Closed dcbw closed 7 years ago
cc @rosenhouse @squaremo @tomdee
Thanks for the summary @dcbw . I can re-work my PR once we have a decision.
@dcbw @steveeJ was wondering if it would make sense to get on a google hangout to decide this?
@dcbw wanted to chime in here, not sure it is the right place. I trust you will guide me otherwise if I should direct this post elsewhere. I work for Comcast and run much of the company's IPv6 related efforts. I was involved in some of our work to add support for IPv6 into OpenStack a while back. Somethings that may need to be considered from our point of view as broad adopter of IPv6 are IPv6 only containers and container networking. Additionally, regarding the IP provisioning process there have been many interesting advancements (some of which we have deployed) that might be worth considering as they pertain to IPv6 addressing and configuration. For example, have we looked at the use of IPv6 router advertisements for the assignment of addresses, prefixes, and configuration information in lieu or in addition to the use of DHCPv6?
I will pause here to see if I should direct these posts elsewhere. I am very much interested in contributing to the advancement of IPv6 support for containers, container networking, and Kubernetes.
Any idea when IPv6 support is targetted for CNI?
Please prioritize this. Nowadays IPv6 support is becoming common among the providers (like aws, scaleway, Hetzner, Online.net). Our company is becoming IPv6 only network for internal traffic due to easiness of doing cross cloud setup securely. (For example, as on aws, globally routable IPv6 range can be configured on VPC level. This makes easy to do cross providers setup securely as we already know ip6 address range for any machine on that VPC. It especially helps for autoscaling).
@rahulwa this is certainly next on the list. Part of the process is gathering use cases. Some questions for you (and anyone else who would like to chime in):
@squeed The immediate use cases for us is currently:
@squeed: We need this ASAP as well.
Poor Man's Dual-Stack:
Depending on distro, Linux is set to use IPv6 out of the box; else we set it up:
$ sudo ip link add name ds-example type bridge
$ sudo ip link show ds-example
107: ds-example: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 32:f1:e7:03:d4:9f brd ff:ff:ff:ff:ff:ff
$ sudo ip addr add 192.168.0.1/24 dev ds-example
$ sudo ip addr show ds-example
107: ds-example: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether 32:f1:e7:03:d4:9f brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 scope global ds-example
valid_lft forever preferred_lft forever
inet6 fe80::30f1:e7ff:fe03:d49f/64 scope link tentative
valid_lft forever preferred_lft forever
$
Based on the HW Addr at link creation time, I now have a Link Local Address. SLAAC will also create an address (not shown above) based off the same HW Addr as soon as the prefix is advertised.
We use SLAAC since CNI currently doesn't let us "statically" create an IPv6 address. To reach the router, either the physical link is added to the Linux bridge (macvlan doesn't need this step) or we run a radvd container that just advertises /64 to the CNI network.
As shown, we need to create IPv4 address for this. Just being able to create IPv6 "interface" such that LL and SLAAC can kick in would be a start.
Having Static IPv6 per interface is a must. Ideally, we can statically configure multiple addresses. For NFV, the static address would be Link Local fe80::1, allowing containers to hard code their default router "default via fe80::1". For the real world, global, ULA or both.
HTH
@squeed Our use cases matched with @radhus on 1 and 3 points. But on point 2, most likely we are going to use DHCP-PD (if i understood correctly), as aws assigns one /64 /128 ipv6 address for each machines. And we are trying to run kubernetes on top of those machines so we need to make further subnets. for readability,
Thanks for the input. I'll be offline for a week; please feel free to continue commenting.
I suspect we'll have to extend the spec to allow multiple IPAM fields.
Separately, I see the use for a SLAAC ipam plugin that does nothing but return the generated IP.
Do you intend to run in a dual-stack environment?
Yes, but single stack ipv6 is more important than dual-stack
How will you allocate addresses to each host?
stateful dhcpv6
Do you expect to run SLAAC?
No
Do you expect to run DHCP-PD?
No
Do you intend to run an overlay network?
No
This has pretty much been done now, and remaining issues are in https://github.com/containernetworking/plugins
There are a number of considerations:
ipam
section. @achanda has done some of the work already.There are a number of PRs open that fix all of these in different ways.
My suggested plan of action on these is to: