How do I stop Docker trying to pull from IPv6?
from Zagorath@aussie.zone to selfhosted@lemmy.world on 11 Aug 06:30
https://aussie.zone/post/23555109

I’m currently trying to install Docker on my old Raspberry Pi (3 Model B+) to host some personal projects. When I run docker run hello-world, I get:

Unable to find image 'hello-world:latest' locally
docker: Error response from daemon: Get "https://registry-1.docker.io/v2/library/hello-world/manifests/sha256:ec153840d1e635ac434fab5e377081f17e0e15afab27beb3f726c3265039cfff": dial tcp [2600:1f18:2148:bc00:eff:d3ae:b836:fa07]:443: connect: network is unreachable

My Internet connection does not support IPv6 at all, which would explain why this error occurs. But how do I force docker-pull to only use IPv4?

#selfhosted

threaded - newest

chonkyninja@lemmy.world on 11 Aug 06:58 next collapse

It’s transparently pulling from both at the same time and the first one to connect wins. It should just work. Unless you got a typo.

frebib@social.nerdhouse.io on 11 Aug 07:41 next collapse

It will only try IPv6 if your computer has an address. Now the question is: if your network doesn’t support it, then why do you have an address?

Unforeseen@sh.itjust.works on 11 Aug 10:51 next collapse

They said thier internet connection didn’t support it, not their network.

You can lease ipv6 all day long but its not going to go anywhere if it can’t route to the internet.

Auli@lemmy.ca on 11 Aug 12:24 collapse

Well where is the router getting the prefix from if their ISP doesn’t support it.

atzanteol@sh.itjust.works on 11 Aug 12:34 next collapse

Link local adresses.

tychosmoose@piefed.social on 11 Aug 12:36 collapse

Some routers advertise a routable link local.

[deleted] on 11 Aug 12:41 collapse
.
iglou@programming.dev on 11 Aug 09:26 next collapse

Looks like your Pi thinks it can use IPv6. Find where, and disable it.

Zagorath@aussie.zone on 11 Aug 11:01 collapse

Yes, that is what I am here seeking help with.

TheKracken@lemmy.world on 11 Aug 12:38 collapse

Absolutely Disable ipv6 - Raspberry Pi Forums share.google/ynTkPxr9LkSfz5CZM

Zagorath@aussie.zone on 11 Aug 14:26 collapse

Sorry, maybe I should have explained every single step I tried in the body of the original post. I didn’t, partly because there were just too many and partly because I forgot which methods I had tried and which pages I had visited. But that page is one I’ve seen already.

It mentions to “blacklist” the module in a file that doesn’t exist. In fact, in a file that’s in a directory that doesn’t exist, which makes me very sceptical about the later claim that creating that file will fix it. /etc/modules-load.d exists, but not /etc/modules.d. I did already try the final suggestion to add that line to the end of /boot/firmware/cmdline.txt though. No luck.

I think the fact that it’s 6 years old is probably a big part of the reason it didn’t help. Files and directories have moved around. The suggestions in that post are literally just “do this” without any underlying explanation of what it’s doing that could lend to further investigation of the more modern way to do it.

iglou@programming.dev on 12 Aug 08:28 collapse

What version of Pi OS are you running?

(we can move to DMs if you wish, it will be less polluting, or stay in the comment thread if you don’t feel safe in DMs)

Zagorath@aussie.zone on 12 Aug 11:20 collapse

I’m happy to keep it public if only for the off chance that if we find a solution it might some day help someone else with the same issue. The thread’ll fall down in the rankings naturally over time anyway so I wouldn’t worry about polluting anything for people not actively seeking it out.

I’m not 100% sure how to find the OS version, but uname -a outputs […]6.12.25+rpt-rpi-v8[…]. /etc/os-release contains “Debian GNU/Linux 12 (bookworm)”. It should be whatever was latest as of a month or two ago when I installed the OS fresh.

iglou@programming.dev on 12 Aug 11:35 collapse

I have read the rest of the comments to see what you already tried. I was about yo tell you to use sysctl to disable ipv6 but it looks like that is already done.

As a matter of fact, it looks like you have no ipv6 address at all. Which makes me think that your DNS config might be off, as it shouldn’t even attempt an ipv6 resolution.

Can you show me the content of /etc/resolv.conf ?

