Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

enable ipv6 networks #8143

Merged
merged 3 commits into from
Nov 10, 2020
Merged

enable ipv6 networks #8143

merged 3 commits into from
Nov 10, 2020

Conversation

aojea
Copy link
Contributor

@aojea aojea commented Oct 25, 2020

enable the ipv6 flag in podman network to be able to create dual-stack network for containers.

This is required to be compatible with docker, where --ipv6 really means dual stack.

podman, unlike docker, support IPv6 only containers since 07e3f1b.

How to use it

  • Create a network
$ podman network create --ipv6 --subnet fd00:ff:123::/112 test
/home/aojea/.config/cni/net.d/test.conflist
  • Run a container in the new created network and check the ips and routes assigned
$ podman/bin/podman run -it --network test alpine ash
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP 
    link/ether e6:3d:d7:4f:77:6c brd ff:ff:ff:ff:ff:ff
    inet 10.88.2.2/24 brd 10.88.2.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd00:ff:123::2/112 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::e43d:d7ff:fe4f:776c/64 scope link 
       valid_lft forever preferred_lft forever
/ # ip route
default via 10.88.2.1 dev eth0 
10.88.2.0/24 dev eth0 scope link  src 10.88.2.2 
/ # ip -6 route
fd00:ff:123::/112 dev eth0  metric 256 
fe80::/64 dev eth0  metric 256 
default via fd00:ff:123::1 dev eth0  metric 1024 
ff00::/8 dev eth0  metric 256 

Signed-off-by: Antonio Ojea [email protected]

Fixes: #7302

@aojea aojea force-pushed the dual branch 2 times, most recently from 90684c8 to ce03bca Compare October 25, 2020 19:26
@aojea aojea changed the title enable ipv6 network configuration options enable ipv6 network Oct 25, 2020
@aojea aojea changed the title enable ipv6 network enable ipv6 networks Oct 25, 2020
@rhatdan
Copy link
Member

rhatdan commented Oct 25, 2020

Thanks @aojea
LGTM if tests pass.
@containers/podman-maintainers PTAL
@mheon @baude PTAL

@aojea aojea force-pushed the dual branch 5 times, most recently from 9df2d01 to 873df99 Compare October 25, 2020 22:51
@AkihiroSuda
Copy link
Collaborator

rootless-cni-infra needs to be started with IPv6-enabled slirp4netns?
https://github.com/containers/podman/blob/master/libpod/rootless_cni_linux.go#L285

@aojea
Copy link
Contributor Author

aojea commented Oct 26, 2020

rootless-cni-infra needs to be started with IPv6-enabled slirp4netns?
https://github.com/containers/podman/blob/master/libpod/rootless_cni_linux.go#L285

I was trying to find the problem, thanks.
I will take back the "skip" then, and it can be done in another PR

@aojea
Copy link
Contributor Author

aojea commented Oct 26, 2020

rootless-cni-infra needs to be started with IPv6-enabled slirp4netns?

why the previous test, for IPv4 only, works then?

@aojea
Copy link
Contributor Author

aojea commented Oct 26, 2020

@AkihiroSuda it fails because of this

[/sbin/ip6tables -t nat -S --wait]: exit status 3: modprobe: can't change directory to '/lib/modules': No such file or directory\nip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)\nPerhaps ip6tables or your kernel needs to be upgraded.\n\n"

do you know how can I enable ip6tables kernel modules on CI?

@aojea aojea force-pushed the dual branch 3 times, most recently from b0a5818 to cd86c75 Compare October 26, 2020 10:27
@aojea
Copy link
Contributor Author

aojea commented Oct 26, 2020

any idea why this is failing now?
PR title check / update_pr (pull_request_target

@dcbw
Copy link
Contributor

dcbw commented Oct 26, 2020

@mccv1r0 can you take a look at this too?

@QiWang19
Copy link
Contributor

any idea why this is failing now?
PR title check / update_pr (pull_request_target

@aojea There's a PR fixing this. Will pass after it gets merged.

