docker: fix an issue on net.ipv6.conf.all.disable_ipv6 #1023

Merged
merged 3 commits into from Oct 11, 2019

Conversation

@yatch
Member

commented Aug 8, 2019

Issue

We currently try to change net.ipv6.conf.all.disable_ipv6 to 0 by .profile, but it doesn't work.

$ docker run -ti contiker/contiki-ng
sysctl: setting key "net.ipv6.conf.all.disable_ipv6": Read-only file system
user@57f569a70c56:~/contiki-ng$

Here is another example:

$ docker run -ti contiker/contiki-ng sysctl net.ipv6.conf.all.disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 1

Solution

As per the official documentation of Docker, --sysctl should be passed to docker run for this purpose:

> The --sysctl sets namespaced kernel parameters (sysctls) in the container. For example, to turn on IP forwarding in the containers network namespace, run this command:

What does this PR do?

This PR proposes to remove the sysctl command from .profile. The Wiki page will be updated accordingly, adding --sysctl net.ipv6.conf.all.disable_ipv6=0 to contiker aliases.

Demo

$ docker run --sysctl net.ipv6.conf.all.disable_ipv6=0 -ti contiker/contiki-ng sysctl net.ipv6.conf.all.disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 0

Version Info

$ docker image ls | grep contiki-ng
contiker/contiki-ng    latest              8307892c9c77        9 months ago        3.32GB

$ docker version
Client: Docker Engine - Community
 Version:           19.03.1
 API version:       1.40
 Go version:        go1.12.5
 Git commit:        74b1e89
 Built:             Thu Jul 25 21:18:17 2019
 OS/Arch:           darwin/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.1
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.5
  Git commit:       74b1e89
  Built:            Thu Jul 25 21:17:52 2019
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          v1.2.6
  GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc:
  Version:          1.0.0-rc8
  GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

This issue is confirmed on Docker for Windows as well.

@yatch yatch force-pushed the yatch:pr/docker-sysctl branch from d9afcd8 to c1a1bee Aug 8, 2019
@yatch yatch changed the title docker: fix a issue on net.ipv6.conf.all.disable_ipv6 docker: fix an issue on net.ipv6.conf.all.disable_ipv6 Aug 8, 2019
@yatch

Member Author

commented Aug 9, 2019

Seems the sysctl command line in .profile is effective in the docker environment on Travis... Removing the command caused test failures. I added a before_script section in .travis.yml so as to enable IPv6 in containers for testing.

@yatch

Member Author

commented Aug 9, 2019

Hmm... The test failed because of this...

opened tun device ``/dev/tun0''
SIOCSIFADDR: Permission denied

I got green on my Travis account, though... https://travis-ci.org/yatch/contiki-ng/builds/569843872

@jeppenodgaard

Contributor

commented Aug 23, 2019

> Hmm... The test failed because of this...
>
> opened tun device ``/dev/tun0''
> SIOCSIFADDR: Permission denied
>
> I got green on my Travis account, though... https://travis-ci.org/yatch/contiki-ng/builds/569843872

I've seen that error before. Adding these options might fix it:
-v "/dev/:/dev/" --cap-add NET_ADMIN --net=host

@g-oikonomou

Member

commented Aug 31, 2019

I'm not sure when / why this started happening, nor whether this is a proper way of fixing this. But I can confirm the bug; it is quite disruptive and we need to fix it somehow.

@simonduq

Member

commented Sep 20, 2019

IPv6 and tun in Docker is always difficult. Running with full privileges should work (as we do now in Travis), but has downsides obviously.

I don't think we can solve this in before_script, as this will run outside of the container.

What worked for me before, when trying to avoid --privileged, was: --cap-add=NET_ADMIN --device=/dev/net/tun --sysctl net.ipv6.conf.all.disable_ipv6=0. Net-admin required for both Tun and IPv6, and the specific tun dev also needs giving explicit access

@g-oikonomou g-oikonomou added this to the Version 4.4 milestone Sep 21, 2019
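
Added example (not part of the PR or of any participant's comment): a shell check to run inside the container, confirming that the flag set from the Sep 20 comment (`--cap-add=NET_ADMIN --device=/dev/net/tun --sysctl net.ipv6.conf.all.disable_ipv6=0`) took effect without falling back to `--privileged`. The function names and the treatment of CAP_SYS_ADMIN as a sign of excess privilege are assumptions of this example.

```shell
#!/bin/sh
# Added example: run inside the container to check the least-privilege
# setup (--cap-add=NET_ADMIN --device=/dev/net/tun --sysctl ...=0).

# Capability bit numbers from <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_SYS_ADMIN=21

# has_cap HEXMASK BIT: true if BIT is set in a CapEff-style hex mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff [STATUS_FILE]: effective capability mask of this shell.
cap_eff() {
    awk '/^CapEff:/ { print $2 }' "${1:-/proc/$$/status}"
}

# check_tun_env CAPMASK DISABLE_IPV6 TUN_PRESENT(yes|no)
# Prints one finding per problem; returns 0 only when all checks pass.
check_tun_env() {
    rc=0
    if ! has_cap "$1" "$CAP_NET_ADMIN"; then
        echo "missing CAP_NET_ADMIN: add --cap-add=NET_ADMIN"; rc=1
    fi
    # Assumption of this example: CAP_SYS_ADMIN is not needed for tun/IPv6,
    # so seeing it means the container has more privilege than required.
    if has_cap "$1" "$CAP_SYS_ADMIN"; then
        echo "CAP_SYS_ADMIN present: more privilege than tun/IPv6 needs"; rc=1
    fi
    if [ "$2" != 0 ]; then
        echo "IPv6 disabled: add --sysctl net.ipv6.conf.all.disable_ipv6=0"; rc=1
    fi
    if [ "$3" != yes ]; then
        echo "no /dev/net/tun: add --device=/dev/net/tun"; rc=1
    fi
    return "$rc"
}

# Live check, only when invoked as: sh check.sh --check
if [ "${1:-}" = --check ]; then
    tun=no; [ -c /dev/net/tun ] && tun=yes
    check_tun_env "$(cap_eff)" \
        "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6)" "$tun" && echo OK
fi
```
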
@simonduq

Member

commented Oct 4, 2019

@yatch ?

@yatch

Member Author

commented Oct 4, 2019

I'll be back to this next week, hopefully Monday.

@g-oikonomou g-oikonomou changed the base branch from develop to release-4.4 Oct 4, 2019
@g-oikonomou

Member

commented Oct 4, 2019

Changed base to branch release-4.4. Rebase possibly required.

@yatch yatch force-pushed the yatch:pr/docker-sysctl branch 5 times, most recently from 49c35e7 to fbb4761 Oct 7, 2019
@yatch

Member Author

commented Oct 8, 2019

This PR is ready. But, the test failed because of Issue #1084. So, this PR depends on PR #1085.

@yatch

Member Author

commented Oct 11, 2019

FYI: contiker alias definitions in the wiki page have been updated: https://github.com/contiki-ng/contiki-ng/wiki/Docker/_history

yatch added 2 commits Aug 8, 2019
net.ipv6.conf.all.disable_ipv6 cannot be changed by a login
shell. Passing --sysctl option to docker run does so.
@yatch yatch force-pushed the yatch:pr/docker-sysctl branch from fbb4761 to c5f9328 Oct 11, 2019
@g-oikonomou

Member

commented Oct 11, 2019

This is going to be the next one to merge. Is it ready?

@yatch

Member Author

commented Oct 11, 2019

Yes, it's ready. I've rebased the branch, and I'm waiting for Travis to get green...

@g-oikonomou g-oikonomou merged commit 605dd5e into contiki-ng:release-4.4 Oct 11, 2019
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed