
Enable IPv6 support in VM when IPv6 address is assigned

Open yoheiueda opened this issue 4 years ago • 4 comments

When we enable IPv6 support in Docker, a runq container fails to start. https://docs.docker.com/config/daemon/ipv6/

# docker run --runtime runq --rm busybox ip addr show eth0
[init(1) 7291815] permission denied
main.setupNetwork
	/runq/cmd/init/network.go:74
main.runInit
	/runq/cmd/init/main.go:140
main.main
	/runq/cmd/init/main.go:48
runtime.main
	/usr/local/go/src/runtime/proc.go:204
runtime.goexit
	/usr/local/go/src/runtime/asm_s390x.s:779

This is because the default sysctl settings defined in cfg.go disable IPv6 support in the VM. https://github.com/gotoz/runq/blob/d013e878cc2f35d23b4e85f5ac60ff9a872f27c4/internal/cfg/cfg.go#L23-L32

To enable IPv6 in runq, we need to explicitly specify the sysctl options as follows.

# docker run --runtime runq --rm --sysctl net.ipv6.conf.all.disable_ipv6=0 --sysctl net.ipv6.conf.default.disable_ipv6=0 busybox ip addr show eth0
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether ee:17:03:1a:3d:1a brd ff:ff:ff:ff:ff:ff
    inet 172.31.0.2/16 brd 172.31.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1::242:ac1f:2/64 scope global flags 02
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe1f:2/64 scope link tentative
       valid_lft forever preferred_lft forever

This behavior is inconvenient when IPv6 is enabled.

This patch enables IPv6 support in runq when the proxy detects an IPv6 address.

yoheiueda avatar Sep 11 '20 05:09 yoheiueda

Thanks @yoheiueda for this PR. Can you please add a simple test case with 2 runq containers talking to each other via IPv6, similar to the existing test case in net.sh?

pmorjan avatar Sep 16 '20 09:09 pmorjan

OK, I will add a test case to net.sh

yoheiueda avatar Sep 17 '20 05:09 yoheiueda

It turns out that we need to configure macvtap to let it pass multicast packets correctly in order to make IPv6 work.

https://superuser.com/questions/944678/how-to-configure-macvtap-to-let-it-pass-multicast-packet-correctly#1033768

With libvirt, we can enable it by setting trustGuestRxFilters="yes". I need further investigation on how to enable it without libvirt.

I also noticed that we should not copy link-local addresses from host to guest. https://en.wikipedia.org/wiki/Link-local_address#IPv6

yoheiueda avatar Oct 01 '20 05:10 yoheiueda
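
An added illustration, not part of this thread and not runq's code: one way to combine the two points raised so far, enabling IPv6 in the guest only when the container interface carries a non-link-local IPv6 address, and never copying `fe80::/10` addresses from host to guest. The helper name `guestIPv6Plan` and the policy of leaving the defaults untouched for link-local-only interfaces are assumptions.

```go
package main

import (
	"fmt"
	"net"
)

// guestIPv6Plan is a hypothetical helper, not runq code. Input: CIDR addresses
// found on the container interface. Output: the addresses to copy into the VM
// and the sysctl overrides needed so that copied IPv6 addresses can be assigned.
func guestIPv6Plan(cidrs []string) ([]string, map[string]string, error) {
	var copyAddrs []string
	sysctls := map[string]string{}
	hasIPv6 := false
	for _, c := range cidrs {
		ip, _, err := net.ParseCIDR(c)
		if err != nil {
			return nil, nil, fmt.Errorf("bad address %q: %w", c, err)
		}
		if ip.To4() == nil { // IPv6
			if ip.IsLinkLocalUnicast() {
				// fe80::/10 is only valid on its own link; the guest
				// kernel derives its own once IPv6 is enabled.
				continue
			}
			hasIPv6 = true
		}
		copyAddrs = append(copyAddrs, c)
	}
	if hasIPv6 {
		// Assumption: override the IPv6-disabled defaults only when needed.
		sysctls["net.ipv6.conf.all.disable_ipv6"] = "0"
		sysctls["net.ipv6.conf.default.disable_ipv6"] = "0"
	}
	return copyAddrs, sysctls, nil
}

func main() {
	// Addresses taken from the `ip addr show eth0` output in this thread.
	addrs, sysctls, err := guestIPv6Plan([]string{
		"172.31.0.2/16", "2001:db8:1::242:ac1f:2/64", "fe80::42:acff:fe1f:2/64",
	})
	fmt.Println(addrs, sysctls, err)
}
```

An IPv4-only container keeps the IPv6-disabled defaults, so the guest's IPv6 stack stays off unless an address actually requires it.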

I did some experiments with multicast in the past. There is a netlink function: https://godoc.org/github.com/vishvananda/netlink#LinkSetAllmulticastOn

pmorjan avatar Oct 01 '20 06:10 pmorjan

Stale PR

yoheiueda avatar Apr 27 '23 08:04 yoheiueda