Also install “dig” if you dont have it already and show the output of

dig registry-1.docker.io
Zagorath@aussie.zone on 12 Aug 12:29 collapse 
$ dig registry-1.docker.io

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> registry-1.docker.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50801
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;registry-1.docker.io.          IN      A

;; ANSWER SECTION:
registry-1.docker.io.   33      IN      A       54.210.249.78
registry-1.docker.io.   33      IN      A       44.218.153.24
registry-1.docker.io.   33      IN      A       107.20.112.188
registry-1.docker.io.   33      IN      A       34.234.222.10
registry-1.docker.io.   33      IN      A       34.195.83.243
registry-1.docker.io.   33      IN      A       52.21.128.203
registry-1.docker.io.   33      IN      A       52.0.248.137
registry-1.docker.io.   33      IN      A       52.207.69.161

;; Query time: 47 msec
;; SERVER: 192.168.20.1#53(192.168.20.1) (UDP)
;; WHEN: Tue Aug 12 22:27:45 AEST 2025
;; MSG SIZE  rcvd: 177
$ cat /etc/resolv.conf
# Generated by NetworkManager
search Home
nameserver 192.168.20.1

edit: oh, and in my router’s configuration:

  • Primary DNS Server:9.9.9.9
  • Secondary DNS Server:1.1.1.1
iglou@programming.dev on 12 Aug 12:33 collapse

Well this is getting weird.

Have you tried checking if your os has a resolution cashe active? If so, try to flush it.

Zagorath@aussie.zone on 12 Aug 12:39 collapse

I never set one up myself, and this 11 year-old thread implies that Raspbian doesn’t have one set up by default. It is a very old thread though, so could be wrong.

edit: this is more recent and also says Raspbian doesn’t have DNS caching by default

iglou@programming.dev on 12 Aug 12:48 collapse

At this point I am assuming that it is actually a docker issue.

Can you show your docker daemon configuration?

Hard to tell where it is on your machine. Try ~/.docker/daemon.json, or maybe /etc/docker/daemon.json… Else look for it haha

Zagorath@aussie.zone on 12 Aug 13:11 collapse

There’s a ~/.docker/config.json. In that there’re some auths, with keys https://index.docker.io/v1/, https://index.docker.io/v1/access-token, and https://index.docker.io/v1/refresh-token, and then there’s “currentContext”: “rootless”.

There’s ~/.docker/contexts/meta/[a long hex string]/meta.json, with {“Name”:“rootless”,“Metadata”:{“Description”:“Rootless mode”},“Endpoints”:{“docker”:{“Host”:“unix:///run/user/1000/docker.sock”,“SkipTLSVerify”:false}}}.

The only file in /etc/docker is key.json.

tychosmoose@piefed.social on 11 Aug 12:46 next collapse

Docker is a distraction in your problem description.

It's like if you asked why the top gear in your car isn't working and gave the model of car and engine type and gearbox. But it's really that you're stuck in slow traffic. Focus on the road name and destination to find a faster route.

For your problem, search for how to disable ipv6 for the Linux distribution and version that you have installed. You will find lots of guidance. Or share those details here for someone to help.

Or, better might be to see if there is a way to get ipv6 tunneling working on your connection. It may be possible even if the ISP is unhelpful.

Zagorath@aussie.zone on 11 Aug 14:05 collapse

It’s like if you asked why the top gear in your car isn’t working and gave the model of car and engine type and gearbox

Except if I try and access the same domain using curl, it works fine. For some reason, Docker specifically is what’s failing.

tychosmoose@piefed.social on 11 Aug 15:37 collapse

Different programs have different defaults.

But in your situation which would be more helpful - prevent this one docker command from using ipv6 (likely more difficult), or preventing all commands from using your broken ipv6 config (likely easier)?

I have no idea about the first. Maybe some people know this detail. But I'm sure that with a distro and version that you're running, there are lots of people who could help with the second. Raspberry Pi 3B+ is the hardware. What software are you using?

Zagorath@aussie.zone on 11 Aug 15:48 collapse

Whatever the latest version of Raspbian was a month or two ago when I installed it. uname -a outputs […]6.12.25+rpt-rpi-v8[…]. /etc/os-release contains “Debian GNU/Linux 12 (bookworm)”.

tychosmoose@piefed.social on 11 Aug 17:25 collapse

Ok, so it's probably using NetworkManager. I would try disabling it in /etc/NetworkManager/NetworkManager.conf by adding a block like:

[ipv6]
addr-gen-mode=stable-privacy
method=disabled

Then sudo systemctl restart NetworkManager.
Can't say for sure if this will work. I dislike using NetworkManager on my servers so I can't test if this works. But hopefully the before/after of ip addr is different.

