WIP: IPv6 support

[guillaumerose]

This PR adds IPv6 support. I still need to refactor some code esp. the 2 hacks needed.

At least, we have something working!

[openshift-ci]

@guillaumerose: PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rhatdan]

@guillaumerose Are you still working on this?

[guillaumerose]

No, not anymore but it was working fine. A user tested it also with success.

[rhatdan]

Care to update it?
@gbraad @baude PTAL

[gbraad]

I do not see a compelling benefit for our VM setup.

---

The rebase is quite trivial, but we do not have much time on our end to experiment with this. as mentioned it is not a compelling change for us. OpenShift has to run in a dual stack setup and has to use OVN-Kubernetes cluster network provider, which in our tests consumes a lot more resources (which causes the current defaults to be insufficient).

[praveenkumar]

It need rebase and also WIP so better someone who have bit info around ipv6 test/review it.

[ghost]

@gbraad the value is that this would just prepare the codebase for the future. ipv4 is a relic of the past that's on life support because it's "good enough" right now while companies struggle to get subnet assignments.

[gbraad]

I understand, but there is no one on my team who can reserve time for this in the coming weeks. As this is not something we can use now. It will actually adversely affect us if we fully support this. Our prio is on filesharing to running on Arm/M1.

Note: routes are exposed on the local machine for crc. The internal network (vm) is mostly abstracted from the user. This is why the benefits arent as big on our end.

The only requests we received were around 'testing' and 'getting experience', though our primary usecase is for development of applications running on the cluster.

---

Added to sprint 223 of CRC; but can't promise we will work on this.

[gbraad]

It need rebase and also WIP so better someone who have bit info around ipv6 test/review it.

The 'hacks' remains a commit without clear definition what made them called as such.

[ghost]

It's definitely nowhere near urgent to get this rolled out. In December, I could put some effort into this. This was something I tried working on last year, but I ran out of time last year.

[gbraad]

We prioritized this as part of the crc Podman bundle. Definitely will happen before December. Might ask you for testing/confirmation. After my PTO have to reinstall my router and switch anyway due to a mistake so will make Ipv6 a priority 😝.

[ghost]

Might ask you for testing/confirmation.

Definitely happy to help out with that. Even though I left Red Hat earlier this year, I still have a vested personal interest in tools like gvproxy.

[gbraad]

I still have a vested personal interest in tools like gvproxy.

What are you using it for?

[ghost]

Been working on using Apple's virtualization framework in place of QEMU for some stability + performance gains to be had with the virtiofs support. Qemu hasn't been very fun since upgrading to the M1 in my experience, but I have a desire to continue using podman over Docker Desktop.

Also have a code base that I'll be revisiting from last December where I began working on a re-write for gvproxy. It's not exactly secure, because of the access to 192.168.127.1 inside of containers.

[gbraad]

@protosam We have a driver for this, vfkit that uses vz. However we recently had to fork this driver as the upstream owner is not very helpful: crc-org/crc#3362 it might be an idea to talk to @cfergeau.

[ghost]

@gbraad Will follow up in that issue. I'm open to contributing on an eco-system around the vz code base, because I'm already using it.

[cfergeau]

I've rebased this branch in https://github.com/cfergeau/gvisor-tap-vsock/tree/ipv6 it builds but I haven't tested it.

[balajiv113]

Any plans for this feature ??

I tried this patch with latest but facing issues not able to resolve it 😕

[cfergeau]

Feature is planned, but very low priority at the moment :-/

[sanmai-NL]

@cfergeau Why is it low priority? IPv6 is very essential and basic on nowadays' Internet?

[gbraad]

@sanmai-NL The nowadays internet is still mostly IPv4 based. As an example, GitHub does not even have an IPv6 address, so it means you have to run a hybrid stack (or proxy).

Since we have to prioritize tasks to work on, we have decided first to resolve the virtualization of Podman Machine on macOS and moving to vfkit (instead of Qemu); we experienced issues with qemu+virtio. After this we will first refactor the codebase and improve the buffers. IPv6 will happen at some point, just need to be more strategic. Hope you understand.

Do you have a specific usecase that otherwise will not work?

[max06]

Do you have a specific usecase that otherwise will not work?

Our company network is IPv6 only. Which makes pulling from our internal registry impossible using Podman Desktop (and Docker Desktop) on mac. Just found out the hard way.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: guillaumerose
Once this PR has been reviewed and has the lgtm label, please assign evidolob for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cfergeau]

I’ve force pushed @karta0807913 to the ipv62 branch this PR was opened for.
This will make the improved/up to date code more visible. I’ve slightly split/reordered the commits in @karta0807913’s branch.

[vyasgun]

Tested on macOS with vfkit. Verified IPv6 is working as expected:

[fedora@vfkit-vm-2 ~]$ ip -6 addr show dev enp0s1
2: enp0s1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    altname enx5a94efe40cee
    inet6 fd00::2/128 scope global dynamic noprefixroute
       valid_lft 28572sec preferred_lft 14172sec
    inet6 fd00::5894:efff:fee4:cee/64 scope global dynamic noprefixroute
       valid_lft 86171sec preferred_lft 14171sec
    inet6 fe80::5894:efff:fee4:cee/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
[fedora@vfkit-vm-2 ~]$ ip -6 route show default
default via fe80::1 dev enp0s1 proto ra metric 100 pref medium
[fedora@vfkit-vm-2 ~]$ ping6 -c 2 fd00::1
PING fd00::1 (fd00::1) 56 data bytes
64 bytes from fd00::1: icmp_seq=1 ttl=64 time=0.329 ms
64 bytes from fd00::1: icmp_seq=2 ttl=64 time=0.349 ms

--- fd00::1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1036ms
rtt min/avg/max/mdev = 0.329/0.339/0.349/0.010 ms

[karta0807913]

Hello @cfergeau. I believe I've removed all the hacks from the original branch.
For my understanding, the hacks include:

Hardcoded IPv6 host address:

https://github.com/guillaumerose/gvisor-tap-vsock/blob/ad3efa432587e6c2bdf370a3fd5cf793bca1f4e4/pkg/tap/link.go#L133-L142
I simply changed this to a configurable IP:
https://github.com/guillaumerose/gvisor-tap-vsock/blob/26f60ee15b615778df4a97ad1c5396d8caeb1797/pkg/tap/link.go#L137-L146

No IPv6 neighbor discovery, only internet access was possible

So, I added the entire IPv6 component stack, including:

1. DHCPv6
2. DNS (including IPv4 address conversion)
3. RA (Force it to use DHCPv6)

P.S. Please help me re-push the branch. I used my work email to commit accidentally.

[cfergeau]

P.S. Please help me re-push the branch. I used my work email to commit accidentally.

@karta0807913 This should now be all good, I’ve used "karta0807913" and your gmail address in all commits. Let me know if I missed some places.
I’ve picked up your latest change and added them to this PR, the history is different in this branch and yours, but the content is the same, except for a go module difference which you can solve on your end with go mod tidy && go mod vendor.

We’ll need Signed-off-by on the commits that you made though, https://github.com/containers/gvisor-tap-vsock/pull/59/checks?check_run_id=62962141326 has some details, can you add this?

[karta0807913]

We’ll need Signed-off-by on the commits that you made though, https://github.com/containers/gvisor-tap-vsock/pull/59/checks?check_run_id=62962141326 has some details, can you add this?

thanks @cfergeau. I have updated my ipv6 branch and fixed the unit test errors.

Also, I think some of the lint errors can be ignored. For example, pkg/tap/switch.go:313:15: G115: integer overflow conversion int -> uint8 (gosec) is a false positive because the size of IP.Mask won't exceed 255. What do you think? Can I ignore them?

[cfergeau]

Also, I think some of the lint errors can be ignored. For example, pkg/tap/switch.go:313:15: G115: integer overflow conversion int -> uint8 (gosec) is a false positive because the size of IP.Mask won't exceed 255. What do you think? Can I ignore them?

You could add a //nolint annotation with a comment that it’s a false positive and won’t exceed 255.
An alternative is to add a size check

if prefixLen < 0 || prefixLen > math.MaxUint8 {
	log.Error(err)
} 

[cfergeau]

https://pkg.go.dev/net/netip#Addr seems to offer similar features?

[cfergeau]

Would using https://pkg.go.dev/net/netip#Prefix instead of net.IPNet make this code simpler?

[cfergeau]

https://djosephsen.github.io/posts/ipnet/ gives some details about these different APIs

[karta0807913]

all done. :)

P.S. i cannot push on branch guillaumerose:ipv62. so i update on my branch

[arikon]

@guillaumerose @cfergeau @karta0807913 @vyasgun Thank you for your work on this PR!

I tried to use gvproxy from @karta0807913 branch with podman on Apple Silicon M3 MacBook Pro, and want to share results with you.

Steps to reproduce:

1. Build gvproxy from this repo/branch: https://github.com/karta0807913/gvisor-tap-vsock/tree/ipv6
2. Replace gvproxy in podman directory, installed using brew install podman here: /opt/homebrew/Cellar/podman/5.7.1/libexec/podman/gvproxy
3. On podman VM (podman machine ssh): tcpdump -ni enp0s1 icmp6
4. On another ssh session of podman VM (podman machine ssh): curl -6 -vk --connect-timeout 5 https://[2a02:6b8:0:3400:0:7ff3:0:2]/ (IP here is IPv6-only host)

So to results:

tcpdump output:

# sudo tcpdump -ni enp0s1 -vv icmp6
dropped privs to tcpdump
tcpdump: listening on enp0s1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:51:49.239918 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fd00::2 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:51:50.286313 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fd00::2 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:51:51.311262 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fd00::2 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:52:50.018201 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fd00::2 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:52:51.024624 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fd00::2 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:52:52.046314 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fd00::2 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:53:53.420391 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fe80::fb99:872d:7a83:dec6 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:54:53.148541 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fd00::2 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:54:54.158798 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fd00::2 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:54:55.182480 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fd00::2 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:55:58.696527 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fe80::fb99:872d:7a83:dec6 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:56:17.490925 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fd00::2 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:56:18.510259 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fd00::2 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:56:19.536668 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fd00::2 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:56:43.562896 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) 2a02:6b8:0:3400:0:7ff3:0:2 > fe80::fb99:872d:7a83:dec6: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::fb99:872d:7a83:dec6
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:dd
	    0x0000:  5a94 efe4 0cdd
11:56:43.563061 IP6 (hlim 255, next-header ICMPv6 (58), payload length 24) fe80::fb99:872d:7a83:dec6 > 2a02:6b8:0:3400:0:7ff3:0:2: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::fb99:872d:7a83:dec6, Flags [solicited]
11:56:49.039219 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fe80::fb99:872d:7a83:dec6 > 2a02:6b8:0:3400:0:7ff3:0:2: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:6b8:0:3400:0:7ff3:0:2
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:56:50.063178 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fe80::fb99:872d:7a83:dec6 > 2a02:6b8:0:3400:0:7ff3:0:2: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:6b8:0:3400:0:7ff3:0:2
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:56:51.086688 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fe80::fb99:872d:7a83:dec6 > 2a02:6b8:0:3400:0:7ff3:0:2: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:6b8:0:3400:0:7ff3:0:2
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:56:56.233742 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fd00::2 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:56:57.295801 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fd00::2 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:56:58.320148 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fd00::2 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
11:57:59.364807 IP6 (hlim 255, next-header ICMPv6 (58), payload length 32) fe80::fb99:872d:7a83:dec6 > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
	  source link-address option (1), length 8 (1): 5a:94:ef:e4:0c:ee
	    0x0000:  5a94 efe4 0cee
^C
23 packets captured
23 packets received by filter
0 packets dropped by kernel

curl output:

# curl -6 -vk --connect-timeout 5 https://[2a02:6b8:0:3400:0:7ff3:0:2]/
*   Trying [2a02:6b8:0:3400:0:7ff3:0:2]:443...
* connect to 2a02:6b8:0:3400:0:7ff3:0:2 port 443 from fd00::2 port 44830 failed: No route to host
* Failed to connect to 2a02:6b8:0:3400:0:7ff3:0:2 port 443 after 3059 ms: Could not connect to server
* closing connection #0
curl: (7) Failed to connect to 2a02:6b8:0:3400:0:7ff3:0:2 port 443 after 3059 ms: Could not connect to server

The problem is IPv6-only host is not reacheable from VM.
NDP is not working.

---

This workaround helps on VM (podman machine ssh):

root@localhost:~# ip -6 neigh replace fe80::1 lladdr 5a:94:ef:e4:0c:dd dev enp0s1 nud permanent
root@localhost:~# ip -6 neigh show dev enp0s1
fe80::1 lladdr 5a:94:ef:e4:0c:dd PERMANENT
fd00::1 lladdr 5a:94:ef:e4:0c:dd STALE
2a01:230:2::a5 FAILED

After that curl for IPv6-only host started to work:

# curl -6 -vk --connect-timeout 5 https://[2a02:6b8:0:3400:0:7ff3:0:2]/
*   Trying [2a02:6b8:0:3400:0:7ff3:0:2]:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256 / x25519 / id-ecPublicKey
* ALPN: server accepted http/1.1
* Server certificate:
...[skipped]...
* Connected to 2a02:6b8:0:3400:0:7ff3:0:2 (2a02:6b8:0:3400:0:7ff3:0:2) port 443
* using HTTP/1.x
> GET / HTTP/1.1
> Host: [2a02:6b8:0:3400:0:7ff3:0:2]
> User-Agent: curl/8.15.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 404 Not found
< Content-Length: 0
<
* Connection #0 to host 2a02:6b8:0:3400:0:7ff3:0:2 left intact

[karta0807913]

hi @arikon. thanks for your testing! i made a mistake that we should also accepts the ICMPv6 package from the link local address fe80::1. NDP is working on my computer now. please help me test the podman again. thanks!

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.