
Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

Podman default network doesn't support IPv4/IPv6 dual stack #14768

Open xiaoyar opened 2 years ago

xiaoyar commented 2 years ago

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature /network

Description

Because the 'network.default_subnet' option in containers.conf can only take either an IPv4 CIDR string or an IPv6 CIDR string, the default network can only be either IPv4 only or IPv6 only. On the other hand, other networks created by podman network create can be IPv4 only, IPv6 only, or IPv4/IPv6 dual stack. We may need the default network to support dual stack when the host network is dual stack. Is it possible to make the default network also support IPv4/IPv6 dual stack?

Steps to reproduce the issue:

It's the default network; the behavior can be observed by default.

Describe the results you received:

Describe the results you expected: e.g. some possible approaches

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Client:       Podman Engine
Version:      4.2.0-dev
API Version:  4.2.0-dev
Go Version:   go1.17.7
Git Commit:   653e87dd4c6103e91724e5aa6afa4c78c2ae1922
Built:        Tue Jun 28 22:26:10 2022
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.27.0-dev
  cgroupControllers:
  - cpuset
  - cpu
  - cpuacct
  - blkio
  - memory
  - devices
  - freezer
  - net_cls
  - perf_event
  - net_prio
  - hugetlb
  - pids
  - rdma
  cgroupManager: systemd
  cgroupVersion: v1
  conmon:
    package: conmon-2.1.2-2.el8.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.2, commit: '
  cpuUtilization:
    idlePercent: 99.88
    systemPercent: 0.05
    userPercent: 0.07
  cpus: 4
  distribution:
    distribution: '"rocky"'
    version: "8.6"
  eventLogger: journald
  hostname: vrarocky3523.rsv.ven.veritas.com
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 4.18.0-372.9.1.el8.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 7421812736
  memTotal: 8140427264
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.4.5-1.el8.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.4.5
      commit: c381048530aa750495cf502ddb7181f2ded5b400
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /bin/slirp4netns
    package: slirp4netns-1.1.8-2.el8.x86_64
    version: |-
      slirp4netns version 1.1.8
      commit: d361001f495417b880f20329121e3aa431a8f90f
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 1h 44m 56.00s (Approximately 0.04 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: vfs
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 97658605568
  graphRootUsed: 21218099200
  graphStatus: {}
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.2.0-dev
  Built: 1656473170
  BuiltTime: Tue Jun 28 22:26:10 2022
  GitCommit: 653e87dd4c6103e91724e5aa6afa4c78c2ae1922
  GoVersion: go1.17.7
  Os: linux
  OsArch: linux/amd64
  Version: 4.2.0-dev

Package info (e.g. output of rpm -q podman or apt list podman):

Build with the latest code from Github

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

839735495 commented 2 years ago

Hi @xiaoyar, I also met a similar issue and got a reply from others: https://github.com/containers/podman/issues/14747

For netavark, create a JSON file /etc/containers/networks/podman.json to define the dual stack network. For CNI, create /etc/cni/net.d/podman.conflist.

Maybe there is no cli command for it, we have to change the backend config file.

Hope this can help you

xiaoyar commented 2 years ago

Actually, I am not looking for a workaround, instead I want to confirm if Podman default network can support dual stack in a proper way, e.g. by specifying correct options in containers.conf.

Luap99 commented 2 years ago

This is not a workaround, it is currently the only way to do it. Adding a new default_ipv6_subnet is doable but not sure how much benefit this has. I would like to avoid adding config settings for this when you can just create/edit the actual network config file yourself.

mheon commented 2 years ago

Given we don't actually create the default network as a file anymore, it seems like it could be valuable?

xiaoyar commented 2 years ago

Somehow I still feel it's a workaround, if we use this approach in product code, the code will have to be aware of which network backend is used, that means,

However, if we can specify both IPv4 subnet and IPv6 subnet in containers.conf, the product code can still keep network backend agnostic.

If it's not doable to make it in containers.conf, is it possible to leverage podman network command to customize the default network? e.g. Introduce a new sub command podman network modify or podman network update to edit the existing network?

Luap99 commented 2 years ago

Adding new commands to modify existing networks sounds very hard to support and not something I would recommend anyone to do. If you have running containers on the network things can go bad quickly if you modify it (same if you modify it in containers.conf).

Adding a new default_ipv6_subnet field to containers.conf makes sense, but I do not like adding fields for all settings, e.g. dns.

xiaoyar commented 2 years ago

Okay, let's give up the idea to introduce a new podman network sub command to modify existing networks.

Other than adding a new default_ipv6_subnet option in containers.conf, and besides manually generating/editing the network config file of the default network, is there any other approach to make the default network properly support dual stack?

xiaoyar commented 2 years ago

Is it possible to let podman network create modify the configuration of default network?

That means, when the specified network is the default network, podman network create should modify the configuration of default network, instead of reporting an error like "network already exists".

github-actions[bot] commented 2 years ago

A friendly reminder that this issue had no activity for 30 days.

rhatdan commented 2 years ago

@mheon @Luap99 Could you answer @xiaoyar's question?

baude commented 2 years ago

You would need to delete the default network and just recreate it, I think?

mheon commented 2 years ago

IMO, the answer here is to make default network configuration part of containers.conf (or some other config file). The current situation (manually generating a network config file and editing it) does not seem like a viable long-term solution given its complexity.

xiaoyar commented 2 years ago

@baude

You would need to delete the default network and just recreate it, I think?

The problem is, it's not allowed to delete the default network.

# podman network rm podman
Error: default network podman cannot be removed

@mheon , I totally agree with you, "making default network configuration in containers.conf also support IPv6" is the original purpose of opening this issue ticket. What do you think, @Luap99 ? Do you think it's feasible to go that way?

github-actions[bot] commented 2 years ago

A friendly reminder that this issue had no activity for 30 days.

rhatdan commented 2 years ago

@Luap99 Waiting for an answer from you.

Luap99 commented 2 years ago

As said before I am fine with adding an ipv6 subnet field to containers.conf. What I do not want are fields for every single network setting because that is already possible if you create the config file manually.

mheon commented 2 years ago

Then we really ought to make the process of producing the config file manually either easier, or better documented, because it is a frequent question.

rhatdan commented 2 years ago

Can we ship a configuration file with everything commented out?

xiaoyar commented 2 years ago

Thank you, @rhatdan , @mheon , @Luap99 . So, if I am reading correctly, we are going to introduce a new variable, such as default_subnet6, in containers.conf, so that the default podman network can support pure IPv4(only default_subnet in containers.conf), pure IPv6(only default_subnet6 in containers.conf), and IPv4/IPv6 dual stack(both default_subnet and default_subnet6 in containers.conf)? Do you have ETA for this, in which version of Podman will this be included?

kgfathur commented 2 years ago

Any workaround for this issue? On a system with IPv6 disabled, it causes an issue: we cannot run a container with the default network.

[root@bip-ctrl01-l1-rx ~]# sysctl net.ipv6.conf.all.disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 1
[root@bip-ctrl01-l1-rx ~]#
[root@bip-ctrl01-l1-rx ~]# podman network inspect podman
[
     {
          "name": "podman",
          "id": "2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a1bb9",
          "driver": "bridge",
          "network_interface": "podman0",
          "created": "2022-11-22T23:52:57.188882939+07:00",
          "subnets": [
               {
                    "subnet": "10.255.255.0/24",
                    "gateway": "10.255.255.1"
               },
               {
                    "subnet": "fc00:2222:3333::/64",
                    "gateway": "fc00:2222:3333::1"
               }
          ],
          "ipv6_enabled": true,
          "internal": false,
          "dns_enabled": false,
          "ipam_options": {
               "driver": "host-local"
          }
     }
]
[root@bip-ctrl01-l1-rx ~]#
[root@bip-ctrl01-l1-rx ~]# podman run --rm --detach busybox:latest /bin/sleep 5
Error: netavark: failed to configure bridge and veth interface: failed while configuring network interface: failed to set ip address to podman0: Permission denied (os error 13)
[root@bip-ctrl01-l1-rx ~]#

Luap99 commented 2 years ago

@kgfathur I don't understand what your point is? This issue is about no easy way to enable ipv6 on the default network.

If you manually add ipv6 subnets to your default network then yes it will not work if you disable ipv6 on your host.

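The netavark route described by 839735495 above (hand-writing /etc/containers/networks/podman.json), combined with Luap99's caveat that an IPv6 subnet on the default network breaks container start when the host has IPv6 disabled, as an added worked example that is not part of the issue and not the podman project's own code. It renders a dual-stack config for the default "podman" network using the field layout and fixed network id visible in kgfathur's podman network inspect output, and includes the IPv6 subnet only when the kernel's disable_ipv6 sysctl is 0. The subnets 10.89.0.0/24 and fd00:89::/64 are illustrative, and OUT_DIR defaults to a scratch directory rather than /etc/containers/networks, so it can be run without root.

```shell
#!/bin/sh
# Added example (not from the issue thread or the podman project).
# Renders a netavark config for the default "podman" network, dual stack when
# the host IPv6 stack is enabled, IPv4-only otherwise.

# Fixed id of the default network, as shown by `podman network inspect podman`
# in the thread.
DEFAULT_NET_ID=2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a1bb9

# Illustrative subnets (assumptions, not podman defaults); adjust to taste.
V4_SUBNET=10.89.0.0/24
V4_GW=10.89.0.1
V6_SUBNET=fd00:89::/64
V6_GW=fd00:89::1

# Returns 0 when the kernel IPv6 stack is enabled (disable_ipv6 == 0).
# On a host where this is 1, netavark cannot assign the IPv6 gateway address
# to podman0 and container start fails, so we must not emit an IPv6 subnet.
host_ipv6_enabled() {
    f=/proc/sys/net/ipv6/conf/all/disable_ipv6
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "0" ]
}

# render_default_network V4_SUBNET V4_GW [V6_SUBNET V6_GW]
# Prints the JSON config to stdout. The IPv6 subnet and ipv6_enabled=true are
# emitted only when the IPv6 arguments are given.
render_default_network() {
    v4=$1; v4gw=$2; v6=${3:-}; v6gw=${4:-}
    created=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ -n "$v6" ]; then
        v6_json=$(printf ',\n    { "subnet": "%s", "gateway": "%s" }' "$v6" "$v6gw")
        v6_flag=true
    else
        v6_json=""
        v6_flag=false
    fi
    printf '{\n  "name": "podman",\n  "id": "%s",\n  "driver": "bridge",\n  "network_interface": "podman0",\n  "created": "%s",\n  "subnets": [\n    { "subnet": "%s", "gateway": "%s" }%s\n  ],\n  "ipv6_enabled": %s,\n  "internal": false,\n  "dns_enabled": false,\n  "ipam_options": { "driver": "host-local" }\n}\n' \
        "$DEFAULT_NET_ID" "$created" "$v4" "$v4gw" "$v6_json" "$v6_flag"
}

# Writes podman.json into OUT_DIR (default: a scratch dir; the real location
# for netavark is /etc/containers/networks) and prints the path written.
write_default_network() {
    out_dir=${OUT_DIR:-/tmp/podman-networks-example}
    mkdir -p "$out_dir"
    if host_ipv6_enabled; then
        render_default_network "$V4_SUBNET" "$V4_GW" "$V6_SUBNET" "$V6_GW"
    else
        echo "host IPv6 is disabled; writing an IPv4-only default network" >&2
        render_default_network "$V4_SUBNET" "$V4_GW"
    fi > "$out_dir/podman.json"
    echo "$out_dir/podman.json"
}

# Usage: sh render-default-network.sh --write
# (with OUT_DIR=/etc/containers/networks as root to install it for real)
if [ "${1:-}" = "--write" ]; then
    write_default_network
fi
```

Do this only while no container is attached to the default network: as Luap99 notes above, changing a network's config underneath running containers can go bad quickly. After installing the file, `podman network inspect podman` should show both subnets and `"ipv6_enabled": true`.
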
james-lawrence commented 3 months ago

Honestly, podman should be able to detect the host's network stack and mirror its capabilities by default. This issue is pretty ugly from a usability standpoint.