New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Expose bridge IPv6 setting to docker network inspect
#17513
Expose bridge IPv6 setting to docker network inspect
#17513
Conversation
I think this is @mavenugo related? |
@@ -419,6 +419,7 @@ func initBridgeDriver(controller libnetwork.NetworkController, config *Config) e | |||
netlabel.DriverMTU: strconv.Itoa(config.Mtu), | |||
bridge.EnableIPMasquerade: strconv.FormatBool(config.Bridge.EnableIPMasq), | |||
bridge.EnableICC: strconv.FormatBool(config.Bridge.InterContainerCommunication), | |||
netlabel.EnableIPv6: strconv.FormatBool(config.Bridge.EnableIPv6), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
netOption
is really a collection of per network specific options. We consider EnableIPv6
a driver specific option instead, which is why it is being passed down separately from the network options.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't understand the distinction. Unless I've misread the libnetwork code, it all ends up as properties on the network struct...so I'm not sure what it means to be 'driver specific'.
Regardless, this is just making the default bridge construction be more similar to manually created networks (for consistency).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To elaborate more:
root@lp01679:/usr/bin# docker network create -o com.docker.network.enable_ipv6=true newbridge
13fc7ada2827d349d21a2c32fdd5a6fec32b6c0b8f591b7ec80d1dc4156146e1
root@lp01679:/usr/bin# docker network inspect newbridge
[...]
"options": {
"com.docker.network.enable_ipv6": "true"
}
}
]
root@lp01679:/usr/bin# ip addr
[...]
394: br-13fc7ada2827: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
link/ether 02:42:8b:20:12:de brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 scope global br-13fc7ada2827
valid_lft forever preferred_lft forever
inet6 fe80::1/64 scope link tentative
valid_lft forever preferred_lft forever
root@lp01679:/usr/bin# docker network rm newbridge
root@lp01679:/usr/bin# docker network create -o com.docker.network.enable_ipv6=false newbridge
410ec2597a8ed01125fc113ab1c51c37e55d481df2d82a50bd731b95702cfa0f
root@lp01679:/usr/bin# docker network inspect newbridge
[...]
"options": {
"com.docker.network.enable_ipv6": "false"
}
}
]
root@lp01679:/usr/bin# ip addr
[...]
395: br-410ec2597a8e: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
link/ether 02:42:71:ff:88:ed brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 scope global br-410ec2597a8e
valid_lft forever preferred_lft forever
i.e. you can detect ipv6 on a manually created network by looking at labels. It doesn't make sense to me that the default bridge would be a special case.
In fact, this is the only place in Docker where NetworkOptionGeneric
is used! Although some of the labels might partition into driver-specific options, network specific options and generic options, that's a decision for the libnetwork internals to make.
Of course, I've only been playing around libnetwork for a day, so I may be misunderstanding.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@aidanhs apologies on the delayed response. As you know libnetwork doesn't work on driver specific options/labels. Driver options are transparently sent to the drivers/plugins. Whereas libnetwork handles some of the generic labels such as enable_ipv6
to provide driver independent functionality. In this case, enable_ipv6
is used to update DNS records. That is the history behind keeping the enable_ipv6 flag as a driver independent flag (but still send it to the driver after libnetwork processing).
Having said that, I think there is an issue for user-defined networks wherein libnetwork doesn't process the this flag. I will confirm.
@mrjana can add more details to this.
8990aa7
to
2ca5002
Compare
Maybe some commentary will help clarify this PR:
If the reviewer believes that consistency is a good thing (i.e. agrees with these two points) then I think this PR is a step forward. From a libnetwork design point of view, I'm not convinced that consumers of the library should be worrying about what kind of option something is, or how it's implemented behind the scenes - you just know that you want a network with setting S set to a value V. As things currently stand, libnetwork doesn't offer any guidance for choosing what type of option is appropriate (nor is anything enforced, nor are different types of options treated differently - both |
2ca5002
to
8990aa7
Compare
@tiborvass @aidanhs as explained in #17513 (comment), this is a libnetwork options processing design especially providing a way for driver specific vs driver independent options. We had a few issues with this in the past (due to the labels vs options support). |
8990aa7
to
62e27de
Compare
Just so I'm completely clear, you're saying that the split between driver specific and driver independent options (i.e. forcing them to be two different parameters to libnetwork) was a decision made to resolve some issues related to labels vs options? The problem is that library consumers (like docker) now need to keep their own record of which options are driver specific/independent. This issue (
As it happens the flag is actually processed for user networks, despite their creation not conforming to the intended design (where options should be split before being passed) - https://github.com/docker/docker/blob/3d82564c7a6ae139879b869a987bf9274ed0275d/daemon/network.go#L103. I assume this is a (happy) accident - when I read the libnetwork code a while ago, it seemed to treat driver-specific and driver-independent options in the same way, it just had a list of settings it would look out for. You can see some evidence of this working by comparing the output of
Note the extra inet6 address for the latter. Just as a reminder of the issue I actually want fixed: I appreciate your responses and look forward to the response from @mrjana, but if you're sure that you're not going to merge the PR in its current state then I encourage you to just close it - I will raise an appropriate issue against docker and you can decide how to resolve it in line with your preferred design. |
ping @mrjana can you have a look at this one please? thanks! |
@aidanhs @mavenugo Let me give some context on what we actually want to do here regardless of what state the current implementation is in. Before 1.9 we only had default bridge and hence all the optional flags that were meant for the bridge driver were either just provided as a daemon option if it applies to all containers using bridge or in One such daemon option is So the decision we made is that all the existing daemon wide networking options which existed pre-1.9 will only be applicable to default bridge network(with the exception of some options which are truly global and will apply to all bridge networks) For all the other non-default bridge networks these options have to specified during the network create time. So in theory we should have Once we have the So to me the design roughly should like this:
Thoughts? |
@mrjana thanks for the clarification and your suggestion make sense to me. |
Makes sense.
