[BUG] Pot should run ip6addrctl on jail startup #203

Closed
grembo opened this issue Feb 6, 2022 · 0 comments · Fixed by #205
grembo commented Feb 6, 2022

Describe the bug
(Usually?) pot installations are based on IPv4, but without calling ip6addrctl, the default address selection policy uses IPv6 in case a domain has an AAAA record. This makes some tools choose the wrong protocol.

To Reproduce
Create a pot that is based on /tmp/tinirc, jexec into the running jail, then:

```
root@long_jail_name:/ # host www.google.com                                (1)
www.google.com has address 142.251.36.196
www.google.com has IPv6 address 2a00:1450:4016:809::2004
root@long_jail_name:/ # ping www.google.com                                (2)
ping: UDP connect: No route to host
root@long_jail_name:/ # ping -4 www.google.com                             (3)
PING www.google.com (142.250.184.196): 56 data bytes
64 bytes from 142.250.184.196: icmp_seq=0 ttl=59 time=5.146 ms
^C
root@long_jail_name:/ # service ip6addrctl start                           (4)
root@long_jail_name:/ # ping www.google.com                                (5)
PING www.google.com (142.250.184.196): 56 data bytes
64 bytes from 142.250.184.196: icmp_seq=0 ttl=59 time=5.164 ms
^C
```
  1. The hostname lookup of www.google.com shows that it has both IN A and IN AAAA records.
  2. Pinging www.google.com selects IPv6, which is not configured in the pot to have any routes to the outside world and therefore fails.
  3. Pinging with an explicit protocol specification works as expected.
  4. Running the ip6addrctl rc script configured the default of preferring IPv4.
  5. Now ping works as expected (prefer IPv4).

Expected behavior
Expect 5. from above to work by default (prefer IPv4 in an IPv4 based pot).

Additional context
Fixing this should be fairly straightforward. The general question of course is how much of these things should be done by pot itself and which things should be done by the container's payload (some customized script).

Either way, in this case the fix is fairly simple - either call service ip6addrctl start like above, or do what /etc/rc.d/ip6addrctl would do in /tmp/tinirc:

```sh
# Default for the command variable (assumption: the base system binary path)
: "${IP6ADDRCTL_CMD:=/usr/sbin/ip6addrctl}"

# Only install a policy table when the kernel was built with INET6
if sysctl -n kern.features.inet6 >/dev/null 2>&1; then
	${IP6ADDRCTL_CMD} flush >/dev/null 2>&1
	# Prefer IPv4: ::ffff:0:0/96 (IPv4-mapped) gets the highest precedence
	cat <<EOT | ${IP6ADDRCTL_CMD} install /dev/stdin
	::1/128          50      0
	::/0             40      1
	::ffff:0:0/96   100      4
	2002::/16        30      2
	2001::/32         5      5
	fc00::/7          3     13
	::/96             1      3
	fec0::/10         1     11
	3ffe::/16         1     12
EOT
fi
```

Maybe calling service ip6addrctl start (but not stopping in case that didn't work) might be some good real-world middle-ground solution, as it would allow less stripped-down images to override the default (by changing the ip6addrctl_policy in rc.conf), while those who create really stripped-down images (without /etc/rc.d) could still set up things in their own scriptwork as they want.
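As an added illustration (not part of this issue or of pot's own code) of why the policy table matters: the following Python models the precedence-based destination selection that ip6addrctl's table drives, parsing the prefer-IPv4 table from the snippet above alongside, as an assumption, the RFC 6724 default table in which ::ffff:0:0/96 has precedence 35. Run over the two addresses returned by the host lookup in the reproduction, it reproduces steps 2 and 5: the default table picks the AAAA address, the prefer-IPv4 table picks the A address.

```python
import ipaddress

# Policy table from the tinirc snippet above (prefer IPv4): prefix, precedence, label
PREFER_IPV4_TABLE = """
::1/128          50      0
::/0             40      1
::ffff:0:0/96   100      4
2002::/16        30      2
2001::/32         5      5
fc00::/7          3     13
::/96             1      3
fec0::/10         1     11
3ffe::/16         1     12
"""

# Assumption: RFC 6724 default precedences; only the IPv4-mapped row differs (35 instead of 100)
DEFAULT_TABLE = """
::1/128          50      0
::/0             40      1
::ffff:0:0/96    35      4
2002::/16        30      2
2001::/32         5      5
fc00::/7          3     13
::/96             1      3
fec0::/10         1     11
3ffe::/16         1     12
"""


def parse_policy_table(text):
    """Parse ip6addrctl-style rows into (network, precedence, label) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, precedence, label = line.split()
        rows.append((ipaddress.IPv6Network(prefix), int(precedence), int(label)))
    return rows


def to_ipv6(addr):
    """Map an IPv4 address to its IPv4-mapped IPv6 form, as the policy table expects."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address(f"::ffff:{ip}")
    return ip


def lookup(table, addr):
    """Longest-prefix match of addr against the table; returns (precedence, label)."""
    ip = to_ipv6(addr)
    best = None
    for net, prec, label in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, prec, label)
    return best[1], best[2]


def select_destination(table, candidates):
    """Pick the candidate with the highest precedence (the rule that matters here)."""
    return max(candidates, key=lambda a: lookup(table, a)[0])


# Constructed from the host lookup in the reproduction above
CANDIDATES = ["142.251.36.196", "2a00:1450:4016:809::2004"]

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_TABLE), ("prefer IPv4", PREFER_IPV4_TABLE)):
        table = parse_policy_table(text)
        for addr in CANDIDATES:
            print(f"{name:12} {addr:26} precedence={lookup(table, addr)[0]}")
        print(f"{name:12} selected -> {select_destination(table, CANDIDATES)}")
```

The point the model makes explicit: with the default table the IPv6 address (::/0, precedence 40) beats the IPv4-mapped one (precedence 35), so a dual-stack tool in an IPv4-only pot tries the unroutable IPv6 destination first; raising ::ffff:0:0/96 to 100 inverts that order without touching anything else.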

@grembo grembo added the bug label Feb 6, 2022
grembo added a commit to grembo/pot that referenced this issue Feb 7, 2022
This applies to pots without an rc script.

Closes bsdpot#201
Fixes bsdpot#203
grembo added a commit to grembo/pot that referenced this issue Feb 8, 2022
In case of IPv4-only, give IPv4 addresses the highest precedence,
in other cases (IPv6/dual-stack), prefer IPv6 addresses.

This fixes dual-stack tools like ping.

Only implemented for tinirc, as pots running standard rc run
these commands by default.

While there, add "wait for epair" also for IPv6 and private vnet
interfaces.

Fixes bsdpot#203
pizzamig pushed a commit that referenced this issue Feb 9, 2022
In case of IPv4-only, give IPv4 addresses the highest precedence,
in other cases (IPv6/dual-stack), prefer IPv6 addresses.

This fixes dual-stack tools like ping.

Only implemented for tinirc, as pots running standard rc run
these commands by default.

While there, add "wait for epair" also for IPv6 and private vnet
interfaces.

Fixes #203