Ignore kernel-assigned LL addrs when selecting "bip6"

robmry · robmry · commit 56eb47c622b8 · 2024-12-04T18:19:41.000Z
Commit facb232 aligned the way the default bridge's IPv6 subnet and gateway addresses are selected with IPv4. Part of that involved looking at addresses already on the bridge, along with daemon config options. But, for IPv6, the kernel will assign a link-local address to the bridge. Make sure that address is ignored when selecting "bip6" when it's not explicitly specified. This is made slightly complicated because we allow fixed-cidr-v6 to be a link-local subnet (either the standard "fe80::/64", or any other non-overlapping LL subnet in "fe80::/10"). Following this change, if fixed-cidr-v6 is (or is included by) "fe80::/64", the bridge's kernel-assigned LL address may be used as the network's gateway address - even though it may also get an IPAM-assigned LL address. Signed-off-by: Rob Murray <rob.murray@docker.com>
diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
@@ -12,6 +12,7 @@ import (
 	"path/filepath"
 	"runtime"
 	"runtime/debug"
+	"slices"
 	"strconv"
 	"strings"
 	"sync"
@@ -1190,6 +1191,15 @@ func selectBIP(
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "list bridge addresses failed")
 	}
+	// For IPv6, ignore the kernel-assigned link-local address. Remove all
+	// link-local addresses, unless fixed-cidr-v6 has the standard link-local
+	// prefix. (If fixed-cidr-v6 is the standard LL prefix, the kernel-assigned
+	// address is likely to be used instead of an IPAM assigned address.)
+	if family == netlink.FAMILY_V6 && (fCidrIP == nil || !isStandardLL(fCidrIP)) {
+		bridgeNws = slices.DeleteFunc(bridgeNws, func(nlAddr netlink.Addr) bool {
+			return isStandardLL(nlAddr.IP)
+		})
+	}
 	if len(bridgeNws) > 0 {
 		// Pick any address from the bridge as a starting point.
 		nw := bridgeNws[0].IPNet
@@ -1238,6 +1248,16 @@ func selectBIP(
 	return bIP, bIPNet, nil
 }
 
+// isStandardLL returns true if ip is in fe80::/64 (the link local prefix is fe80::/10,
+// but only fe80::/64 is normally used - however, it's possible to ask IPAM for a
+// link-local subnet that's outside that range).
+func isStandardLL(ip net.IP) bool {
+	if ip == nil {
+		return false
+	}
+	return ip.Mask(net.CIDRMask(64, 128)).Equal(net.ParseIP("fe80::"))
+}
+
 // Remove default bridge interface if present (--bridge=none use case)
 func removeDefaultBridgeInterface() {
 	if lnk, err := nlwrap.LinkByName(bridge.DefaultBridgeName); err == nil {
diff --git a/integration/daemon/daemon_linux_test.go b/integration/daemon/daemon_linux_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"net"
 	"net/netip"
+	"slices"
 	"testing"
 
 	"github.com/docker/docker/api/types/network"
@@ -14,6 +15,7 @@ import (
 	"github.com/vishvananda/netlink"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
+	"gotest.tools/v3/poll"
 	"gotest.tools/v3/skip"
 )
 
@@ -111,6 +113,29 @@ func TestDaemonDefaultBridgeIPAM_Docker0(t *testing.T) {
 				{Subnet: "fdd1:8161:2d2c::/56", IPRange: "fdd1:8161:2d2c::/64", Gateway: "fdd1:8161:2d2c::8888"},
 			},
 		},
+		{
+			name: "link-local fixed-cidr-v6",
+			daemonArgs: []string{
+				"--fixed-cidr", "192.168.176.0/24",
+				"--fixed-cidr-v6", "fe80::/64",
+			},
+			expIPAMConfig: []network.IPAMConfig{
+				{Subnet: "192.168.176.0/24", IPRange: "192.168.176.0/24"},
+				{Subnet: "fe80::/64", IPRange: "fe80::/64", Gateway: llGwPlaceholder},
+			},
+		},
+		{
+			name:               "nonstandard link-local fixed-cidr-v6",
+			initialBridgeAddrs: []string{"192.168.176.88/20", "fe80:1234::88/56"},
+			daemonArgs: []string{
+				"--fixed-cidr", "192.168.176.0/24",
+				"--fixed-cidr-v6", "fe80:1234::/64",
+			},
+			expIPAMConfig: []network.IPAMConfig{
+				{Subnet: "192.168.176.0/20", IPRange: "192.168.176.0/24", Gateway: "192.168.176.88"},
+				{Subnet: "fe80:1234::/56", IPRange: "fe80:1234::/64", Gateway: "fe80:1234::88"},
+			},
+		},
 		{
 			name:               "fixed-cidr within old bridge subnet with new bip",
 			initialBridgeAddrs: []string{"192.168.176.88/20", "fdd1:8161:2d2c::/56"},
@@ -233,6 +258,30 @@ func TestDaemonDefaultBridgeIPAM_UserBr(t *testing.T) {
 				{Subnet: "fdd1:8161:2d2c:10::/60", IPRange: "fdd1:8161:2d2c:11::/64", Gateway: "fdd1:8161:2d2c:10::8888"},
 			},
 		},
+		{
+			name:               "link-local fixed-cidr-v6",
+			initialBridgeAddrs: []string{"192.168.176.88/20"},
+			daemonArgs: []string{
+				"--fixed-cidr", "192.168.176.0/24",
+				"--fixed-cidr-v6", "fe80::/64",
+			},
+			expIPAMConfig: []network.IPAMConfig{
+				{Subnet: "192.168.176.0/20", IPRange: "192.168.176.0/24", Gateway: "192.168.176.88"},
+				{Subnet: "fe80::/64", IPRange: "fe80::/64", Gateway: llGwPlaceholder},
+			},
+		},
+		{
+			name:               "nonstandard link-local fixed-cidr-v6",
+			initialBridgeAddrs: []string{"192.168.176.88/20", "fe80:1234::88/56"},
+			daemonArgs: []string{
+				"--fixed-cidr", "192.168.176.0/24",
+				"--fixed-cidr-v6", "fe80:1234::/64",
+			},
+			expIPAMConfig: []network.IPAMConfig{
+				{Subnet: "192.168.176.0/20", IPRange: "192.168.176.0/24", Gateway: "192.168.176.88"},
+				{Subnet: "fe80:1234::/56", IPRange: "fe80:1234::/64", Gateway: "fe80:1234::88"},
+			},
+		},
 		{
 			name:               "fixed-cidr bigger than bridge subnet",
 			initialBridgeAddrs: []string{"192.168.176.88/24"},
@@ -310,6 +359,11 @@ func TestDaemonDefaultBridgeIPAM_UserBr(t *testing.T) {
 	}
 }
 
