New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
macvlan, ipvlan: generate unsolicited ARP/ND advertisements on link up? #47176
Comments
Annoyingly, |
I suspect that the kernel's support for generating unsolicited IPv6 neighbor advertisements is slightly less broken than the IPv4 equivalent. Linux implements Duplicate Address Detection in kernelspace, and when IPv4 Address Conflict Detection (RFC 5227), an extension to ARP, is a very recent development in the IPv4 world. Nobody has bothered to implement it in kernelspace as it can be implemented by a For macvlan, ipvlan and bridge endpoints, I think we should:
Overlay network endpoints would also benefit from unsolicited advertisements, however due to the architecture of the driver it is not possible to successfully perform ACD using ARP or DAD using IPv6-ND. ARP traffic transmitted to the overlay network will reach other containers running on the same node, but not reach any container on any other node. If we want to implement address conflict detection, it will have to be done over the overlay network control plane instead of the data plane. Unsolicited advertisements are just as useful in overlay networks for eagerly updating neighbor table caches, but will have to be "proxied" through the overlay network's control plane to the other nodes. |
Description
We should get the kernel to send unsolicited IPv4 ARP and IPv6 Neighbor Discovery advertisements when bringing up macvlan and ipvlan container links. That would allow (at least) L2 switches to eagerly update their forwarding tables when a container link's MAC address changes, or a container with a static MAC address is rescheduled onto a node connected to a different switch port. Otherwise the containers will be unreachable from the network until the stale forwarding entries expire.
(The following is all speculation as the user has not yet responded.) I suspect that the author of the linked PR is using either the macvlan or ipvlan driver, tried setting the
net.ipv6.conf.all.ndisc_notify
sysctl in the container config and found it to be effective only when the interface's IPv6 address is added with the optimistic DAD option. Optimistic DAD would have worked around the issue of user-specified container sysctls getting applied afterlibnetwork-setkey
by delaying the sending of unsolicited ND advertisements until after the container runtime setsndisc_notify
. The kernel sends an unsolicited ND advertisement whenndisc_notify
is enabled and an address becomes no longer tentative, which happens after duplicate address detection completes. Optimistic DAD likely delays things long enough that the container runtime can win the race to setndisc_notify
before the kernel sets the address as not-tentative most of the time.With #47062 changing the order of operations such that user sysctls are applied before any network links are brought up, users would be able to opt in using
docker run --sysctl net.ipv6.default.ndisc_notify=1
without any workarounds or hacks. However, I posit that users should not have to opt in;net.ipv4.conf.<iface>.arp_notify=1
andnet.ipv6.conf.<iface>.ndisc_notify=1
should be unconditionally set by libnetwork. I cannot think of any downside. Either the unsolicited advertisements are accepted by peers and a restarted/moved/rescheduled container's networking Just Works, or they are ignored and nothing happens differently from today.(cc @psaab)
The text was updated successfully, but these errors were encountered: