Enable IPv6 support by default

[saschagrunert]

/kind feature

Description

IPv6 support needs currently explicitly enabled by --sysctl net.ipv6.conf.all.disable_ipv6=0.

That's the same behavior like in docker and I'm wondering if we want to change it to a more sane default?

If you're fine with that I'd like to submit a PR, otherwise feel free to close this.

[rhatdan]

I like turning it on by default. But what if a Admin wants this turned off by default?
Should we check how the system is configured and then set the settings within the container to match?

[rhatdan]

@saschagrunert Where do I see this disabled?

sudo podman run fedora cat /proc/sys/net/ipv6/conf/all/disable_ipv6
0

[mheon]

I think our first steps here are probably throwing IPv6 support into the default CNI config we ship, and enabling the flag for static IPv6 addresses - which, AFAIK, is still blocked on verifying CNI 0.8.1 is available everywhere and building new test images with it.

[saschagrunert]

@saschagrunert Where do I see this disabled?

sudo podman run fedora cat /proc/sys/net/ipv6/conf/all/disable_ipv6
0

Interestingly, it really seems not disabled by default. I guess the main issue is what @mheon mentioned. A CNI config like this seems not to work right now:

{
    "cniVersion": "0.3.0",
    "name": "podman",
    "plugins": [
      {
        "type": "bridge",
        "bridge": "cni1",
        "isGateway": true,
        "ipMasq": true,
        "ipam": {
          "routes": [
            { "dst": "0.0.0.0/0" },
            { "dst": "1100:201::1/24" }
          ],
          "ranges": [
            [{ "subnet": "172.88.0.0/16" }],
            [{ "subnet": "1100:201::/24" }]
          ]
        }
      },
      {
        "type": "portmap",
        "capabilities": {
          "portMappings": true
        }
      }
    ]
}

> sudo podman run -it debian:stretch ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
3: eth0@if90: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether e2:a2:86:8f:19:e1 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::e0a2:86ff:fe8f:19e1/64 scope link tentative
       valid_lft forever preferred_lft forever

If we leverage the latest OCICNI version then it should be possible to provide the same dual stack IPv6 support like in CRI-O, right?

[mheon]

Yep, once we have CNI updated properly, we can update OCICNI and get v6 support enabled.

[saschagrunert]

Yep, once we have CNI updated properly, we can update OCICNI and get v6 support enabled.

Alright, I see that we have another issue open on that topic: #3245

I will close this one in favor of the other.

[daiaji]

@mheon Will the future default IPv6 support be implemented through nat6, or will DHCPv6 get a subnet and assign IPv6 address to container?
Or set the "fixed-cidr-v6" parameter like docker to automatically distribute IPv6 addresses?
Nat6 may be too evil🥶

[mheon]

Definitely not NAT. Right now, I think our approach might be requiring users to manually configure v6 subnets manually (maybe provide a range in the configuration file that podman network create can pick out of).