gotoz / runq

run regular Docker images in KVM/Qemu
Apache License 2.0

Enable IPv6 support in VM when IPv6 address is assigned #12

Closed yoheiueda closed 1 year ago

yoheiueda commented 4 years ago

When we enable IPv6 support in Docker, a runq container fails to start. https://docs.docker.com/config/daemon/ipv6/

# docker run --runtime runq --rm busybox ip addr show eth0
[init(1) 7291815] permission denied
main.setupNetwork
    /runq/cmd/init/network.go:74
main.runInit
    /runq/cmd/init/main.go:140
main.main
    /runq/cmd/init/main.go:48
runtime.main
    /usr/local/go/src/runtime/proc.go:204
runtime.goexit
    /usr/local/go/src/runtime/asm_s390x.s:779

This is because the default sysctl settings defined in cfg.go disable IPv6 support in the VM. https://github.com/gotoz/runq/blob/d013e878cc2f35d23b4e85f5ac60ff9a872f27c4/internal/cfg/cfg.go#L23-L32

To enable IPv6 in runq, we need to explicitly specify the sysctl options as follows.

# docker run --runtime runq --rm --sysctl net.ipv6.conf.all.disable_ipv6=0 --sysctl net.ipv6.conf.default.disable_ipv6=0 busybox ip addr show eth0
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether ee:17:03:1a:3d:1a brd ff:ff:ff:ff:ff:ff
    inet 172.31.0.2/16 brd 172.31.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1::242:ac1f:2/64 scope global flags 02
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe1f:2/64 scope link tentative
       valid_lft forever preferred_lft forever

This behavior is inconvenient when IPv6 is enabled.

This patch enables IPv6 support in runq when the proxy detects an IPv6 address.

pmorjan commented 4 years ago

Thanks @yoheiueda for this PR. Can you please add a simple test case with 2 runq containers talking to each other via IPv6, similar to the existing test case in net.sh?

yoheiueda commented 4 years ago

OK, I will add a test case to net.sh

yoheiueda commented 4 years ago

It turns out that we need to configure macvtap to let it pass multicast packets correctly in order to make IPv6 work.

https://superuser.com/questions/944678/how-to-configure-macvtap-to-let-it-pass-multicast-packet-correctly#1033768

With libvirt, we can enable it by setting trustGuestRxFilters="yes". I need further investigation on how to enable it without libvirt.

I also noticed that we should not copy link-local addresses from host to guest. https://en.wikipedia.org/wiki/Link-local_address#IPv6
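
The two points raised so far (turn the IPv6 sysctls on only when an IPv6 address is detected, and do not copy link-local addresses into the guest) can be sketched as one decision function. This is an added example, not code from the PR or from runq; `guestNetPlan` and `planGuestNet` are hypothetical names, and treating any IPv6 address, link-local included, as the trigger for enabling IPv6 is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"net/netip"
)

// guestNetPlan is a hypothetical type for this example, not a runq type.
type guestNetPlan struct {
	Addrs   []netip.Prefix    // addresses to configure inside the VM
	Sysctls map[string]string // overrides for the IPv6-off defaults
}

// planGuestNet takes the CIDR addresses found on the container interface and
// decides which to copy into the guest and whether IPv6 must be enabled.
func planGuestNet(cidrs []string) (guestNetPlan, error) {
	plan := guestNetPlan{Sysctls: map[string]string{}}
	sawIPv6 := false
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return guestNetPlan{}, fmt.Errorf("bad address %q: %w", c, err)
		}
		a := p.Addr()
		if a.Is6() && !a.Is4In6() {
			sawIPv6 = true
			if a.IsLinkLocalUnicast() {
				// fe80::/10 is only meaningful on its own link; it is not
				// copied, the guest interface derives its own address.
				continue
			}
		}
		plan.Addrs = append(plan.Addrs, p)
	}
	if sawIPv6 {
		// Same keys as the --sysctl workaround shown in the PR description.
		plan.Sysctls["net.ipv6.conf.all.disable_ipv6"] = "0"
		plan.Sysctls["net.ipv6.conf.default.disable_ipv6"] = "0"
	}
	return plan, nil
}

func main() {
	// Constructed sample: the addresses from the `ip addr show eth0` output above.
	plan, err := planGuestNet([]string{
		"172.31.0.2/16", "2001:db8:1::242:ac1f:2/64", "fe80::42:acff:fe1f:2/64"})
	if err != nil {
		panic(err)
	}
	fmt.Println(plan.Addrs, plan.Sysctls)
}
```

An IPv4-only interface yields an empty override map, so the VM keeps the IPv6-disabled defaults in that case.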

pmorjan commented 4 years ago

I did some experiments with multicast in the past. There is a netlink function: https://godoc.org/github.com/vishvananda/netlink#LinkSetAllmulticastOn

yoheiueda commented 1 year ago

Stale PR