release: v1.18.0-beta.3 — v4-only fallback for hosts without usable IPv6 #245
Merged
On hosts that have IPv6 in the kernel but no global or ULA v6 address on any interface (headless QEMU/KVM VMs, containers, v6less networks), netavark cannot reliably hold the ULA gateway on the rootless bridge. aardvark-dns then fails to bind [fd00:1e7d::1]:53 with EADDRNOTAVAIL and a subset of service containers (commonly nginx, postgres, meilisearch) exit with status 1 and stay in failed state after lerd install. EnsureNetwork and RecreateNetwork (was MigrateNetworkToIPv6) now probe /proc/net/if_inet6 + /proc/sys/net/ipv6/conf/all/disable_ipv6 and create the lerd network v4-only when no non-loopback, non-link-local v6 address is present. Existing mismatched networks are recreated in place on the next install: dual-stack on a v6less host becomes v4-only, v4-only on a host that has v6 is promoted to dual-stack as before. Upgrade path from 1.17.1 on a v6less host is a no-op (no recreate, no container churn).
Third beta on the 1.18 line. One fix.
On hosts that have IPv6 in the kernel but no global or ULA v6 address on any interface (typical in headless QEMU or KVM VMs, containers, and networks without v6 DHCP), netavark cannot reliably hold the ULA gateway on the rootless bridge, so aardvark-dns fails to bind fd00:1e7d::1 port 53 with EADDRNOTAVAIL and a subset of service containers (usually nginx, postgres, meilisearch) exit with status 1 and stay in failed state after lerd install.
The dual-stack migration from beta.1 assumed every host could hold a v6 ULA, so v4-only networks from 1.17.1 were force-migrated to dual-stack regardless of the host's actual v6 state. This change adds a HostHasUsableIPv6 probe that reads /proc/net/if_inet6 and the disable_ipv6 sysctl, and gates dual-stack creation on the probe. Hosts with a global or ULA v6 address still get dual-stack, hosts without stay or get moved to v4-only. Existing mismatched networks are recreated in place on lerd install, so a dual-stack network on a v6-less host becomes v4-only on the next install, and a v4-only network on a host that has v6 is promoted to dual-stack just like before. Upgrading from 1.17.1 on a v6-less host is a no-op, same v4-only network, no container churn.
Renamed MigrateNetworkToIPv6 to RecreateNetwork since the target schema now depends on the host.
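
The host probe described above, written out as an added Go example; it is not lerd's own code, and `hasUsableIPv6` and the sample constants are hypothetical names. It assumes any address in /proc/net/if_inet6 that is neither loopback nor link-local counts as usable and ignores the per-address flags column.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net"
	"os"
	"strings"
)

// Constructed sample rows in /proc/net/if_inet6 layout (not from a real host).
const sampleV6less = "00000000000000000000000000000001 01 80 10 80       lo\n" +
	"fe80000000000000505400fffe123456 02 40 20 80     eth0\n"
const sampleULA = sampleV6less +
	"fd123456789a00000000000000000010 02 40 00 80     eth0\n"

// hasUsableIPv6 is a hypothetical stand-in for the probe, not the project's
// function. ifInet6 is the content of /proc/net/if_inet6, disableIPv6 the
// content of /proc/sys/net/ipv6/conf/all/disable_ipv6.
func hasUsableIPv6(ifInet6, disableIPv6 string) bool {
	if strings.TrimSpace(disableIPv6) == "1" {
		return false // IPv6 switched off for all interfaces
	}
	for _, line := range strings.Split(ifInet6, "\n") {
		// Columns: address(32 hex) ifindex prefixlen scope flags device
		f := strings.Fields(line)
		if len(f) < 6 {
			continue
		}
		raw, err := hex.DecodeString(f[0])
		if err != nil || len(raw) != net.IPv6len {
			continue // malformed row: skip rather than guess
		}
		ip := net.IP(raw)
		if ip.IsLoopback() || ip.IsLinkLocalUnicast() {
			continue // ::1 and fe80::/10 do not justify a dual-stack network
		}
		return true // global or ULA address found
	}
	return false
}

func main() {
	// A missing file yields empty content, which the probe reads as "no v6".
	a, _ := os.ReadFile("/proc/net/if_inet6")
	d, _ := os.ReadFile("/proc/sys/net/ipv6/conf/all/disable_ipv6")
	fmt.Println("usable IPv6:", hasUsableIPv6(string(a), string(d)))
}
```
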