@@ -63,6 +67,19 @@ Create a network named *newnet* that uses *192.5.0.0/16* for its subnet.
/etc/cni/net.d/newnet.conflist
```

Create a dual-stack network named *newDualnet* that uses an IPv6 range *2001:db8::/64* for its subnet.
The IPv4 range is autogenerated.
Copy link
Collaborator

@mccv1r0 mccv1r0 Oct 26, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why use 2001:db8::/64? Can't the IPv6 range can be autogenerated too? Preferably from a ULA and not a global range that someday might belong to someone?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is the current docker behaviour, you have to specify the IPv6 range to create the network, the 2001:db8::/64is just for documentation purposes, the user can specify any range meanwhile there is no conflict

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For docs it makes sense to use IPv6 Address Prefix Reserved for Documentation

When using create, maybe generate IPv6 prefix (from ULA) when the prefix is not supplied by user? I know docker doesn't do this but docker also doesn't have rootless either. We can improve on docker. Otherwise unless a prefix is provided to the users, they'll just take 2001:db8::/64 because it was in the doc.

Today, for IPv4, every podman system uses 10.88.0.0/16. I'm suggesting that this conflict be avoided with IPv6.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably add a default-prefix field in containers.conf for storing a v6 prefix to use (and, for that matter, an IPv4 prefix - I believe we are presently hardcoding our auto-assigned v4 prefixes to be the first open /24 in 10.89.0.0/16)

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When containers.conf is created for the first time, I suggest to use a Pseudo-Random Global ID to pick the prefix. The Subnet ID for each network can pick the first open value from there.

If user re-install, they get new ULA, which is what happens with CPE gear that follow RFC7084 get factory reset.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CLI is not strictly required to be Docker compatible, but we try to match them wherever possible for consistency and ease of migration; when we break compatibility, we should do so with good reason.

The REST API's compat endpoints are required to be strictly Docker compatible.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I personally think that changing the defaults or the behaviour respect docker should not be on the scope of this PR, since that will require more discussion, i.e, Michael suggestion is really interesting #8143 (comment) but that differs from IPv4 behaviour, where you always have a well-known-subnet and most CIs and user leverage (is kind of an API right now)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes lets talk about changes of defaults in a different PR. I am fine with adding something to containers.conf to implement the change. If @mccv1r0 defaults is a better idea, we could switch to that default and then allow users to switch containers.conf into Docker mode.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wait, do we use the same /64 for every new v6 network by default? I think we do need some logic to increment that if we already have a network with that subnet, otherwise we wait until CNI tries to start a container in the network to blow up with an error...

Copy link
Contributor Author

@aojea aojea Nov 9, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Current pr implement the docker behaviour, there is no defaulting for ipv6 subnets #8143 (comment)

I'm happy to keep contributing and follow up this discussion in a new pr/issue/meeting
#8143 (comment)

@rhatdan
Copy link
Member

rhatdan commented Oct 26, 2020

/approve

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 26, 2020
@aojea
Copy link
Contributor Author

aojea commented Oct 27, 2020

/retest

@openshift-ci-robot
Copy link
Collaborator

@aojea: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@aojea
Copy link
Contributor Author

aojea commented Nov 9, 2020

One last comment on IPv6 default subnet selection - I don't think we have to figure out autogeneration, but I do think we need to ensure that we don't make networks with duplicate IPv6 subnets. If I call podman network create --ipv6 twice and do not specify a subnet, either the second call should error that the default subnet is in use and you have to select a new one, or it should automatically select another subnet not in use.

podman network create --ipv6 without a subnet is an error, same as docker does

@mheon
Copy link
Member

mheon commented Nov 9, 2020

That's not what I got out of the manpages? They mention a specific subnet. I'm OK with merging this assuming the mention of the subnet in the manpages is removed, and a test for two networks with the same subnet is added.

@aojea
Copy link
Contributor Author

aojea commented Nov 9, 2020

That's not what I got out of the manpages? They mention a specific subnet. I'm OK with merging this assuming the mention of the subnet in the manpages is removed, and a test for two networks with the same subnet is added.

clarified the manpage and added testcases for creation of network with duplicate subnets

@mheon
Copy link
Member

mheon commented Nov 9, 2020

LGTM

Needs one more to merge - @containers/podman-maintainers PTAL

@TomSweeneyRedHat
Copy link
Member

Tests don't look happy....

enable the ipv6 flag in podman network to be able to create
dual-stack networks for containers.

