Skip to content

Don't configure IPv6 addr/gw when IPv6 disabled.#47521

Merged
vvoland merged 1 commit intomoby:masterfrom
robmry:no_ipv6_addr_when_ipv6_disabled
Mar 7, 2024
Merged

Don't configure IPv6 addr/gw when IPv6 disabled.#47521
vvoland merged 1 commit intomoby:masterfrom
robmry:no_ipv6_addr_when_ipv6_disabled

Conversation

@robmry
Copy link
Contributor

@robmry robmry commented Mar 6, 2024
edited
Loading

- What I did

In 25.x, a container started with --sysctl=net.ipv6.conf.all.disable_ipv6=1 did not end up with IPv6 addresses on its interfaces.

#47062 delays setup of network interfaces until after the OS sandbox has been created, so that the container can be inspected for a ::1 interface (initially, in order to exclude IPv6 entries from /etc/hosts). So, interfaces were previously configured after the runtime has applied the sysctl setting, now they're configured afterwards.

Until #47406 makes it in, IPv6 addresses are still allocated if a container is connected to an IPv6 network. The code that adds an IPv6 address also enables IPv6 on the interface.

That didn't matter when it happened before the runtime applied the sysctl to disable IPv6, now it does.

- How I did it

Don't add an IPv6 address or gateway to a container that's got IPv6 disabled.

- How to verify it

New integration test, without this change it fails with ...

=== RUN   TestDisableIPv6Addrs/IPv6_disabled
    bridge_test.go:659: assertion failed:
        --- inet6
        +++ →
          []string{
        - 	"inet6 fda0:ef3d:6430:abcd::2",
        - 	"inet6 fe80::42:acff:fe18:2",
          }

- Description for the changelog

Do not attempt to configure an IPv6 address or gateway in a container that's got IPv6 disabled.

@robmry robmry self-assigned this Mar 6, 2024
@robmry robmry added area/networking Networking kind/bugfix PR's that fix bugs area/networking/ipv6 Networking labels Mar 6, 2024
@robmry
Don't configure IPv6 addr/gw when IPv6 disabled.
ef5295c 
When IPv6 is disabled in a container by, for example, using the --sysctl
option - an IPv6 address/gateway is still allocated. Don't attempt to
apply that config because doing so enables IPv6 on the interface.

Signed-off-by: Rob Murray <[email protected]>
@robmry robmry force-pushed the no_ipv6_addr_when_ipv6_disabled branch from 5a6c7cc to ef5295c Compare March 6, 2024 18:33
@robmry robmry requested review from akerouanton and corhere March 6, 2024 18:53
@robmry robmry marked this pull request as ready for review March 6, 2024 18:53
@vvoland vvoland added this to the 26.0.0 milestone Mar 7, 2024
@vvoland vvoland merged commit 66adfc7 into moby:master Mar 7, 2024
@thaJeztah thaJeztah mentioned this pull request Mar 25, 2024
Merged
@robmry robmry mentioned this pull request Mar 27, 2024
Merged
@robmry robmry deleted the no_ipv6_addr_when_ipv6_disabled branch March 27, 2024 16:33
@vvoland vvoland mentioned this pull request Mar 28, 2024
Merged
@austinvazquez austinvazquez mentioned this pull request Aug 11, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@corhere corhere corhere approved these changes

@vvoland vvoland vvoland approved these changes

@akerouanton akerouanton Awaiting requested review from akerouanton

Assignees

@robmry robmry

Labels

area/networking/ipv6 Networking area/networking Networking kind/bugfix PR's that fix bugs

Projects

None yet

Milestone

26.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@robmry @corhere @vvoland