Comments (13)
I guess we need some logic to bind on 0.0.0.0 instead of [::] in those cases?
from ztunnel.
Yeah the bind has been v6-default in ztunnel for ages - there was some reason we picked that, I don't recall what it was.
I think it has more to do with whether someone is using a kernel with v6 support explicitly compiled out - even in V4-only clusters Linux is quite happy to locally bind V6 addresses, and we don't really care if they're routable outside the pod.
We can probably offer a back compat flag for people that aren't running v6 capable kernel networking stacks.
from ztunnel.
#1163 should fix this in the next release.
from ztunnel.
Is it easy to detect if they don't have ipv6 compiled in? if so we could just automate it
from ztunnel.
Is it easy to detect if they don't have ipv6 compiled in? if so we could just automate it
dunno, but that's an option yep.
We could also do an autofallback like we do for admin privs + use-original-src
from ztunnel.
I don't know how easily we can reliably check if the IPv6 module is loaded.
If that cannot be done, we could also expose the Kubernetes pod IPs field to the container.
If only IPv4 addresses are specified (single-stack ipv4 cluster), we use `0.0.0.0` as the unspecified address; otherwise, we use `::`. Though, this would end up using `0.0.0.0` also for ipv4-only clusters where the ipv6 module is enabled.
from ztunnel.
Thank you all for the responses.
IMHO: A back-compat flag configurable via Helm as a pragmatic solution would definitely work for me --> no need for over-engineering if that would be necessary to get a fully automated solution. To be honest, I was searching the Helm values for such a flag, just did not find it.
from ztunnel.
Hmm, I thought I could reproduce this with `sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1` for testing/local/etc, but that does not seem to trigger the failure
from ztunnel.
@howardjohn: Looks like you are trying to disable the ipv6 network interface only. I think that when using a kernel without ipv6 you don't even have the path "net.ipv6" at all. Please try to disable the kernel module completely, e.g. via grub cmd option `ipv6.disable=1`
from ztunnel.
Yeah the bummer is if it needs kernel restart we cannot actually test it in our CI.
from ztunnel.
We already have an `enableV6` helm flag for istio-cni - we can pretty easily share that with ztunnel as well.
from ztunnel.
@bleggett: Sounds good! Probably just the actual behavior of the flag would need some clarification... Enabling is fine, but disabling would need to avoid all ipv6-functionality/calls/dependencies completely.
from ztunnel.
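The auto-fallback idea raised in the thread, as an added example (not ztunnel's code and not the change in #1163): try the `[::]` wildcard first and retry on `0.0.0.0` only when the kernel reports that the IPv6 address family is unavailable, so unrelated bind failures are never masked. The function names and the hard-coded errno value are assumptions of this example.

```rust
use std::io;
use std::net::{Ipv4Addr, Ipv6Addr, SocketAddr, TcpListener};

// Assumption: errno for "Address family not supported by protocol" on
// x86-64/arm64 Linux. socket(AF_INET6, ...) returns it when the kernel has
// no IPv6 stack (compiled out, or booted with ipv6.disable=1).
const EAFNOSUPPORT: i32 = 97;

/// True only for the "no IPv6 in this kernel" case. Other failures
/// (port in use, permission denied) must surface instead of triggering a retry.
fn should_fall_back(err: &io::Error) -> bool {
    err.raw_os_error() == Some(EAFNOSUPPORT)
}

/// Bind the wildcard address on `port`, preferring [::] and falling back to
/// 0.0.0.0 only when the IPv6 address family is unavailable.
fn bind_unspecified(port: u16) -> io::Result<TcpListener> {
    let v6 = SocketAddr::from((Ipv6Addr::UNSPECIFIED, port));
    match TcpListener::bind(v6) {
        Ok(listener) => Ok(listener),
        Err(e) if should_fall_back(&e) => {
            // Log the downgrade so operators can see which family is in use.
            eprintln!("IPv6 unavailable ({}); binding 0.0.0.0:{} instead", e, port);
            TcpListener::bind(SocketAddr::from((Ipv4Addr::UNSPECIFIED, port)))
        }
        Err(e) => Err(e),
    }
}

fn main() -> io::Result<()> {
    // Port 0 asks the kernel for a free port, so the example runs anywhere.
    let listener = bind_unspecified(0)?;
    println!("listening on {}", listener.local_addr()?);
    Ok(())
}
```

Because the check keys on the socket call itself rather than on `net.ipv6.conf.all.disable_ipv6`, it covers the kernel-level case described above, where the sysctl path may not exist at all.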