
move ghcr.io/siderolabs/* images to registry accessible from ipv6 only hosts

Open jlgeering opened this issue 3 years ago • 6 comments

Feature Request

ghcr.io has no AAAA record / is not accessible directly from ipv6 only machines, thus ghcr.io/siderolabs/kubelet cannot be downloaded, kubelet doesn't start

NB for someone trying this, to get to this point, ipv6 nameservers and ntp servers have to be configured, for example:

machine:
    network:
        nameservers:
            # see https://1.1.1.1/dns/ => Setup on ... => "Router"
            # - 1.1.1.1
            - 2606:4700:4700::1111
            - 2606:4700:4700::1001
            # see https://developers.google.com/speed/public-dns/docs/using
            # - 8.8.8.8
            - 2001:4860:4860::8888
            - 2001:4860:4860::8844
    time:
        servers:
            # https://linuxreviews.org/IPv6-listening_NTP_servers
            - 2.pool.ntp.org
            - time.cloudflare.com

Description

Would you mind hosting the finished images on gcr.io or mirroring to some registry with ipv6 enabled and setup?

Context

Hetzner is now offering ipv6 only machines (ipv4 costs extra)

jlgeering Sep 18 '22 18:09

list of images from https://github.com/siderolabs/talos/releases/tag/v1.2.2 (or talosctl images)

ghcr.io/siderolabs/flannel:v0.19.2
ghcr.io/siderolabs/install-cni:v1.2.0-1-g116c5a9
docker.io/coredns/coredns:1.9.3
gcr.io/etcd-development/etcd:v3.5.4
k8s.gcr.io/kube-apiserver:v1.25.0
k8s.gcr.io/kube-controller-manager:v1.25.0
k8s.gcr.io/kube-scheduler:v1.25.0
k8s.gcr.io/kube-proxy:v1.25.0
ghcr.io/siderolabs/kubelet:v1.25.0
ghcr.io/siderolabs/installer:v1.2.2
k8s.gcr.io/pause:3.6

problematic:

  • ghcr.io/siderolabs/*
  • docker.io/coredns/coredns => maybe possible to switch to registry.ipv6.docker.com (but that is ipv6 only)

jlgeering Sep 18 '22 19:09
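The "problematic" classification in the comment above can be reproduced for any image list by resolving each registry host for AAAA records. This is an added example, not part of the original thread; the function names and the mapping of docker.io to its pull endpoint registry-1.docker.io are this example's own choices.

```python
import socket

# Image list copied from the comment above (Talos v1.2.2).
IMAGES = [
    "ghcr.io/siderolabs/flannel:v0.19.2",
    "ghcr.io/siderolabs/install-cni:v1.2.0-1-g116c5a9",
    "docker.io/coredns/coredns:1.9.3",
    "gcr.io/etcd-development/etcd:v3.5.4",
    "k8s.gcr.io/kube-apiserver:v1.25.0",
    "k8s.gcr.io/kube-controller-manager:v1.25.0",
    "k8s.gcr.io/kube-scheduler:v1.25.0",
    "k8s.gcr.io/kube-proxy:v1.25.0",
    "ghcr.io/siderolabs/kubelet:v1.25.0",
    "ghcr.io/siderolabs/installer:v1.2.2",
    "k8s.gcr.io/pause:3.6",
]
# Assumption of this example: docker.io pulls are served by registry-1.docker.io.
PULL_ENDPOINT = {"docker.io": "registry-1.docker.io"}

def registry_host(image):
    """Return the registry part of an image reference (docker.io if none is given)."""
    first, _, rest = image.partition("/")
    # The first path component is a registry only if it looks like a host name.
    if rest and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def has_aaaa(host):
    """True if the host resolves to at least one IPv6 address.
    Behind DNS64 this is also True for IPv4-only hosts (synthesized AAAA)."""
    try:
        return bool(socket.getaddrinfo(host, 443, socket.AF_INET6, socket.SOCK_STREAM))
    except socket.gaierror:
        return False

def images_without_ipv6(images, resolver=has_aaaa):
    """Return {pull host: [images]} for every registry host that lacks IPv6."""
    by_host = {}
    for image in images:
        registry = registry_host(image)
        by_host.setdefault(PULL_ENDPOINT.get(registry, registry), []).append(image)
    return {h: imgs for h, imgs in sorted(by_host.items()) if not resolver(h)}

if __name__ == "__main__":
    for host, imgs in images_without_ipv6(IMAGES).items():
        print(f"{host}: no AAAA record")
        for img in imgs:
            print(f"  {img}")
```

The check covers only the registry host itself; layer downloads that a registry redirects to another host are not resolved here.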

note to self - for docker.io we might be able to use mirror.gcr.io (configuration see https://www.talos.dev/v1.2/reference/configuration/#registrymirrorconfig and https://www.talos.dev/v1.2/advanced/air-gapped/#closing-notes)

another option might be to use a NAT64 gateway, maybe in combination with dns64, see https://developers.google.com/speed/public-dns/docs/dns64

jlgeering Sep 18 '22 19:09

as a temp workaround, I switched to using https://nat64.net/

jlgeering Sep 18 '22 19:09

I wonder if you could raise this issue with GitHub itself?

I fully agree it should be IPv6-available, but we can't do much on our side. Mirroring is something we could certainly do.

smira Sep 19 '22 11:09

looks like I forgot to include a link to the github issue I found: https://github.com/community/community/discussions/10539

=> basically, github doesn't seem to be in a hurry to make ipv6 work across their whole infra (to put it mildly)

jlgeering Sep 19 '22 11:09

Maybe this helps. But you need to push all images to docker-hub... Unfortunately, many SaaS do not support IPv6.

  registries:
    mirrors:
      k8s.gcr.io:
        endpoints:
          - https://registry.k8s.io
          - https://k8s.gcr.io
      docker.io:
        endpoints:
          - https://registry.ipv6.docker.com
          - https://registry-1.docker.io

sergelogvinov Sep 19 '22 15:09

This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.

github-actions[bot] Jul 04 '24 01:07

This issue was closed because it has been stalled for 7 days with no activity.

github-actions[bot] Jul 09 '24 01:07