Although it looks like your ip addr output posted an hour or so ago doesn't show any ipv6 addressing. Maybe the problem is solved now.

Zagorath@aussie.zone on 12 Aug 00:33 collapse

Unfortunately not.

 docker run hello-world
Unable to find image 'hello-world:latest' locally
docker: Error response from daemon: Get "https://registry-1.docker.io/v2/library/hello-world/manifests/sha256:ec153840d1e635ac434fab5e377081f17e0e15afab27beb3f726c3265039cfff": dial tcp [2600:1f18:2148:bc00:eff:d3ae:b836:fa07]:443: connect: network is unreachable

Run 'docker run --help' for more information
tychosmoose@piefed.social on 12 Aug 02:14 collapse

Well crap. Do you have no ipv6 address now in ip addr?

Guess I gave Docker too much benefit of the doubt and assumed it should failover to v4 once v6 was disabled. Bad assumption on my part.

Could it be a DNS problem? If you dig registry-1.docker.io +short does it return an ipv4 or v6 address?

It looks like there have been sporadic reports of problems from people since last year.

Zagorath@aussie.zone on 12 Aug 02:21 next collapse

Do you have no ipv6 address now in ip addr

Just comparing it by eye, there’s no change.

zag@raspberrypi:~ $ man dig
No manual entry for dig
zag@raspberrypi:~ $ which dig
zag@raspberrypi:~ $ sudo apt install dig
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package dig

But if I ping it

$ ping registry-1.docker.io
PING registry-1.docker.io (107.20.112.188) 56(84) bytes of data.
tychosmoose@piefed.social on 12 Aug 03:31 collapse

It's in the dnsutils package.

Zagorath@aussie.zone on 12 Aug 04:31 collapse 
52.207.69.161
52.21.128.203
3.224.238.37
44.218.153.24
54.210.249.78
18.232.25.125
52.72.195.97
54.161.169.181
MysteriousSophon21@lemmy.world on 12 Aug 10:18 collapse

Try adding {“ipv6”: false} to your /etc/docker/daemon.json file (create it if it doesnt exist), then restart docker with sudo systemctl restart docker - this forces docker to use IPv4 only.

tychosmoose@piefed.social on 12 Aug 22:24 collapse

This flag seems to only disable ipv6 on the default Docker bridge network, not daemon-wide. At least per this discussion.

MangoPenguin@lemmy.blahaj.zone on 11 Aug 14:08 next collapse

Even if it has an IPv6 address that can’t route, it’s odd that the OS isn’t falling back to IPv4.

But disabling IPv6 in the OS should fix it, as this is not a docker problem.

Zagorath@aussie.zone on 11 Aug 14:28 collapse

But disabling IPv6 in the OS should fix it

I’ve already followed the instructions I could find to do that, but it didn’t work. Either disabling IPv6 isn’t the solution, or the instructions for how to disable it are incomplete. (You can see comments elsewhere in the thread for more detail.)

mlfh@lemmy.sdf.org on 11 Aug 14:49 collapse

Can you give us the full output of the following commands?

ip addr

sysctl net.ipv6.conf.all.disable_ipv6

Zagorath@aussie.zone on 11 Aug 15:33 collapse 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:93:9b:06 brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.40/24 brd 192.168.20.255 scope global dynamic noprefixroute eth0
       valid_lft 81876sec preferred_lft 81876sec
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether b8:27:eb:c6:ce:53 brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether ce:3e:0d:9b:fa:14 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

net.ipv6.conf.all.disable_ipv6 = 1
cereals@discuss.tchncs.de on 12 Aug 05:59 collapse

Check your DHCP Server and disable DHCPv6. The raspi shouldn’t get a ipv6 then and you won’t have this problem in the future with other devices.

edit: and restart the pi after disabling DHCPv6

Zagorath@aussie.zone on 12 Aug 08:27 collapse

DHCP server as in on my router?

<img alt="“IPv6 LAN Auto Configuration” with everything “Off” or “Disable”" src="https://aussie.zone/pictrs/image/96c7ed85-bc59-46f3-9250-5e67f9a87348.png">

Still get exactly the same error.