RTNETLINK answers: Permission denied #75

Closed
ProfChaos opened this issue Jul 1, 2017 · 12 comments

ProfChaos commented Jul 1, 2017

Hi!

EDIT: I downgraded to 17.0.3.1, which was the previous version I had installed, and everything is running fine again. It would be nice to find the problem with the new version of docker-ce, though.

After I ran apt upgrade (Docker CE was updated) today, docker restarted the containers, and after the restart I have not been able to run this container again. I keep getting this error message: RTNETLINK answers: Permission denied.

Packages

Start-Date: 2017-07-01  14:07:14
Commandline: apt upgrade
Requested-By: dan (1000)
Upgrade: uuid-runtime:amd64 (2.29-1ubuntu2, 2.29-1ubuntu2.1), 
libfdisk1:amd64 (2.29-1ubuntu2, 2.29-1ubuntu2.1), 
libmount1:amd64 (2.29-1ubuntu2, 2.29-1ubuntu2.1), 
util-linux:amd64 (2.29-1ubuntu2, 2.29-1ubuntu2.1), 
grub-legacy-ec2:amd64 (0.7.9-113-g513e99e0-0ubuntu1~17.04.1, 0.7.9-153-g16a7302f-0ubuntu1~17.04.1), 
nplan:amd64 (0.20, 0.23~17.04.1), 
mount:amd64 (2.29-1ubuntu2, 2.29-1ubuntu2.1), 
libblkid1:amd64 (2.29-1ubuntu2, 2.29-1ubuntu2.1), 
libuuid1:amd64 (2.29-1ubuntu2, 2.29-1ubuntu2.1), 
libsmartcols1:amd64 (2.29-1ubuntu2, 2.29-1ubuntu2.1), 
bsdutils:amd64 (1:2.29-1ubuntu2, 1:2.29-1ubuntu2.1), 
docker-ce:amd64 (17.03.1~ce-0~ubuntu-xenial, 17.06.0~ce-0~ubuntu)
End-Date: 2017-07-01  14:07:36

I have tried to remove the image and container and rebooted the computer with no luck.

This is how I start the container:

docker run -it -d --restart unless-stopped --cap-add=NET_ADMIN --device /dev/net/tun --name vpn -v /home/media/vpn/vpn:/vpn -e FIREWALL='11865' dperson/openvpn-client

These are the logs I get from the container:

Sat Jul  1 20:53:19 2017 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jul  1 20:53:19 2017 OPTIONS IMPORT: route options modified
Sat Jul  1 20:53:19 2017 OPTIONS IMPORT: route-related options modified
Sat Jul  1 20:53:19 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jul  1 20:53:19 2017 OPTIONS IMPORT: peer-id set
Sat Jul  1 20:53:19 2017 OPTIONS IMPORT: adjusting link_mtu to 1625
Sat Jul  1 20:53:19 2017 OPTIONS IMPORT: data channel crypto options modified
Sat Jul  1 20:53:19 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jul  1 20:53:19 2017 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jul  1 20:53:19 2017 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:02
Sat Jul  1 20:53:19 2017 GDG6: remote_host_ipv6=n/a
Sat Jul  1 20:53:19 2017 ROUTE6: default_gateway=UNDEF
Sat Jul  1 20:53:19 2017 TUN/TAP device tun0 opened
Sat Jul  1 20:53:19 2017 TUN/TAP TX queue length set to 100
Sat Jul  1 20:53:19 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Sat Jul  1 20:53:19 2017 /sbin/ip link set dev tun0 up mtu 1500
Sat Jul  1 20:53:19 2017 /sbin/ip addr add dev tun0 10.8.0.5/16 broadcast 10.8.255.255
Sat Jul  1 20:53:19 2017 /sbin/ip -6 addr add fdda:d0d0:cafe:1194::1003/64 dev tun0
RTNETLINK answers: Permission denied
Sat Jul  1 20:53:19 2017 Linux ip -6 addr add failed: external program exited with error status: 2
Sat Jul  1 20:53:19 2017 Exiting due to fatal error

I've been trying to figure it out all day. Thanks

@dperson dperson self-assigned this Jul 4, 2017
@dperson
Owner

dperson commented Jul 4, 2017

I'm not on 17.03.1, and can't reproduce the error. Is there any chance that you've disabled IPv6 on your host system?

$ sudo docker exec -it docker_vpn_1 bash
root@4530574803ee:/# ip -6 addr add fdda:d0d0:cafe:1194::1003/64 dev tun0

root@4530574803ee:/# ip addr show dev tun0
2: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 10.74.10.6 peer 10.74.10.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fdda:d0d0:cafe:1194::1003/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::44c:5cd:f0df:5c7/64 scope link flags 800 
       valid_lft forever preferred_lft forever

@ProfChaos
Author

I don't think I've turned it off; it works fine when I downgrade docker-ce.

$ cat /proc/sys/net/ipv6/conf/all/disable_ipv6
0

17.03.1 works fine:

root@662fc4b74550:/# ip addr show dev tun0
2: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.3/16 brd 10.8.255.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fdda:d0d0:cafe:1194::1001/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::7bba:18d2:9f59:b815/64 scope link flags 800
       valid_lft forever preferred_lft forever

I tried upgrading to 17.06.0 again:

root@662fc4b74550:/# ip addr show dev tun0
Device "tun0" does not exist.
root@662fc4b74550:/# /sbin/ip -6 addr add fdda:d0d0:cafe:1194::1008/64 dev tun0
Cannot find device "tun0"

@dperson
Owner

dperson commented Jul 5, 2017

Hmm, I wonder if it's being turned off in the container (in the newest docker), if you don't set up IPv6 addressing for your docker network? What does the following show you:

for i in $(sudo docker network ls | awk '!/NET/ {print $2}'); do
    echo $i:
    sudo docker network inspect $i | grep IPv6
done

@ProfChaos
Author

ProfChaos commented Jul 5, 2017

It's the same for 17.03.1 and 17.06.0

$ for i in $(sudo docker network ls | awk '!/NET/ {print $2}'); do
>     echo $i:
>     sudo docker network inspect $i | grep IPv6
> done
bridge:
        "EnableIPv6": false,
                "IPv6Address": ""
                "IPv6Address": ""
                "IPv6Address": ""
host:
        "EnableIPv6": false,
                "IPv6Address": ""
none:
        "EnableIPv6": false,

@dperson
Owner

dperson commented Jul 5, 2017

Due to a change in docker, you have to set --ipv6 and provide a --fixed-cidr-v6, otherwise IPv6 is disabled automatically inside the containers. See the answer from aboch in moby/moby#32433.
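
An added example, not part of the original comments or of the project: it classifies this failure from the container log and the `disable_ipv6` value as seen inside a container, which can differ from the host value checked earlier in the thread. The function names, result labels and the `--live` switch are hypothetical; the container name `vpn` and the image come from the `docker run` command in the report, and it assumes a throwaway container on the default bridge gets the same setting as the `vpn` container.

```shell
#!/bin/sh
# Added example; function names and result labels are hypothetical.

# Constructed sample, modelled on the log lines in the report above.
SAMPLE_LOG='Sat Jul  1 20:53:19 2017 /sbin/ip addr add dev tun0 10.8.0.5/16 broadcast 10.8.255.255
Sat Jul  1 20:53:19 2017 /sbin/ip -6 addr add fdda:d0d0:cafe:1194::1003/64 dev tun0
RTNETLINK answers: Permission denied
Sat Jul  1 20:53:19 2017 Linux ip -6 addr add failed: external program exited with error status: 2'

# Print the command logged just before the first
# "RTNETLINK answers: Permission denied" line (nothing if there is none).
failing_cmd() {
    printf '%s\n' "$1" | awk '
        /^RTNETLINK answers: Permission denied/ { print prev; exit }
        { sub(/^[A-Za-z]+ [A-Za-z]+ +[0-9]+ [0-9:]+ [0-9]+ /, ""); prev = $0 }'
}

# $1 = container log text
# $2 = disable_ipv6 as seen inside a container on the same network
diagnose() {
    cmd=$(failing_cmd "$1")
    case "$cmd" in
        "")          echo "no-rtnetlink-denial"; return 0 ;;
        *"ip -6 "*)  ;;   # an IPv6 command was denied: look at the sysctl
        *)           echo "denied-non-ipv6-command"; return 0 ;;
    esac
    if [ "$2" = "1" ]; then
        echo "ipv6-disabled-in-container"
    else
        echo "ipv6-enabled-other-cause"
    fi
}

# Live use: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    # Assumption: a throwaway container on the default bridge sees the
    # same disable_ipv6 value as the crash-looping "vpn" container.
    in_container=$(docker run --rm --entrypoint cat dperson/openvpn-client \
        /proc/sys/net/ipv6/conf/all/disable_ipv6)
    diagnose "$(docker logs vpn 2>&1)" "$in_container"
fi
```
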

@dperson dperson closed this as completed Jul 5, 2017
@geota

geota commented Sep 4, 2017

I had this issue as well; the following fixed it for me per dperson's recommendation:

{"ipv6": true, "fixed-cidr-v6": "2001:db8:1::/64"}

You can also explicitly enable via sysctl by adding the following to your docker-compose or passing it as a flag to docker run.

      sysctls:
          - net.ipv6.conf.all.disable_ipv6=0

@ProfChaos
Author

Got it working by adding --sysctl net.ipv6.conf.all.disable_ipv6=0 to the docker run command.

kizzx2 added a commit to kizzx2/docker-openvpn-client-socks that referenced this issue Oct 26, 2017
@Annapurna610

Thank you so much, @geota. It worked for us as well. We were facing the same issue where the tunnels in the containers were unable to get IPv6 addresses.

@PersistentCloud

But with this solution you cannot use port forwarding for your ipv6 address. Is there any other solution?

@mcd92

mcd92 commented Jul 13, 2021

Last week, my container stopped connecting. After generating new config files on the VPN server, contacting the support team, reading more about ovpn config files and looking a couple hours on the internet, I finally found the solution here, from @ProfChaos.

Thank you very much, by the way!

I wish the mentioned parameter were standard, or at least alerted in the docker description.

@Mattescantcode

Got it working by adding --sysctl net.ipv6.conf.all.disable_ipv6=0 to the docker run command.

You have no idea how long I've been looking for an answer to this, thank you :)

@liyihuang

I spent half a day on this; I didn't think it was caused by IPv6 being disabled.
