
network: automatically set accept_ra when using SLAAC

Open Ulexus opened this issue 3 years ago • 11 comments

Feature Request

If a user is receiving their IPv6 address via SLAAC, it is very likely that they are also expecting to receive routes via Router Advertisements. The default kernel behaviour, however, is to ignore router advertisements if ip_forwarding is enabled. This is done because usually when ip_forwarding is enabled, the node is acting as a router, so such routes will be otherwise configured.

In Kubernetes, however, while the node is technically a router, people expect to operate it as a node. Thus, we should also accept router advertisements on any host interface which obtains a SLAAC address.

In order to do this, we need to set net.ipv6.conf.<interface_name>.accept_ra to 2 instead of the default 1.

Description

Ulexus avatar Jun 24 '21 21:06 Ulexus
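The rule described in the issue above, as an added example that is not part of the original issue or the Talos code base: a shell audit that reads `accept_ra` and `forwarding` for each interface and reports whether Router Advertisements will be acted on. The function names (`ra_verdict`, `ra_audit`, `make_sample`) are assumptions, and the sample tree is constructed, not real host data.

```shell
#!/bin/sh
# Added example: report whether each interface will act on Router Advertisements.

# Kernel rule: with forwarding on, only accept_ra=2 accepts RAs;
# with forwarding off, any non-zero accept_ra accepts them.
ra_verdict() {  # $1 = accept_ra, $2 = forwarding
    if [ "$2" -ne 0 ]; then
        if [ "$1" -eq 2 ]; then echo accepted; else echo ignored; fi
    else
        if [ "$1" -ne 0 ]; then echo accepted; else echo ignored; fi
    fi
}

# ra_audit [ROOT]: one line per interface; ROOT defaults to the live sysctl tree.
ra_audit() {
    root="${1:-/proc/sys/net/ipv6/conf}"
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        # "all" and "default" are not real interfaces; lo is skipped.
        case "$iface" in all|default|lo) continue ;; esac
        [ -r "$dir/accept_ra" ] && [ -r "$dir/forwarding" ] || continue
        ra=$(cat "$dir/accept_ra")
        fwd=$(cat "$dir/forwarding")
        echo "$iface accept_ra=$ra forwarding=$fwd RA=$(ra_verdict "$ra" "$fwd")"
    done
}

# Constructed sample tree (not real host data): name:accept_ra:forwarding.
make_sample() {
    tmp=$(mktemp -d) || return 1
    for spec in default:2:1 eth0:2:1 eth1:1:1 eth2:1:0 eth3:0:0; do
        name=${spec%%:*}; rest=${spec#*:}
        mkdir -p "$tmp/$name"
        echo "${rest%%:*}" > "$tmp/$name/accept_ra"
        echo "${rest#*:}" > "$tmp/$name/forwarding"
    done
    echo "$tmp"
}

sample=$(make_sample)
ra_audit "$sample"
rm -rf "$sample"
```

Calling `ra_audit` with no argument on a Linux host inspects the live values under `/proc/sys/net/ipv6/conf`.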

Any chance we can pick this up for v0.14?

anthr76 avatar Nov 22 '21 22:11 anthr76

@anthr76 we don't have this scheduled for 0.14 most probably, but this should be updateable via .machine.sysctls in the machine configuration

smira avatar Nov 24 '21 14:11 smira

This is useful so kubernetes nodes themselves also have IPv6 connectivity between each other, especially in IPv6-only deployments. Same applies to https://github.com/talos-systems/talos/issues/3840.

Also note some CNIs (such as flannel) seem to require dualstack on the nodes to provide dualstack for pods.

flokli avatar Feb 07 '22 09:02 flokli

Party!

telmich avatar Feb 08 '22 16:02 telmich

Unfortunately, it is not working.

# sysctl net.ipv6.conf.eth1.accept_ra
net.ipv6.conf.eth1.accept_ra = 1
# sysctl net.ipv6.conf.all.accept_ra
net.ipv6.conf.all.accept_ra = 1
# sysctl net.ipv6.conf.default.accept_ra
net.ipv6.conf.default.accept_ra = 2

Maybe it will work directly for a specific interface: net.ipv6.conf.eth0.accept_ra=2

sergelogvinov avatar Mar 08 '22 19:03 sergelogvinov

Ugh. Well, that certainly makes things more complicated.

Ulexus avatar Mar 08 '22 19:03 Ulexus

I wonder why it would work for net.ipv6.conf.default.forwarding but not net.ipv6.conf.default.accept_ra...

Ulexus avatar Mar 08 '22 19:03 Ulexus

Proposal:

Depending on the cloud provider (platform), we need to disable/enable SLAAC on the interface.

For example, add an option to the LinkSpecs.net.talos.dev resource:

https://github.com/siderolabs/talos/blob/91a49c4e7c0495794a991ab7742cd06339ce072d/pkg/machinery/resources/network/link_spec.go#L23-L34

like:

	// IPv6 accept router advertisement.
	AcceptRA bool `yaml:"acceptRa,omitempty"`

AcceptRA is a boolean: false => accept_ra=0, true => accept_ra=3. By default, AcceptRA will be true for all non-local interfaces (!lo, !dummy).

To override the default value we can add the param in machine-config.

  network:
    interfaces:
      - interface: eth1
        disabledRA: true

sergelogvinov avatar May 13 '22 05:05 sergelogvinov

https://github.com/systemd/systemd/blob/bc33789a06e5a727fa4662b0dfcbe02ef7e46687/man/systemd.network.xml#L727-L753

smira avatar Sep 19 '22 17:09 smira

RA implementation in Go: https://github.com/mdlayher/ndp

smira avatar Sep 19 '22 17:09 smira

Any updates?

maxpain avatar Mar 07 '24 09:03 maxpain