This is required to be compatible with docker, where --ipv6
really means dual stack.

podman, unlike docker, support IPv6 only containers since
07e3f1b.

Signed-off-by: Antonio Ojea <[email protected]>
Antonio Ojea added 2 commits November 10, 2020 11:03
add e2e test that checks that is not possible to create
different networks with the same subnet, in IPv6 neither
in IPv4

Signed-off-by: Antonio Ojea <[email protected]>
The IPv6 e2e tests on the CI for rootles mode fails because
it needs the ip6tables modules loaded.

Example error:

stdout="", stderr="failed to list chains: running [/sbin/ip6tables -t nat -S --wait]: exit status 3: modprobe: can't change directory to '/lib/modules': No such file or directory\nip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)\nPerhaps ip6tables or your kernel needs to be upgraded.\n\n"

Signed-off-by: Antonio Ojea <[email protected]>
@openshift-ci-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aojea, mccv1r0, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mheon
Copy link
Member

mheon commented Nov 10, 2020

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Nov 10, 2020
@aojea
Copy link
Contributor Author

aojea commented Nov 10, 2020

rdoproject.org/github-check — github-check status: failure

at least the rh job fails with the following error

Problem: problem with installed package podman-catatonit-2.0.5-5.module+el8.3.0+8221+97165c3f.x86_64

  • package podman-catatonit-2.0.5-5.module+el8.3.0+8221+97165c3f.x86_64 requires podman = 2.0.5-5.module+el8.3.0+8221+97165c3f, but none of the providers can be installed
  • cannot install both podman-2.2.0-1605002806.gitaabf28a1.el8.x86_64 and podman-2.0.5-5.module+el8.3.0+8221+97165c3f.x86_64
  • conflicting requests

@daiaji
Copy link

daiaji commented Dec 16, 2020

When I use podman network create --ipv6 --subnet 1::/86 test to create a network, I always get this error...

Error: network 1::/86 is being used by a network interface

Should I manually set the ipv6 address for the host instead of obtaining it automatically?

And the ISP of my home network only provides me with random IPv6 prefixes and IPv6-PD. Does podman support this?

@aojea
Copy link
Contributor Author

aojea commented Dec 16, 2020

--subnet 1::/86

that subnet is not very common and in a reserved range, https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml

I suggest to go with an ULA subnet as in the example and the docs I´ve added

$ podman network create --ipv6 --subnet fd00:ff:123::/112 test
/home/aojea/.config/cni/net.d/test.conflist

Should I manually set the ipv6 address for the host instead of obtaining it automatically?

the ipv6 of the host depends on your network, what you define with the podman network create is the subnet that podman will create to run its containers

And the ISP of my home network only provides me with random IPv6 prefixes and IPv6-PD. Does podman support this?

podman defines a network in your host, is on the user to decide how and which technology to use to cascade the ISP prefixes to the host where podman is running

@daiaji
Copy link

daiaji commented Dec 16, 2020

--subnet 1::/86

Don't mind, that is just an example, just to cover up the global unicast address I actually use.

podman defines a network in your host, is on the user to decide how and which technology to use to cascade the ISP prefixes to the host where

podman is running
Is there any documentation? I want to see.

But in fact, if podman cannot automatically obtain the ipv6 prefix, maybe in my network environment, ipv6 cannot be used at all, after all, the prefixes distributed by ISP are always changing.

@rhatdan
Copy link
Member

rhatdan commented Dec 17, 2020

@mccv1r0 WDYT?

@mccv1r0
Copy link
Collaborator

mccv1r0 commented Dec 17, 2020

Should I manually set the ipv6 address for the host instead of obtaining it automatically?

And the ISP of my home network only provides me with random IPv6 prefixes and IPv6-PD. Does podman support this?

Yes set it manually. There isn't support for obtaining it automatically.

What your ISP is doing is typical. How one obtains an IPv6 address from ISP, IT department, Cloud etc. is out of scope for podman. DHCPv6 Prefix Delegation helps, but not everyone uses DHCP. DHCPv6 is also performed on interface that podman has no idea about, and using a DHCPv6 client that is very dependent on what was installed on the specific version of Linux itself.

It could be possible someday to pick one DHCPv6 client (Network Manager?) and automate things such that a delegated prefix gets used by an invocation of podman network create but nothing in the works yet.

@daiaji
Copy link

daiaji commented Dec 20, 2020

Although the networks I use now are dual-stack networks, maybe in the future, only ipv6 only networks may be available. If podman cannot automatically obtain an ipv6 address, how can I use podman on my home network in the future?
But no matter what, I look forward to relevant progress

@aojea aojea mentioned this pull request May 24, 2021
@daiaji
Copy link

daiaji commented Jul 29, 2021

Excuse me, until now, there is still no progress in setting the ipv6 address automatically?

@mheon
Copy link
Member

mheon commented Jul 29, 2021

If you don't require static v6 IPs, dual-stack v4 and v6 and single-stack v6 are both working fine right now.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. ok-to-test
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Podman vs Docker networking: IPv4, IPv6 and Dual Stack