Autodetect IPv6 connectivity from minion to master #39289
Conversation
|
Note that currently this can cause funny outcomes when salt master is running on dual-stack machine, but only listens on legacy IPv4. I see no other way around it other than actually trying to connect to salt master in |
|
Added a second commit where we actually try to connect before considering the address valid. This makes it work in all combinations: v4 only, v6 only and dual stack (even if only one IP family is actually listening for connections). |
salt/utils/__init__.py
Outdated
| break | ||
| except: |
There was a problem hiding this comment.
No bare exceptions, please. Could you change this to except Exception:?
|
Yes. I checked again with ipv4 only master and no With added logging: diff --git a/salt/transport/zeromq.py b/salt/transport/zeromq.py
index 20c7ba88cc..8cecb7d678 100644
--- a/salt/transport/zeromq.py
+++ b/salt/transport/zeromq.py
@@ -376,6 +376,7 @@ class AsyncZeroMQPubChannel(salt.transport.mixins.auth.AESPubClientMixin, salt.t
if not self.auth.authenticated:
yield self.auth.authenticate()
self.publish_port = self.auth.creds['publish_port']
+ print("connecting", self.master_pub)
self._socket.connect(self.master_pub)
@property |
|
Ok, I see what happened. I changed connection detection to actually make a connection and fixed logging as a bonus. Let's see if this works. |
bobrik
force-pushed
the
autodetect-ipv6
branch
from
e4bc7d4
to
af95786
Compare
|
Syndic tests are failing now. This is because tests are checking configuration and do not spawn any listeners on syndic master port. Not really sure what's the best way forward. |
bobrik
force-pushed
the
autodetect-ipv6
branch
from
7e814ba
to
e8a2cc0
Compare
|
@cachedout it's passing tests now. Please take another look. |
salt/utils/__init__.py
Outdated
| break | ||
| if not addr: | ||
| except Exception: | ||
| pass |
There was a problem hiding this comment.
Broad exceptions with a pass statement always scare me. What sort of exceptions are we expecting here? Can we narrow this down?
There was a problem hiding this comment.
I managed to narrow it down to socket.error. Sometimes it's socket.gaierror, but socket.error covers that:
>>> import socket
>>> socket.gaierror
<class 'socket.gaierror'>
>>> issubclass(socket.gaierror, socket.error)
True
| @@ -81,9 +81,10 @@ The option can can also be set to a list of masters, enabling | |||
| ``ipv6`` | |||
| -------- | |||
|
|
|||
| Default: ``False`` | |||
| Default: ``None`` | |||
There was a problem hiding this comment.
Could you explain the reasoning for this please? I like to ensure we have a solid explanation for changing defaults. :]
There was a problem hiding this comment.
The reasoning is to enable IPv6 connectivity automatically if user doesn't override the setting. If master address resolves to IPv6 and responds on that address, we take advantage of that immediately.
Just like browsers don't force users to specify that they want google.com over IPv6, we don't force salt users to do the similar thing with salt masters. I think it's much smoother user experience.
It also enables mixed IPv4/IPv6 deployments with multiple masters and that is very useful during migration to IPv6 only stacks.
There was a problem hiding this comment.
Gotcha. I agree entirely that this is a better user experience but I am not very excited about making that change in a minor, bugfix only release. I would accept this PR if we didn't change the default behavior or as it is into the develop branch. Between those two choices, I think that putting this into the develop branch is the better course of action but I'd like to hear your thoughts. Thanks!
There was a problem hiding this comment.
It feels here like changing a default value does not change the behavior, but just adds additional behavior: previously by default it tried IPv4 only, but now it tries IPv4 and IPv6.
Also, I bet for most Salt users (at least for me) who did not try IPv6 specifically fact that IPv6 is disabled by default is more a surprise than an expectation.
There was a problem hiding this comment.
The default behavior is all-IPv4 for salt master and salt minion, we don't change that. This patch doesn't change behavior for this case. For people who run IPv6-only deployments already, this patch doesn't change behavior either, because those people already have to set ipv6: true on both minion and master.
The point here is to enable new behavior out of the box, not change anything existing and working.
This patch only changes behavior for the case that was not possible before, so it's hard to break anything existing in the wild. The only thing I can think of is a deployment where salt master works on IPv4, listens and accepts connections on IPv6, but otherwise breaks on IPv6. You have to try very hard to achieve that and I double anyone has would have this issue.
In fact, ipv6 option wasn't even documented, I changed that recently in #39131.
If you still feel very strongly about development branch, I can do that.
There was a problem hiding this comment.
You both make very strong points. I appreciate the explanation and you taking the time to walk me through your reasoning. We'll get this in.
salt/minion.py
Outdated
| @@ -132,7 +132,7 @@ | |||
| # 6. Handle publications | |||
|
|
|||
|
|
|||
| def resolve_dns(opts, fallback=True): | |||
| def resolve_dns(opts, connect=True, fallback=True): | |||
There was a problem hiding this comment.
We prefer to add new kwargs at the end of the list just in case anybody is calling this with positional arguments.
salt/utils/__init__.py
Outdated
| @@ -716,10 +716,11 @@ def ip_bracket(addr): | |||
| return addr | |||
|
|
|||
|
|
|||
| def dns_check(addr, safe=False, ipv6=False): | |||
| def dns_check(addr, port, connect=True, safe=False, ipv6=None): | |||
There was a problem hiding this comment.
Same comment as above with new kwargs being at the end.
bobrik
force-pushed
the
autodetect-ipv6
branch
from
385d473
to
220f6d7
Compare
bobrik
force-pushed
the
autodetect-ipv6
branch
from
220f6d7
to
2761a1b
Compare
|
Is there anything else I should address? |
This fixes saltstack#39995. The previous work happened in saltstack#39289.
This was a regression in saltstack#39289 Fixes saltstack#40908
What does this PR do?
It removes the need to specify
ipv6: truein minion configuration for IPv6-only salt masters.What issues does this PR fix or reference?
This is related to #39118.
Previous Behavior
IPv6 only master require setting
ipv6: truein the config, otherwise minions fail to connect, because IPv6 is explicitly disabled by default.New Behavior
IPv6 only masters work out of the box. Yay future.
Tests written?
Nope.