-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
enable ipv6 networks #8143
enable ipv6 networks #8143
Conversation
90684c8
to
ce03bca
Compare
9df2d01
to
873df99
Compare
rootless-cni-infra needs to be started with IPv6-enabled slirp4netns? |
I was trying to find the problem, thanks. |
why the previous test, for IPv4 only, works then? |
@AkihiroSuda it fails because of this
do you know how can I enable ip6tables kernel modules on CI? |
b0a5818
to
cd86c75
Compare
any idea why this is failing now? |
@mccv1r0 can you take a look at this too? |
@aojea There's a PR fixing this. Will pass after it gets merged. |
@@ -63,6 +67,19 @@ Create a network named *newnet* that uses *192.5.0.0/16* for its subnet. | |||
/etc/cni/net.d/newnet.conflist | |||
``` | |||
|
|||
Create a dual-stack network named *newDualnet* that uses an IPv6 range *2001:db8::/64* for its subnet. | |||
The IPv4 range is autogenerated. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why use 2001:db8::/64
? Can't the IPv6 range can be autogenerated too? Preferably from a ULA and not a global range that someday might belong to someone?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is the current docker behaviour, you have to specify the IPv6 range to create the network, the 2001:db8::/64
is just for documentation purposes, the user can specify any range meanwhile there is no conflict
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For docs it makes sense to use IPv6 Address Prefix Reserved for Documentation
When using create, maybe generate IPv6 prefix (from ULA) when the prefix is not supplied by user? I know docker doesn't do this but docker also doesn't have rootless either. We can improve on docker. Otherwise unless a prefix is provided to the users, they'll just take 2001:db8::/64
because it was in the doc.
Today, for IPv4, every podman system uses 10.88.0.0/16. I'm suggesting that this conflict be avoided with IPv6.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should probably add a default-prefix field in containers.conf for storing a v6 prefix to use (and, for that matter, an IPv4 prefix - I believe we are presently hardcoding our auto-assigned v4 prefixes to be the first open /24 in 10.89.0.0/16)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When containers.conf
is created for the first time, I suggest to use a Pseudo-Random Global ID to pick the prefix. The Subnet ID for each network can pick the first open value from there.
If user re-install, they get new ULA, which is what happens with CPE gear that follow RFC7084 get factory reset.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The CLI is not strictly required to be Docker compatible, but we try to match them wherever possible for consistency and ease of migration; when we break compatibility, we should do so with good reason.
The REST API's compat endpoints are required to be strictly Docker compatible.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I personally think that changing the defaults or the behaviour respect docker should not be on the scope of this PR, since that will require more discussion, i.e, Michael suggestion is really interesting #8143 (comment) but that differs from IPv4 behaviour, where you always have a well-known-subnet and most CIs and user leverage (is kind of an API right now)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes lets talk about changes of defaults in a different PR. I am fine with adding something to containers.conf to implement the change. If @mccv1r0 defaults is a better idea, we could switch to that default and then allow users to switch containers.conf into Docker mode.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wait, do we use the same /64 for every new v6 network by default? I think we do need some logic to increment that if we already have a network with that subnet, otherwise we wait until CNI tries to start a container in the network to blow up with an error...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Current pr implement the docker behaviour, there is no defaulting for ipv6 subnets #8143 (comment)
I'm happy to keep contributing and follow up this discussion in a new pr/issue/meeting
#8143 (comment)
/approve |
/retest |
@aojea: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
That's not what I got out of the manpages? They mention a specific subnet. I'm OK with merging this assuming the mention of the subnet in the manpages is removed, and a test for two networks with the same subnet is added. |
clarified the manpage and added testcases for creation of network with duplicate subnets |
LGTM Needs one more to merge - @containers/podman-maintainers PTAL |
Tests don't look happy.... |
enable the ipv6 flag in podman network to be able to create dual-stack networks for containers. This is required to be compatible with docker, where --ipv6 really means dual stack. podman, unlike docker, support IPv6 only containers since 07e3f1b. Signed-off-by: Antonio Ojea <[email protected]>
add e2e test that checks that is not possible to create different networks with the same subnet, in IPv6 neither in IPv4 Signed-off-by: Antonio Ojea <[email protected]>
The IPv6 e2e tests on the CI for rootles mode fails because it needs the ip6tables modules loaded. Example error: stdout="", stderr="failed to list chains: running [/sbin/ip6tables -t nat -S --wait]: exit status 3: modprobe: can't change directory to '/lib/modules': No such file or directory\nip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)\nPerhaps ip6tables or your kernel needs to be upgraded.\n\n" Signed-off-by: Antonio Ojea <[email protected]>
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aojea, mccv1r0, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/lgtm |
at least the rh job fails with the following error
|
When I use
Should I manually set the ipv6 address for the host instead of obtaining it automatically? And the ISP of my home network only provides me with random IPv6 prefixes and IPv6-PD. Does podman support this? |
that subnet is not very common and in a reserved range, https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml I suggest to go with an ULA subnet as in the example and the docs I´ve added
the ipv6 of the host depends on your network, what you define with the
podman defines a network in your host, is on the user to decide how and which technology to use to cascade the ISP prefixes to the host where podman is running |
Don't mind, that is just an example, just to cover up the global unicast address I actually use.
podman is running But in fact, if podman cannot automatically obtain the ipv6 prefix, maybe in my network environment, ipv6 cannot be used at all, after all, the prefixes distributed by ISP are always changing. |
@mccv1r0 WDYT? |
Yes set it manually. There isn't support for obtaining it automatically. What your ISP is doing is typical. How one obtains an IPv6 address from ISP, IT department, Cloud etc. is out of scope for podman. DHCPv6 Prefix Delegation helps, but not everyone uses DHCP. DHCPv6 is also performed on interface that podman has no idea about, and using a DHCPv6 client that is very dependent on what was installed on the specific version of Linux itself. It could be possible someday to pick one DHCPv6 client (Network Manager?) and automate things such that a delegated prefix gets used by an invocation of |
Although the networks I use now are dual-stack networks, maybe in the future, only ipv6 only networks may be available. If podman cannot automatically obtain an ipv6 address, how can I use podman on my home network in the future? |
Excuse me, until now, there is still no progress in setting the ipv6 address automatically? |
If you don't require static v6 IPs, dual-stack v4 and v6 and single-stack v6 are both working fine right now. |
enable the ipv6 flag in podman network to be able to create dual-stack network for containers.
This is required to be compatible with docker, where --ipv6 really means dual stack.
podman, unlike docker, support IPv6 only containers since 07e3f1b.
How to use it
$ podman network create --ipv6 --subnet fd00:ff:123::/112 test /home/aojea/.config/cni/net.d/test.conflist
Signed-off-by: Antonio Ojea [email protected]
Fixes: #7302