GCE instances with IPv6 issues #185

Closed
joshuacox opened this issue Jan 18, 2018 · 3 comments
@joshuacox

I've tried with Ubuntu 16.04, 17.10 and CentOS 7 with the same errors; these pastes are from the CentOS 7 instance.

docker run --name=freeipa \
-d \
-e IPA_SERVER_IP=10.1.0.2 \
-e IPA_SERVER_INSTALL_OPTS="--subject O=IPA.LOCAL 20180118030342" \
-p 10.1.0.2:80:80 -p 10.1.0.2:443:443 -p 10.1.0.2:389:389 -p 10.1.0.2:636:636 -p 10.1.0.2:88:88 -p 10.1.0.2:464:464 \
-p 10.1.0.2:88:88/udp -p 10.1.0.2:464:464/udp -p 10.1.0.2:123:123/udp -p 10.1.0.2:7389:7389 \
-p 10.1.0.2:9443:9443 -p 10.1.0.2:9444:9444 -p 10.1.0.2:9445:9445 \
-p 10.1.0.2:53:53/udp -p 10.1.0.2:53:53 \
-h id.example.com \
-e PASSWORD=password \
-v /sys/fs/cgroup:/sys/fs/cgroup:ro \
--tmpfs /run --tmpfs /tmp \
-t freeipa/freeipa-server:fedora-27
[root@id ~]# docker logs b26
systemd 234 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN default-hierarchy=hybrid)
Detected virtualization docker.
Detected architecture x86-64.
Set hostname to <id.example.com>.
system.slice: Failed to set invocation ID on control group /docker/b26792580430a5efe781ceb5dac655fbeeb81db5918e2eb4d4c925d9bedf75d4/system.slice, ignoring: Operation not permitted
systemd-journald.service: Failed to set invocation ID on control group /docker/b26792580430a5efe781ceb5dac655fbeeb81db5918e2eb4d4c925d9bedf75d4/system.slice/systemd-journald.service, ignoring: Operation not permitted
systemd-tmpfiles-setup.service: Failed to set invocation ID on control group /docker/b26792580430a5efe781ceb5dac655fbeeb81db5918e2eb4d4c925d9bedf75d4/system.slice/systemd-tmpfiles-setup.service, ignoring: Operation not permitted
Thu Jan 18 02:53:37 UTC 2018 /usr/sbin/ipa-server-configure-first 
ipapython.admintool: ERROR    IPv6 stack is enabled in the kernel but there is no interface that has ::1 address assigned. Add ::1 address resolution to 'lo' interface. You might need to enable IPv6 on the interface 'lo' in sysctl.conf.
ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
FreeIPA server configuration failed.

lo on the host does have inet6 ::1

[root@id ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc pfifo_fast state UP qlen 1000
    link/ether ee:e1:ea:e0:00:02 brd ff:ff:ff:ff:ff:ff
    inet 10.1.0.2/32 brd 10.1.0.2 scope global dynamic eth0
       valid_lft 78228sec preferred_lft 78228sec
    inet6 fe80::4001:aff:fe80:2/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:81:93:96:99 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:81ff:fe93:9699/64 scope link 
       valid_lft forever preferred_lft forever
15: veth6119239@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP 
    link/ether fa:88:a0:64:3f:a2 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::f888:a0ff:fe64:3fa2/64 scope link 
       valid_lft forever preferred_lft forever

ping6 works:

[root@id ~]# ping6 ::1 -c 3
PING ::1(::1) 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.065 ms
64 bytes from ::1: icmp_seq=2 ttl=64 time=0.070 ms
64 bytes from ::1: icmp_seq=3 ttl=64 time=0.123 ms

--- ::1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.065/0.086/0.123/0.026 ms

@adelton
Collaborator

adelton commented Jan 18, 2018

The FreeIPA installer reports the situation as it finds it inside of the container. So the interfaces on the host are not that relevant, unless you use --net host.

Could you try to run

docker run --rm -ti fedora:27 bash -c 'dnf install -y /usr/sbin/ip && ip a'

and show the output?

Incidentally, a hack for a similar situation was added recently via freeipa/freeipa#1395 / https://pagure.io/freeipa/issue/7323 but it's in a version which is not yet in Fedora 27.

@adelton
Collaborator

adelton commented Jan 18, 2018

https://docs.docker.com/engine/userguide/networking/default_network/ipv6/ suggests that running the docker daemon with --ipv6 might enable the IPv6 stack. Could you give that a try as well?

@joshuacox
Author

joshuacox commented Jan 18, 2018

Installed:
  iproute.x86_64 4.14.1-4.fc27             iproute-tc.x86_64 4.14.1-4.fc27      libmnl.x86_64 1.0.4-4.fc27     
  linux-atm-libs.x86_64 2.5.1-19.fc27     

Complete!
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

adding in ipv6

# cat /etc/docker/daemon.json 
{
        "ipv6": true,
        "fixed-cidr-v6": "2001:db8:1::/64"
}

systemctl restart docker and run your test:

Complete!
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1::242:ac11:2/64 scope global nodad 
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:2/64 scope link 
       valid_lft forever preferred_lft forever

looks good, and now FreeIPA works as well

thanks @adelton Cheers! Closing, let me know if I can run any other tests or document anything.

zultron added a commit to zultron/freeipa-cloud-prov that referenced this issue Jul 9, 2018
FreeIPA now needs loopback network device IPV6 support.

freeipa/freeipa-container#185
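
Added example (not part of the thread and not FreeIPA's own code): a shell check for the condition named in the installer's error message, namely whether ::1 is assigned to lo in the network namespace the script runs in. The function names and the two sample tables are constructed for illustration; the samples mirror the "ip a" outputs posted before and after enabling IPv6 in daemon.json.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the current network
# namespace has ::1 assigned to lo, by reading /proc/net/if_inet6.
# Line format: <32-hex addr> <ifindex> <prefixlen> <scope> <flags> <device>

V6_LOOPBACK=00000000000000000000000000000001   # ::1 as if_inet6 writes it

# ipv6_lo_state [TABLE]  -> prints ok | missing-loopback | no-ipv6-stack
# TABLE defaults to the live file; the parameter lets samples be fed in.
ipv6_lo_state() {
    table=${1:-/proc/net/if_inet6}
    # No table: IPv6 is not available in this kernel, nothing to assign.
    if [ ! -e "$table" ]; then
        echo no-ipv6-stack
        return 0
    fi
    # Table present: the stack is enabled, so ::1 must be on device "lo".
    if awk -v a="$V6_LOOPBACK" \
        '$1 == a && $6 == "lo" { found = 1 } END { exit !found }' "$table"
    then
        echo ok
    else
        echo missing-loopback
        return 1
    fi
}

# Constructed samples that mirror the two "ip a" outputs in this thread.
write_samples() {
    dir=$1
    : > "$dir/before"                       # container without any inet6 lines
    cat > "$dir/after" <<'EOF'
00000000000000000000000000000001 01 80 10 80       lo
20010db80001000000000242ac110002 06 40 00 82     eth0
fe800000000000000042acfffe110002 06 40 20 80     eth0
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for name in before after; do
    state=$(ipv6_lo_state "$demo_dir/$name") || true
    echo "$name: $state"
done
echo "live namespace: $(ipv6_lo_state || true)"
rm -rf "$demo_dir"
```

Run it inside the container rather than on the host, since the host's lo is a different namespace unless the container uses --net host.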