Don't configure IPv6 addr/gw when IPv6 disabled. #47521

Merged
merged 1 commit into from
Mar 7, 2024

Conversation

robmry
Contributor

@robmry robmry commented Mar 6, 2024

- What I did

In 25.x, a container started with --sysctl=net.ipv6.conf.all.disable_ipv6=1 did not end up with IPv6 addresses on its interfaces.

#47062 delays setup of network interfaces until after the OS sandbox has been created, so that the container can be inspected for a ::1 interface (initially, in order to exclude IPv6 entries from /etc/hosts). So, interfaces were previously configured after the runtime has applied the sysctl setting, now they're configured afterwards.

Until #47406 makes it in, IPv6 addresses are still allocated if a container is connected to an IPv6 network. The code that adds an IPv6 address also enables IPv6 on the interface.

That didn't matter when it happened before the runtime applied the sysctl to disable IPv6, now it does.

- How I did it

Don't add an IPv6 address or gateway to a container that's got IPv6 disabled.

- How to verify it

New integration test, without this change it fails with ...

=== RUN   TestDisableIPv6Addrs/IPv6_disabled
    bridge_test.go:659: assertion failed:
        --- inet6
        +++ →
          []string{
        - 	"inet6 fda0:ef3d:6430:abcd::2",
        - 	"inet6 fe80::42:acff:fe18:2",
          }

- Description for the changelog

Do not attempt to configure an IPv6 address or gateway in a container that's got IPv6 disabled.
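
One way to express the check described above, as an added example that is not code from this PR or from Moby: read the per-interface `disable_ipv6` sysctl and drop IPv6 prefixes from the allocation before they are applied. The function names, the `procSys` parameter, the IPv4 address and the prefix lengths are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"os"
	"path/filepath"
	"strings"
)

// ipv6Disabled reads <procSys>/net/ipv6/conf/<ifName>/disable_ipv6 (procSys is
// normally "/proc/sys"). A missing file is treated as "IPv6 not available".
func ipv6Disabled(procSys, ifName string) (bool, error) {
	b, err := os.ReadFile(filepath.Join(procSys, "net/ipv6/conf", ifName, "disable_ipv6"))
	if os.IsNotExist(err) {
		return true, nil
	}
	if err != nil {
		return false, err
	}
	return strings.TrimSpace(string(b)) != "0", nil
}

// addrsToApply returns the allocated prefixes that should be configured on
// the interface: IPv6 prefixes are skipped when IPv6 is disabled.
func addrsToApply(allocated []netip.Prefix, v6Disabled bool) []netip.Prefix {
	var out []netip.Prefix
	for _, p := range allocated {
		if v6Disabled && p.Addr().Is6() {
			continue
		}
		out = append(out, p)
	}
	return out
}

func main() {
	// Constructed sample allocation for a dual-stack network.
	alloc := []netip.Prefix{
		netip.MustParsePrefix("172.24.0.2/16"),
		netip.MustParsePrefix("fda0:ef3d:6430:abcd::2/64"),
	}
	off, err := ipv6Disabled("/proc/sys", "eth0")
	fmt.Println("ipv6 disabled:", off, "err:", err, "apply:", addrsToApply(alloc, off))
}
```
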

@robmry robmry self-assigned this Mar 6, 2024
@robmry robmry added area/networking kind/bugfix PR's that fix bugs area/networking/ipv6 Issues related to ipv6 labels Mar 6, 2024
When IPv6 is disabled in a container by, for example, using the --sysctl
option - an IPv6 address/gateway is still allocated. Don't attempt to
apply that config because doing so enables IPv6 on the interface.

Signed-off-by: Rob Murray <rob.murray@docker.com>
@robmry robmry force-pushed the no_ipv6_addr_when_ipv6_disabled branch from 5a6c7cc to ef5295c Compare March 6, 2024 18:33
@robmry robmry marked this pull request as ready for review March 6, 2024 18:53
@vvoland vvoland added this to the 26.0.0 milestone Mar 7, 2024
@vvoland vvoland merged commit 66adfc7 into moby:master Mar 7, 2024
127 of 128 checks passed
@robmry robmry deleted the no_ipv6_addr_when_ipv6_disabled branch March 27, 2024 16:33