Adding IPv6 network support to docker daemon #8947
Hi @MalteJ - this looks good to me - much more comprehensive than my patch (support for both IPv4 & IPv6 at the same time, whereas I was going to do that patch-by-patch). The big thing that isn't in this patch seems to be the iptables stuff (which is mostly just because you have to use "ip6tables" for IPv6 tables). Do you want to incorporate that into this patch, or shall we try to land them separately? Also, I skip the first IPv6 IP in the ip allocator, whereas you deliberately didn't. Are you OK with skipping the first IPv6?
@justinsb thank you! Why do you want to skip the first IP in the range? Is it used by your gateway?
The additional container IPv6 implementation can be found at https://github.com/MalteJ/docker/commits/ipv6-container Best,
71144ea to df610a3
If I assign an IPv6 range to the bridge, I will typically use ::1 for the bridge IP. But I am then happy for the first docker instance to be ::2. (At least I don't know of a reason why not.) If we don't skip the first one then I have to specify both --bip and --fixed-cidr (and I lose some of the bip range because fixed-cidr has to be a subnet). Does this make sense? Am I missing something?
I'm not sure either... @jfrazelle ?
I just don't assign a global IPv6 to the bridge. In the container I am using the bridge's link-local address as gateway. @jfrazelle recommended to push the container IPv6 into this PR as a separate commit.
Ohh, looks like the last commit has broken some tests.
You should be able to test it anyway.
and create a container
and on the docker host
let me make sure the build server has ipv6 support
I suspect the tests fail because there is something wrong with the code or the tests.
hmm ya looks like it's failing creating the bridge, same for me locally as well, and both the build server and my host have ipv6 support
@@ -58,6 +59,9 @@ func TestAllocatePortDetection(t *testing.T) { | |||
|
|||
// Init driver | |||
job := eng.Job("initdriver") | |||
job.Stderr.Add(os.Stderr) | |||
job.Stdout.Add(os.Stdout) | |||
job.SetenvBool("EnableIPv6", true) |
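Review bot: setting EnableIPv6 to true unconditionally in the initdriver job of TestAllocatePortDetection means this test no longer exercises the IPv4-only initialization and now depends on the build host having working IPv6. Keep this test on the default and cover IPv6 in a separate test that is skipped when the host lacks IPv6, so a bridge setup failure does not hide a port-allocation regression.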
we should probably have a test with and a test without, also this is the test that is failing
I have reverted to the original test. I have added further documentation.
I tried to run this implementation on Digital Ocean but their IPv6 networking does not fit my approach. On Digital Ocean you use a part (16 addresses / 4 bits) of a /64 network. But this part of the /64 network is not a subnet. You are just allowed to use those 16 IPs. This means you are expected to respond to NDP neighbor solicitation requests for those 16 IPs. There is no route set up that uses your VM as a gateway for this subnet. The result: My approach does not work on DigitalOcean. What do you think about this? There is a German IaaS provider (www.jiffybox.de) that gives you a /56 subnet for your VM. Here everything works fine.
This said, I think I have forgotten to implement adding the route to the fixed-cidr-v6 on the docker host machine.
Hi @MalteJ - let's coordinate a plan here: I'm happy to merge my patch into yours - I guess I should propose a patch on your repo with my ip6tables changes. Does that sound good to you? I have an OVH box which has a /64 which I can try this out on. I've also been trying this on EC2 using protocol 41. I have a busy day, but hopefully I can get to this tonight. Does that work?
@justinsb sounds great! :)
ping @skottler do you think digital ocean will be supporting this soon?
Yup, looks like digitalocean's IPv6 support is incomplete. Maybe something @progrium is interested in as well and could help to fix :)
Hi @LK4D4 I have merged the current master to this PR and resolved the conflicts. Hopefully the tests are still green. @SvenDowideit yeah, I haven't thought of this until now.
// Enable IPv6 on the bridge | ||
procFile := "/proc/sys/net/ipv6/conf/" + iface.Name + "/disable_ipv6" | ||
if err := ioutil.WriteFile(procFile, []byte{'0', '\n'}, 0644); err != nil { | ||
return fmt.Errorf("Unable to enable IPv6 addresses on bridge: %s\n", err) |
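Review bot: the message on the fmt.Errorf line starts with a capital letter and ends in "\n", which reads badly once a caller wraps or logs it; Go error strings are conventionally lowercase with no trailing newline, for example "unable to enable IPv6 on bridge %s: %s" with iface.Name included so the operator can see which interface failed. The procFile path is also built by string concatenation from iface.Name; filepath.Join would make the intent explicit.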
Should output start with a lower case character?
don't know!? should it?
OK, I have tweaked the docs a bit to give some info about the accept_ra issue.
I tried also to run tests with daemon
@@ -55,9 +57,11 @@ func (config *Config) InstallFlags() { | |||
flag.BoolVar(&config.EnableIptables, []string{"#iptables", "-iptables"}, true, "Enable Docker's addition of iptables rules") | |||
flag.BoolVar(&config.EnableIpForward, []string{"#ip-forward", "-ip-forward"}, true, "Enable net.ipv4.ip_forward") |
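Review bot: the help text on the -ip-forward line still names only net.ipv4.ip_forward. If this change makes the flag control IPv6 forwarding as well, the description should name every sysctl it sets, because an operator reading the help output would otherwise not expect the host to start forwarding IPv6 traffic.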
This is now doing not only this.
I can add an ipv6 server into our jenkins matrix as well :)
Thanks @MalteJ ❤️ I think the information you've added would give me the appropriate warning (and information) I'd need before I jumped into this head-first. 👍
@@ -75,6 +76,7 @@ expect an integer, and they can only be specified once. | |||
--ip-forward=true Enable net.ipv4.ip_forward |
Here too pls :)
done
4232dd2 to 50ddcf1
Signed-off-by: Malte Janduda <mail@janduda.net>
OK, merged, rebased and it's green again :)
LGTM
Adding IPv6 network support to docker daemon
🎉 awesome work @MalteJ !
Great to see this PR getting merged. Thanks to all who participated!
👍 🎉
|
||
hw[0] ^= 0x2 | ||
|
||
return fmt.Sprintf("fe80::%x%x:%xff:fe%x:%x%x/64", hw[0], hw[1], hw[2], hw[3], hw[4], hw[5]), nil |
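Review bot: the %x verbs on the fmt.Sprintf line have no width, so any byte below 0x10 is written as a single hex digit and the byte boundaries inside each 16-bit group are lost; different hardware addresses can then produce the same link-local address, and groups such as "fe%x" come out with the wrong value. Use %02x for all six bytes so each group is always four hex digits.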
Probable source of the problem #13211: "%x%x" with (0x1,0x2) will return the same ipv6 as (0x0,0x12)
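The collision described in the comment above, reproduced as an added example that is not code from the pull request: it runs the quoted format string next to a zero-padded variant. The two MAC addresses are constructed sample values, and the names flipUL, linkLocalUnpadded, linkLocalPadded and sameAddress are hypothetical helpers.

```go
package main

import (
	"fmt"
	"net"
)

// flipUL copies a 48-bit MAC and flips the universal/local bit,
// the same hw[0] ^= 0x2 step shown in the hunk.
func flipUL(mac net.HardwareAddr) (net.HardwareAddr, error) {
	if len(mac) != 6 {
		return nil, fmt.Errorf("need a 48-bit MAC, got %d bytes", len(mac))
	}
	hw := append(net.HardwareAddr(nil), mac...)
	hw[0] ^= 0x2
	return hw, nil
}

// linkLocalUnpadded uses the format string from the hunk: %x drops the
// leading zero of any byte below 0x10.
func linkLocalUnpadded(hw net.HardwareAddr) string {
	return fmt.Sprintf("fe80::%x%x:%xff:fe%x:%x%x/64", hw[0], hw[1], hw[2], hw[3], hw[4], hw[5])
}

// linkLocalPadded writes every byte as exactly two hex digits.
func linkLocalPadded(hw net.HardwareAddr) string {
	return fmt.Sprintf("fe80::%02x%02x:%02xff:fe%02x:%02x%02x/64", hw[0], hw[1], hw[2], hw[3], hw[4], hw[5])
}

// sameAddress reports whether two CIDR strings parse to the same IPv6 address.
func sameAddress(a, b string) bool {
	ipA, _, errA := net.ParseCIDR(a)
	ipB, _, errB := net.ParseCIDR(b)
	return errA == nil && errB == nil && ipA.Equal(ipB)
}

func main() {
	// Constructed sample MACs that differ only in their last two bytes.
	a, _ := net.ParseMAC("02:42:ac:11:01:23")
	b, _ := net.ParseMAC("02:42:ac:11:12:03")
	ha, _ := flipUL(a)
	hb, _ := flipUL(b)
	fmt.Println("unpadded:", linkLocalUnpadded(ha), linkLocalUnpadded(hb),
		"collide:", sameAddress(linkLocalUnpadded(ha), linkLocalUnpadded(hb)))
	fmt.Println("padded:  ", linkLocalPadded(ha), linkLocalPadded(hb),
		"collide:", sameAddress(linkLocalPadded(ha), linkLocalPadded(hb)))
}
```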
It looks like you guys were planning to merge ip6tables changes with this pull request but it never happened. Why didn't it happen and can we merge the ip6tables pull request now? #8896
@justinsb Why didn't your ip6tables patch get merged in with this?
This PR adds IPv6 support to the docker daemon.
Features:
--ipv6 and --fixed-cidr-v6
fe80::1/64. This IP will be used by the containers as gateway.
Missing:
Test and Documentation.
Follow-up PR for enabling the container to use IPv6. (I have the code but still have to clean it up a bit and create a PR).
I wanted to add them but #8896 popped up and I thought it would be a good idea to provide my code so we can compare and pick the best of both.
Update 2014-11-04