+// llGwPlaceholder can be used as a value for "Gateway" in expected IPAM config,
+// before comparison with actual results it'll be replaced by the kernel assigned
+// link local IPv6 address for the bridge.
+const llGwPlaceholder = "ll-gateway-placeholder"
+
 type defaultBridgeIPAMTestCase struct {
 	name               string
 	bridgeName         string
@@ -333,7 +387,7 @@ func testDefaultBridgeIPAM(ctx context.Context, t *testing.T, tc defaultBridgeIP
 		defer cleanup()
 
 		host.Do(t, func() {
-			createBridge(t, tc.bridgeName, tc.initialBridgeAddrs)
+			llAddr := createBridge(t, tc.bridgeName, tc.initialBridgeAddrs)
 
 			var dArgs []string
 			if !tc.ipv4Only {
@@ -365,7 +419,13 @@ func testDefaultBridgeIPAM(ctx context.Context, t *testing.T, tc defaultBridgeIP
 
 			insp, err := c.NetworkInspect(ctx, network.NetworkBridge, network.InspectOptions{})
 			assert.NilError(t, err)
-			assert.Check(t, is.DeepEqual(insp.IPAM.Config, tc.expIPAMConfig))
+			expIPAMConfig := slices.Clone(tc.expIPAMConfig)
+			for i := range expIPAMConfig {
+				if expIPAMConfig[i].Gateway == llGwPlaceholder {
+					expIPAMConfig[i].Gateway = llAddr.String()
+				}
+			}
+			assert.Check(t, is.DeepEqual(insp.IPAM.Config, expIPAMConfig))
 		})
 	})
 }
@@ -386,7 +446,10 @@ func newHostInL3Seg(t *testing.T, name, ip4, ip6 string) (networking.Host, func(
 	return l3.Hosts[hostname], func() { l3.Destroy(t) }
 }
 
-func createBridge(t *testing.T, ifName string, addrs []string) {
+// createBridge creates a bridge device named ifName, brings it up, waits for
+// the kernel to assign a link-local IPv6 address, assigns addrs, and returns
+// the kernel-assigned LL address.
+func createBridge(t *testing.T, ifName string, addrs []string) net.IP {
 	t.Helper()
 
 	// Get a netlink handle in this netns.
@@ -399,14 +462,35 @@ func createBridge(t *testing.T, ifName string, addrs []string) {
 			Name: ifName,
 		},
 	}
-
 	err = nlh.LinkAdd(link)
 	assert.NilError(t, err)
+
+	// Bring the interface up, and wait for the kernel to assign its link-local
+	// address (to cause maximum confusion - the LL address shouldn't be selected
+	// as "bip6").
+	brLink, err := nlh.LinkByName(ifName)
+	assert.NilError(t, err)
+	err = nlh.LinkSetUp(brLink)
+	assert.NilError(t, err)
+	var llAddr net.IP
+	poll.WaitOn(t, func(t poll.LogT) poll.Result {
+		addrs, err := nlh.AddrList(brLink, netlink.FAMILY_V6)
+		if err != nil {
+			return poll.Error(err)
+		}
+		if len(addrs) == 0 {
+			return poll.Continue("no IPv6 addresses")
+		}
+		llAddr = addrs[0].IP
+		return poll.Success()
+	})
+
 	for _, addr := range addrs {
 		ip, ipNet, err := net.ParseCIDR(addr)
 		assert.NilError(t, err)
 		ipNet.IP = ip
 		err = nlh.AddrAdd(link, &netlink.Addr{IPNet: ipNet})
 		assert.NilError(t, err)
 	}
+	return llAddr
 }
