Posts

Docker and KVM on the same host and networking

If you are trying to get Docker and KVM to work on the same host then you will find that the networking is a bit icky. You'll need to tell iptables to allow forwarding on your network interface. As I always do things using a bridge (makes it easier to change the network card if needed), I use br0 in this example.

    cat <<EOF | sudo tee /etc/systemd/system/restore-iptables-rules.service > /dev/null
    [Unit]
    Description = Apply iptables rules
    [Service]
    Type=oneshot
    ExecStart=/bin/sh -c 'iptables -A FORWARD -i br0 -o br0 -j ACCEPT'
    [Install]
    WantedBy=network-online.target
    EOF

Then you need to enable it and restart the service (I'd restart the host):

    sudo systemctl daemon-reload \
      && sudo systemctl enable restore-iptables-rules.service \
      && sudo systemctl start restore-iptables-rules.service

That should be it, now your KVM guests will be able to reach the network. (there, of course will be other things like enabling of forwarding which is als

Docker: ipvlan (ipv6)

Due to macvlan instability, I moved my "public" network from macvlan to ipvlan. While I was doing this, I ran into a problem which caused me no end of grief. No matter what I did, I could not get my ipv6 to work; ipv4 did work, but not ipv6. I was following the bobcares "Alpine Docker enable IPv6: How to?" instructions to the letter, or so I thought. My configuration was:

    docker network create -d ipvlan -o parent=eth0 \
      --subnet 10.10.43.0/24 \
      --gateway 10.10.43.1 \
      --subnet "fd80:1::/64" \
      --gateway "fd80:1::1" \
      --ipv6 \
      public

No matter what I did, it did not work. Then suddenly I remembered, in another setup (which also took a while to get working), I had to move "-o parent=eth0" to the end, like:

    docker network create -d ipvlan \
      --subnet 10.10.43.0/24 \
      --gateway 10.10.43.1 \
      --subnet "fd80:1::/64" \
      --gateway "fd80:1::1" \
      --ipv6 \
      -o parent=eth0 pu

Docker: macvlan crashing

I have been using macvlan for a very long time, and have had no problems whatsoever. Now suddenly I started having an issue which would lock up my box (I'm running +25 containers); the box would run for anything from 15 minutes to 24 hours (sometimes longer) but it would lock up. The only notification I would get would be an exception like this in dmesg:

    Oct 21 00:51:10 <box> kernel: [22600.504145] ------------[ cut here ]------------
    Oct 21 00:51:10 <box> kernel: [22600.504183] WARNING: CPU: 0 PID: 303960 at net/netfilter/nf_conntrack_core.c:1123 __nf_conntrack_confirm+0x3ff/0x480 [nf_conntrack]
    Oct 21 00:51:10 <box> kernel: [22600.504186] Modules linked in: tcp_diag udp_diag inet_diag xt_nat xt_tcpudp veth macvlan xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xfrm_user nft_counter xt_addrtype nft_compat nf_tables nfnetlink br_netfilter overlay bridge stp llc mlx5_core(OE) mlxfw(OE) mlxdevm(O

Kviknet and IPv6

I decided to switch ISP, mainly because Hiper (Danish) was using a VLAN for their connection, which made pfSense and my APU3 board require a reboot every time I changed anything. Kviknet has a good reputation (wonder why) in Denmark; they are not cheap and they have the same opening hours as everyone else - meaning until 16:30 and closed during weekends. I sometimes wonder how companies who need 24/7 internet get on with that ... well it's Denmark. Kviknet has an interesting way to do IPv6: your router gets an SLAAC-assigned IPv6 address on the public side (wan) and you get a ::/48 network from Kviknet to use on your lan. To some degree it does make sense; you can then configure your lan with static addresses as you see fit, and for dynamic assignment you use RA stateless dhcp *) ... which works for everything. (I need to get my piHole configured with a static IPv6 so that I can use that ...). pfSense is a pain, I do like it, but they are light years behind their main competitor