Slirp4netns with ipv6 set net.ipv6.conf.default.accept_dad=0

Duplicate Address Detection slows the ipv6 setup down for 1-2 seconds. Since slirp4netns is run it is own namespace and not directly routed we can skip this to make the ipv6 address immediately available. We change the default to make sure the slirp tap interface gets the correct value assigned so DAD is disabled for it. Also make sure to change this value back to the original after slirp4netns is ready in case users rely on this sysctl. Fixes containers#11062 Signed-off-by: Paul Holzinger <[email protected]>
mheon · Nov 12, 2021 · a67bf0f · a67bf0f
1 parent 47afa6d
commit a67bf0f
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 0 deletions.
diff --git a/libpod/networking_slirp4netns.go b/libpod/networking_slirp4netns.go
@@ -16,6 +16,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/containernetworking/plugins/pkg/ns"
 	"github.com/containers/podman/v3/pkg/errorhandling"
 	"github.com/containers/podman/v3/pkg/rootless"
 	"github.com/containers/podman/v3/pkg/rootlessport"
@@ -58,6 +59,8 @@ type slirp4netnsNetworkOptions struct {
 	outboundAddr6       string
 }
 
+const ipv6ConfDefaultAcceptDadSysctl = "/proc/sys/net/ipv6/conf/default/accept_dad"
+
 func checkSlirpFlags(path string) (*slirpFeatures, error) {
 	cmd := exec.Command(path, "--help")
 	out, err := cmd.CombinedOutput()
@@ -297,6 +300,39 @@ func (r *Runtime) setupSlirp4netns(ctr *Container) error {
 	}
 	cmd.Stdout = logFile
 	cmd.Stderr = logFile
+
+	var slirpReadyChan (chan struct{})
+
+	if netOptions.enableIPv6 {
+		slirpReadyChan = make(chan struct{})
+		defer close(slirpReadyChan)
+		go func() {
+			err := ns.WithNetNSPath(netnsPath, func(_ ns.NetNS) error {
+				// Duplicate Address Detection slows the ipv6 setup down for 1-2 seconds.
+				// Since slirp4netns is run it is own namespace and not directly routed
+				// we can skip this to make the ipv6 address immediately available.
+				// We change the default to make sure the slirp tap interface gets the
+				// correct value assigned so DAD is disabled for it
+				// Also make sure to change this value back to the original after slirp4netns
+				// is ready in case users rely on this sysctl.
+				orgValue, err := ioutil.ReadFile(ipv6ConfDefaultAcceptDadSysctl)
+				if err != nil {
+					return err
+				}
+				err = ioutil.WriteFile(ipv6ConfDefaultAcceptDadSysctl, []byte("0"), 0644)
+				if err != nil {
+					return err
+				}
+				// wait for slirp to finish setup
+				<-slirpReadyChan
+				return ioutil.WriteFile(ipv6ConfDefaultAcceptDadSysctl, orgValue, 0644)
+			})
+			if err != nil {
+				logrus.Warnf("failed to set net.ipv6.conf.default.accept_dad sysctl: %v", err)
+			}
+		}()
+	}
+
 	if err := cmd.Start(); err != nil {
 		return errors.Wrapf(err, "failed to start slirp4netns process")
 	}
@@ -310,6 +346,9 @@ func (r *Runtime) setupSlirp4netns(ctr *Container) error {
 	if err := waitForSync(syncR, cmd, logFile, 1*time.Second); err != nil {
 		return err
 	}
+	if slirpReadyChan != nil {
+		slirpReadyChan <- struct{}{}
+	}
 
 	// Set a default slirp subnet. Parsing a string with the net helper is easier than building the struct myself
 	_, ctr.slirp4netnsSubnet, _ = net.ParseCIDR(defaultSlirp4netnsSubnet)

diff --git a/test/e2e/run_networking_test.go b/test/e2e/run_networking_test.go
@@ -357,6 +357,26 @@ var _ = Describe("Podman run networking", func() {
 		Expect(ncBusy).To(ExitWithError())
 	})
 
+	It("podman run slirp4netns verify net.ipv6.conf.default.accept_dad=0", func() {
+		session := podmanTest.Podman([]string{"run", "--network", "slirp4netns:enable_ipv6=true", ALPINE, "ip", "addr"})
+		session.Wait(30)
+		Expect(session).Should(Exit(0))
+		// check the ipv6 setup id done without delay (https://github.com/containers/podman/issues/11062)
+		Expect(session.OutputToString()).To(ContainSubstring("inet6 fd00::"))
+
+		const ipv6ConfDefaultAcceptDadSysctl = "/proc/sys/net/ipv6/conf/all/accept_dad"
+
+		cat := SystemExec("cat", []string{ipv6ConfDefaultAcceptDadSysctl})
+		cat.Wait(30)
+		Expect(cat).Should(Exit(0))
+		sysctlValue := cat.OutputToString()
+
+		session = podmanTest.Podman([]string{"run", "--network", "slirp4netns:enable_ipv6=true", ALPINE, "cat", ipv6ConfDefaultAcceptDadSysctl})
+		session.Wait(30)
+		Expect(session).Should(Exit(0))
+		Expect(session.OutputToString()).To(Equal(sysctlValue))
+	})
+
 	It("podman run network expose host port 18082 to container port 8000 using slirp4netns port handler", func() {
 		session := podmanTest.Podman([]string{"run", "--network", "slirp4netns:port_handler=slirp4netns", "-dt", "-p", "18082:8000", ALPINE, "/bin/sh"})
 		session.Wait(30)