Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Explicitly enable IPv6 sysctl #113

Merged
merged 1 commit into from
Feb 14, 2018
Merged

Explicitly enable IPv6 sysctl #113

merged 1 commit into from
Feb 14, 2018

Conversation

nyren
Copy link
Contributor

@nyren nyren commented Feb 1, 2018

If CNI is about to configure an IPv6 address, make sure IPv6 is not disabled through the "disable_ipv6" sysctl setting.

This is a workaround for Docker 17.x which sets disable_ipv6=1 for all interfaces even if ipv6 is enabled in Docker.

Please see containernetworking/cni#531 for a more detail discussion of the issue.

dcbw
dcbw reviewed Feb 7, 2018
View reviewed changes
pkg/ipam/ipam_linux.go Outdated
// an IPv6 address to the interface
if !has_enabled_ipv6 && ipc.Version == "6" {
// Enable IPv6 for the interface being configured as well as
// loopback "lo", "all" and "default"
Copy link
Member

@dcbw dcbw Feb 7, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any particular reason to do this for lo, all, and default? It may not be wanted/needed on other interfaces created by other CNI chains executing for the same container. Also if we want 'lo' to have IPv6 enabled, then that should probably be decided by the loopback plugin, not here. eg, loopback should call ConfigureIface() with an IPv6 LL address.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are right, for all and default I do not have any particularly strong reason. My reasoning was that it would be better to have the default to be "IPv6-enabled" but this is not something CNI need to enforce.

Regarding the loopback interface lo I could not get the kube-dns pod to run without IPv6 enabled on lo. If I understood correctly, kube-dns uses 3 containers sharing the same network NS, and the containers use the loopback device for internal communication. When running kube-dns with IPv6 it expects ::1 (IPv6 on loopback) to be available.

I think it is fairly reasonable to assume that applications running IPv6 would expect IPv6 to be available on loopback.

I have updated the pull-request to only enable IPv6 for lo and the interface being configured by CNI. Thanks for the feedback!

@squeed
Copy link
Member

squeed commented Feb 12, 2018
edited
Loading

Man, it's frustrating that we have to fix this in CNI... Bah. Thanks for taking care of this.

Anyways, could you add some code to only touch the sysctl if needed? There are some environments where the /proc/sys is read-only, but it's OK because we don't need to change anything.

@squeed
Copy link
Member

squeed commented Feb 12, 2018

Looking at our sysctl library, I seen now that it's really weird. That varadic function doesn't really make sense. I think it needs a rewrite. I can take care of this, if you like.

@nyren
Copy link
Contributor Author

nyren commented Feb 12, 2018

Yes, totally agree, really frustrating.

The code should only hit the sysctl if an IPv6 address is about to be configured, no unit tests unfortunately but I tested it manually. The implementation also make sure to only write the sysctl once per interface.

Regarding read-only /proc/sys the code should then just silently fail (I intentionally do not check the return value of the sysctl function) with the reasoning that we will fail later anyway. A way to log a warning would be nice though.

I am quite the n00b when it comes to go programming so if there is anything that needs to be fixed in the sysctl library I would gladly hand it over to you :)

The patch seems to work at least, I have a 20+ nodes cluster which happily runs IPv6-only kubernetes with CNI bridge on Docker 17.12 now.

@nyren
Copy link
Contributor Author

nyren commented Feb 12, 2018

Ah, you mean reading back the sysctl first and only writing if necessary? Sure, I can fix that. Do you think it is safe to error out if the write fails then?

@nyren
Explicitly enable IPv6 sysctl
08ec299 
If CNI is about to configure an IPv6 address, make sure IPv6 is not
disabled through the "disable_ipv6" sysctl setting.

This is a workaround for Docker 17.06 and later which sets
disable_ipv6=1 for all interfaces even if ipv6 is enabled in Docker.
@nyren
Copy link
Contributor Author

nyren commented Feb 13, 2018

Pull request updated to only write the disable_ipv6 sysctl if necessary. The implementation will now return an error if it is unable to write the sysctl. Hope it does not break things.

I had a look at the Sysctl() implementation and the variadic looks OK to me. If you want to read a value you run value, err := sysctl.Sysctl("net.ipv6.conf.whatever") and to write a new value _, err := sysctl.Sysctl("net.ipv6.conf.whatever", "new_value"). Seems to work that way at least :)

Btw, there is no logging framework available in CNI at the moment, right?

@abhijitherekar
Copy link

abhijitherekar commented Feb 13, 2018
edited
Loading

Hey Nyren,

I am still not following even if the sysctl is present how can you write to the /proc/sys file-system of a POD as its only read-only.??

It will always fail. right?

@nyren
Copy link
Contributor Author

nyren commented Feb 14, 2018

@abhijitherekar let us continue the discussion on why things works as they do in containernetworking/cni#531. Best to keep the pull request comments focused on the implementation details.

However, if you did test the patch and it failed, then of course let me know here.

squeed
squeed reviewed Feb 14, 2018
View reviewed changes
pkg/ipam/ipam_linux.go
// Read current sysctl value
value, err := sysctl.Sysctl(ipv6SysctlValueName)
if err != nil || value == "0" {
// FIXME: log warning if unable to read sysctl value
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed, we don't currently have a logging strategy. It's not a big deal right now; if this fails, then the address will either apply or fail.

squeed
squeed approved these changes Feb 14, 2018
View reviewed changes
Copy link
Member

@squeed squeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested; LGTM

@squeed
Copy link
Member

squeed commented Feb 14, 2018

Need a second maintainer to approve.

@squeed
Copy link
Member

squeed commented Feb 14, 2018

Gonna try and pull this in to the v0.7.0 release.

@squeed squeed added this to the v0.7.0 milestone Feb 14, 2018
@matthewdupre matthewdupre merged commit dd8ff8a into containernetworking:master Feb 14, 2018
@cpuguy83 cpuguy83 mentioned this pull request Nov 13, 2018
Closed
@telmich
Copy link

telmich commented Dec 22, 2018

Hello,

I was wondering whether this has been included into k8s 1.13 or whether/how to get this change? It sems I am affected by this docker "bug", too.

@nickolaev nickolaev mentioned this pull request May 2, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dcbw dcbw dcbw left review comments

@matthewdupre matthewdupre matthewdupre approved these changes

@squeed squeed squeed approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v0.7.0
Development

Successfully merging this pull request may close these issues.
6 participants
@nyren @squeed @abhijitherekar @telmich @matthewdupre @dcbw