17.04 / 17.05: The disappearance of the link-local & loopback ipv6 addresses

[euank]

Description

After upgrading to 17.04-ce or 17.05-ce, I no longer have a link-local ipv6 address by default (with ipv6 not enabled).

I think this might be an intentional change related to #20569, but I also think it's not entirely well thought out and is dangerously backwards incompatible.

Here's a simple example of something that no longer works:

func main() {
	conn, _ := net.Listen("tcp", ":8080")
	_, err := net.Dial("tcp", conn.Addr().String())
	if err != nil {
		fmt.Printf("did not expect error, but got: %v", err)
	}
}

The above program is available as euank/ipv6-repro:latest

The problem is that a program thinks ipv6 is available because it's enabled in my kernel, but docker has broken ipv6; it tries to listen on both (woo!), but unknowingly can't listen on ipv6 since docker tore it down when creating the netns. The program doesn't know that and will still happily think it's listening on both and .Addr() gives the ipv6 formatted address as a result.

Furthermore, if I just want a link local address (and don't want to allocate routable addresses), there's no way to configure the default bridge network to do so. Enabling ipv6 requires that I have a range of addresses to assign, but all I want is link-local addresses as we got by default before.

The workaround I've found is the following: docker run --sysctl net.ipv6.conf.all.disable_ipv6=0 euank/ipv6-repro:latest

Steps to reproduce the issue:

1. docker run euank/ipv6-repro:latest

2. docker run busybox ip addr

Describe the results you received:

1. did not expect error, but got: dial tcp [::]:8080: connect: cannot assign requested address

2. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
       inet 127.0.0.1/8 scope host lo
          valid_lft forever preferred_lft forever
   128: eth0@if129: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
       link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
       inet 172.17.0.2/16 scope global eth0
          valid_lft forever preferred_lft forever
   

Describe the results you expected:

1. No error, as was true in previous versions of docker (1.12.x, 1.13, 17.03)

2. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
       inet 127.0.0.1/8 scope host lo
          valid_lft forever preferred_lft forever
       inet6 ::1/128 scope host 
          valid_lft forever preferred_lft forever
   128: eth0@if129: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
       link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
       inet 172.17.0.2/16 scope global eth0
          valid_lft forever preferred_lft forever
       inet6 fe80::42:acff:fe11:2/64 scope link tentative 
          valid_lft forever preferred_lft forever
   

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client:
 Version:      17.05.0-ce
 API version:  1.29
 Go version:   go1.7.5
 Git commit:   89658be
 Built:        Thu May  4 22:14:18 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.05.0-ce
 API version:  1.29 (minimum version 1.12)
 Go version:   go1.7.5
 Git commit:   89658be
 Built:        Thu May  4 22:14:18 2017
 OS/Arch:      linux/amd64
 Experimental: false

Default fedora installation with ipv6 enabled on the host, config_ipv6 in the kernel, all that jazz.

[cpuguy83]

ping @aboch
Should we make an exception for the --ipv6 setting when the user sets the sysctl?

[euank]

@cpuguy83 The real solution IMO is to have 3 levels of granularity for ipv6:

1. default - link local ipv6 addresses are provided, the user doesn't have to carve out routable ipv6 addresses for containers. This matches the behavior in 1.12.6
2. off - the user explicitly said ipv6=off, there are neither link local nor routable ipv6 addresses. This is the current default
3. on + routable - the user specifies ipv6=on and specifies addresses to assign to containers, link local + routable ipv6 addresses are assigned.

Right now we're being forced to pick between 2 and 3 because ipv6=on completely arbitrarily requires specifying a range of addresses. Restoring 1 while allowing 2 fixes what the original PR intended to do IMO.

[tianon]

+1 -- losing even ::1 from the lo interface was really surprising behavior, and not at all easy to get back the old link-local-only behavior

(and I could've sworn it should've caused a resurgence of docker-library/php#194, but I tried and tried and couldn't get it to do so 😕)

[euank]

@tianon That doesn't resurge because apparently disabling ipv6 in a specifc netns doesn't prevent listening on ipv6; the go repro above succeeds to listen on ipv6 happily, but then is unable to connect on that address it was able to listen on. The php process happily listens on both when ipv6 is enabled on the host, but not in that netns.

If poorly written (php) code decided to do something like netstat -l to parse out what php was listening on and connect to that, then it would fail.

[SpComb]

To clarify re the title and description of this issue: I don't think losing the fe80::/64 link-local on the container eth0 interface is necessarily an issue. It's losing the ::1/128 loopback address on the lo interface that causes problems?

[euank]

Good call @SpComb, I clarified the issue title.

My example that broke was based on a real piece of code that broke. Indeed, that bit of code only needed lo's loopback address.

I agree that losing the loopback address is the bigger problem, but I still think that losing eth0's link-local address is a bug. I think the option to retain it, even without assigning routable addresses, is a feature worth having (and that used to work fine too.

[aboch]

Thanks @SpComb and @euank for the extra clarification.

A premise: If we do not find a better solution, we can revert the change in time for 17.06.

Now, I would really like to preserve the no ipv6 addresses if -ipv6==false. I feel that how it was working in the past where --ipv6=false was not in fact respected must be fixed.

The ipv6 link-local address on container's lo iface can be fixed. ATM, I am thinking to preserve it (even when --ipv6=false) if ipv6 is enabled on the host.

For the linux created link-local address on container's interfaces, ATM I am thinking that can be preserved when user creates the network with --ipv6 but does not specify any ipv6 --subnet. As of now, this failed by libnetwork core because the default IPAM driver is not able to autonomously provide a IPv6 subnet for the network.
So this requries changes in libnetwork core to be more lenient if the IPAM driver does not give us an IPv6 subnet.

To recap:

• docker network create abc; docker run --network abc ; => lo has ll v6 addr if V6 is enabled on host
• docker network create --ipv6 abc; docker run --network abc ... => lo and ethX have ll v6 addr
• docker network create --ipv6 --subnet 2001:db8::/64 abc; docker run --network abc ... => lo and ethX have ll v6 addr, ethX will have addr from v6 pool.

WDYT ?