Issue trying ambient mode on an ipv4-only k8s cluster about ztunnel HOT 13 CLOSED

I guess we need some logic to bind on 0.0.0.0 instead of [::] in those cases?

from ztunnel.

Yeah the bind has been v6-default in ztunnel for ages - there was some reason we picked that, I don't recall what it was.

I think it has more to do with whether someone is using a kernel with v6 support explicitly compiled out - even in V4-only clusters Linux is quite happy to locally bind V6 addresses, and we don't really care if they're routable outside the pod.

We can probably offer a back compat flag for people that aren't running v6 capable kernel networking stacks.

from ztunnel.

#1163 should fix this in the next release.

from ztunnel.

cc @bleggett and @leosarra

from ztunnel.

Is it easy to detect if they don't have ipv6 compiled in? if so we could just automate it

from ztunnel.

Is it easy to detect if they don't have ipv6 compiled in? if so we could just automate it

dunno, but that's an option yep.

We could also do an autofallback like we do for admin privs + use-original-src

from ztunnel.

I don't know how easily we can reliably check if the IPv6 module is loaded.
If that cannot be done, we could also expose the Kubernetes pod IPs field to the container.
If only IPv4 addresses are specified (single-stack ipv4 cluster), we use 0.0.0.0 as the unspecified address; otherwise, we use :: . Though, this would end up using 0.0.0.0 also for ipv4-only clusters where the ipv6 module is enabled.

from ztunnel.

Thank you all for the responses.

IMHO: A back-compat flag configurable via Helm as a pragmatic solution would definitely work for me --> no need for over-engineering if that would be necessary to get fully automated solution. To be honest, I was searching the Helm values for such a flag, just did not find it.

from ztunnel.

Hmm, I thought I could reproduce this with sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1 for testing/local/etc, but that does not seem to trigger the failure

from ztunnel.

@howardjohn : Looks like you are trying to disable the ipv6 network interface only. I think that when using a kernel without ipv6 you don't even have the path "net.ipv6" at all. Please try to disable the kernel module completely e.g. via grub cmd option ipv6.disable=1

from ztunnel.

Yeah the bummer is if it needs kernel restart we cannot actually test it in our CI.

from ztunnel.

We already have an enableV6 helm flag for istio-cni - we can pretty easily share that with ztunnel as well.

from ztunnel.

@bleggett : Sounds good! Probably just the actual behavior of the flag would need some clarification...Enabling is fine, but disabling would need to avoid all ipv6-functionality/calls/dependencies completely.

from ztunnel.