry, Docker Docs, and Docker Scout endpoints. 

Why are we adopting IPv6? 

We have heard from the community that you need IPv6 support for Docker software as a service (SaaS) endpoints to work efficiently and effectively. In the past, IPv6-only networks required extra tooling to interact with some of Docker’s SaaS resources. This is no longer the case. Now you can get rid of your NAT64 gateway and docker pull.

What does this mean for my workflows? 

This is my favorite part… nothing! 🥳 During our beta testing of IPv6, we introduced new endpoints for accessing the Docker Hub Registry. Those were only for the beta testing and are no longer needed. Now, if you are on an IPv6-only network, dual-stack network, or an IPv4-only network, these commands will work.

To begin, log in to the Docker Hub:

Then pull whatever image you need:

How will Docker Hub download rate limits work?

If you use authentication when pulling container images from the Docker Hub Registry, nothing changes. Our servers will properly attach rate limit data to the authenticated user ID in the HTTP request. 

If you do not authenticate your docker pull commands by running docker login first, then we’ll need to rate limit the request based on the IP address. For IPv4 addresses, this is done on a per-IP basis. 

For IPv6 addresses, this becomes a harder problem because IPv6 has a much larger IP address range available to customers. Therefore, to accommodate the larger IP address range, we will rate limit against the first 64 bits in the IPv6 address. You can see an example of what our servers use as the source by looking at the docker-ratelimit-source header returned in the following HTTP response:

$ curl https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest -I -XGET -6
HTTP/1.1 401 Unauthorized
content-type: application/json
docker-distribution-api-version: registry/2.0
www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:ratelimitpreview/test:pull"
date: Wed, 28 June 2023 01:06:44 GMT
content-length: 164
strict-transport-security: max-age=31536000
docker-ratelimit-source: 2601:245:c100:a71::

How can I verify that IPv6 is being used? 

While browsing the Docker Docs or pulling a Docker container image, you can use network monitoring software like tcpdump to monitor the traffic.

Let’s say that you want to verify the network you use for pulling a container image from the Docker Hub Registry.

First, in your favorite terminal, start a tcpdump capture. This command will produce log records of all of the network connections between your local machine and the Docker Hub servers:

sudo tcpdump host registry-1.docker.io -vv

In another terminal window, pull a container image from Docker Hub:

docker pull registry-1.docker.io/library/alpine:latest

You should see output that looks like this:

🚀 sudo tcpdump host registry-1.docker.io -vv
tcpdump: data link type PKTAP
tcpdump: listening on pktap, link-type PKTAP (Apple DLT_PKTAP), snapshot length 524288 bytes
15:42:16.740577 IP6 (flowlabel 0xa0800, hlim 64, next-header TCP (6) payload length: 44) 2601:245:c100:a71:8454:86d0:52f1:d46f.62630 > 2600:1f18:2148:bc02:cfd8:db68:ea1f:277c.https: Flags [S], cksum 0xb80b (correct), seq 2539670618, win 65535, options [mss 1440,nop,wscale 6,nop,nop,TS val 4154959809 ecr 0,sackOK,eol], length 0
15:42:16.774831 IP6 (class 0x20, hlim 229, next-header TCP (6) payload length: 40) 2600:1f18:2148:bc02:cfd8:db68:ea1f:277c.https > 2601:245:c100:a71:8454:86d0:52f1:d46f.62630: Flags [S.], cksum 0x6b60 (correct), seq 4264170311, ack 2539670619, win 26847, options [mss 1440,sackOK,TS val 2058512533 ecr 4154959809,nop,wscale 12], length 0
…

When you look at the second column of tab-delimited data, it will say IP6 to denote IPv6 being used. Additionally, the IP addresses you see in the output are in IPv6 format instead of IPv4 format. The quick way to tell is if the IP address has a colon (:) in it, then it is IPv6. If the IP address only has periods (.), then it is IPv4. 🎉

The future

We are excited to be able to provide full dual-stack network capabilities to Docker Hub Registry, Docker Docs, and Docker Scout endpoints. We believe that dual-stack capabilities offer an important performance and reliability benefit to our customers. We intend to provide dual-stack network support for new endpoints as part of our commitment to delivering the best possible experience for our users. 

If you have the ability to control your local network, turn on IPv6 and see Docker Hub Registry, Docker Docs, and Docker Scout endpoints continue to work. If you have access to an IPv6-only network, try docker pull or take a look at our docs pages — they will all continue to work as they did before. 

We look forward to hearing feedback from our community through our hub-feedback GitHub issue tracker.

Learn more



Source link