This is a way forward and it's better from the status quo, so +1 from that point of view. However, my personal vague feeling is that labels are great! Why create another way of passing options down to drivers when you have an extensible, decent method already available to you? .ini files are just a string -> string set of keys and values, and they work pretty well for general configuration - I'm not sure what making ipv6 a first-class option buys you. If you like Or is it about the conceptual difference between labels and options (which I've not yet quite grasped)? |
@aidanhs I think the term If there is some option which is driver independent, then that should be really a first class option in docker api and cli. If you agree with the above rough sketch, can you please rework the PR to address the design or close this one and create another one which addresses the problem the correct way? |
Ping @aidanhs! Thanks :-) |
I see, so you're coming at it from the point of view that the number of driver-independent options is finite (and small), so they can all be supported as first-class values without asking too much of libnetwork consumers to keep track of them. I'm not sure I 100% agree with the proposed route (and feel that you may end up redesigning how options work), but I understand the justification and can see it's an improvement so I'll make the required changes to this PR so forward progress can be made. People actually using libnetwork can then give feedback in the future for incremental improvement. While I'm making the changes, I'm curious - what is the significance of the unique |
@aidanhs Thanks for moving this forward.
|
ping @aidanhs what's the status on this one; are you still working on this? |
59e8e36
to
1db8dd1
Compare
Thanks @mavenugo! |
Signed-off-by: Aidan Hobson Sayers <aidanhs@cantab.net>
7f6512c
to
dfb0065
Compare
LGTM |
1 similar comment
LGTM |
@aidanhs This is going to need docs. |
Signed-off-by: Aidan Hobson Sayers <aidanhs@cantab.net>
I've just added docs as a followup commit for ease of review. |
Thanks! Moving to docs review. |
@@ -134,7 +135,13 @@ The following are those options and the equivalent docker daemon flags used for | |||
| `com.docker.network.bridge.enable_icc` | `--icc` | Enable or Disable Inter Container Connectivity | | |||
| `com.docker.network.bridge.host_binding_ipv4` | `--ip` | Default IP when binding container ports | | |||
| `com.docker.network.mtu` | `--mtu` | Set the containers network MTU | | |||
| `com.docker.network.enable_ipv6` | `--ipv6` | Enable IPv6 networking | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure what removing this from there though ? It's still a valid option when creating a bridge network right ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The context is the paragraph above
When creating a custom network, the default network driver (i.e.
bridge
) has additional options that can be passed. The following are those options and the equivalent docker daemon flags used for docker0 bridge:
com.docker.network.enable_ipv6
is no longer a valid 'driver option' (also known as 'label') and it will be ignored, so I've removed this line. Instead, --ipv6
is a valid option for all networks.
@aidanhs There is a few update to do in the /cc @thaJeztah |
|
||
| Argument | Equivalent | Description | | ||
|--------------|------------|------------------------------------------| | ||
| `--internal` | - | Restricts external access to the network | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What does the "equivalent" column relate to here? Is that the daemon flag?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, docker network create
takes in few more flags that are applicable to any driver such as subnet
, ip-range
, gateway
& others. They are all already documented in docs/reference/commandline/network_create.md
. am not sure if we need to repeat it here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@thaJeztah yes, this is in the context of the table above which says "and the equivalent docker daemon flags used for docker0 bridge" above it.
@mavenugo true. Want me to remove them? If so, I'll add a sentence above the exiting table saying something like "There are also arguments to docker network create
applicable to any network driver, which can be found on the reference page for that command."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@aidanhs thanks. Actually, the table is infact useful for those who like to compare the existing daemon flags with the network
flags. So, maybe you can include all the options and compare them ?
For example --ip-range
is equivalent to --fixed-cidr
, the --subnet
is equivalent to the subnet in bip
, etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We may want to add a small bit to explain "what" they're equivalent to (i.e. that the "equivalent" column shows the equivalent docker daemon
option)?
Okay, we discussed this; to prevent more rebase hell, well merge this, and look at the final changes in a follow up LGTM |
docs LGTM. Let's follow up with another PR to add more information to that table with other options. |
Expose bridge IPv6 setting to `docker network inspect`
Using
docker network inspect bridge
.Before:
After: