docker: enable IPv6 networking, use a specific IPv4 subnet

And also add documentation on how to use IPv6. The proposed setup relies
on NAT66, which is not good, but it works on any host with IPv6
connectivity. The documentation explains how to configure routed IPv6.

By using an IPv4 subnet in class E, we ensure that it is very unlikely
users will have overlap between their Docker setup and their production
network. This way, no need to change the Docker daemon configuration.

console/data/docs/04-operations.md

@@ -707,3 +707,62 @@ drop the following tables:
 - any `flows_XXXXXvN_raw` and `flows_XXXXXvN_raw_consumer` when another table exists with a higher `N` value
 
 These tables do not contain data. If you make a mistake, you can restart the orchestrator to recreate them.
+
+## Docker
+
+The default Docker Compose setup is meant to get started quickly. However, you
+can keep it for production setup as well.
+
+### Composability
+
+The `.env` file selects the Docker Compose files that are assembled to have a
+complete setup. Look at the comments for some guidance. You should avoid to
+modify any existing files, except `docker/docker-compose-local.yml`, which
+should contain your local setup.
+
+This file can override parts of the configuration. You can check the final
+configuration with `docker compose config`. Scalars and lists are replaced,
+while dictionaries are merged. This makes removing values from a dictionary
+difficult.
+
+You can disable some services by using profiles:
+
+```yaml
+services:
+  akvorado-inlet:
+    profiles: ["disabled"]
+```
+
+### Networking
+
+The default setup comes with both IPv4 and IPv6 enabled, using the NAT setup.
+For IPv6 to work correctly, you either need Docker Engine v27 or more recent, or
+you need to set `ip6tables` to `true` in `/etc/docker/daemon.json`.
+
+If you prefer to keep Docker default configuration, you can add this snippet to
+`docker/docker-compose-local.yml`:
+
+```yaml
+networks:
+  default:
+    ipv6_enable: false
+    ipam:
+      config: []
+```
+
+If you can route an IPv6 network to the Docker host, you can use the following
+snippet after putting the right subnet and gateway. This requires Docker Engine
+v27 or more recent.
+
+```yaml
+networks:
+  default:
+    driver: bridge
+    driver_opts:
+      com.docker.network.bridge.gateway_mode_ipv6: routed
+    ipam:
+      driver: default
+      config:
+        - subnet: 2001:db8::/64
+          gateway: 2001:db8::1
+```

console/data/docs/05-troubleshooting.md

@@ -257,22 +257,6 @@ If you don't get an answer, there may be several causes:
 
 - the community is incorrect and you need to fix it
 - the exporter is not configured to answer to SNMP requests
-- the exporter IP address is incorrect and you may have to clear the conntrack
-  entries with `conntrack -D -p udp --orig-port-dst 2055` (this should be done
-  automatically by the `conntracker-fixer` process, but it does not hurt to try)
-  or disable Docker userland proxy (see below snippet)
-- the Docker subnet (`docker network inspect akvorado_default --format '{{range
-  .IPAM.Config}}{{.Subnet}}{{end}}'`) overlaps your exporter IPs
-
-For both last issues, you can add this to `/etc/docker/daemon.json` and restart
-Docker:
-
-```json
-{
- "default-address-pools": [{"base":"240.0.0.0/16","size":24}],
- "userland-proxy": false
-}
-```
 
 Finally, check if flows are sent to ClickHouse successfully. Use this command:
 

console/data/docs/99-changelog.md

@@ -12,6 +12,8 @@ identified with a specific icon:
 
 ## Unreleased
 
+- 💥 *docker*: enforce a specific IPv4 subnet (in the reserved class E)
+- 🌱 *docker*: add IPv6 configuration
 - 🌱 *outlet*: insert asynchronously when flow count is low
 - 🌱 *docker*: expose Kafka UI (read-only) to the public endpoint
 

docker/docker-compose.yml

@@ -1,4 +1,13 @@
 ---
+networks:
+  default:
+    enable_ipv4: true
+    enable_ipv6: true
+    ipam:
+      config:
+        - subnet: 247.16.12.0/24
+        - subnet: fd1c:8ce2:6fb:1::/64
+
 volumes:
   akvorado-kafka:
   akvorado-geoip: