The following pull request was submitted through GitHub.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/6671

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

From 40e35f32f583f46e0a557202a433215782fedaca Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parr...@canonical.com>
Date: Mon, 6 Jan 2020 09:42:42 +0000
Subject: [PATCH 1/2] lxd/device/nic/routed: Improves IPv6 forwarding and
 proxy_ndp sysctl detection

Routed mode requires forwarding enabled for "all" interfaces to enable general 
packet forwarding. This is already enforced in liblxc but for usability is now 
detected in LXD.

Additionally, routed mode also requires proxy_ndp enabled on "all" interfaces 
as this is needed to ensure the kernel responds to unicast neighbour 
solicitations. Otherwise it rejects the request and causes the remote node to 
have to expire the neighbour cache and perform a multicast NDP solicitation, 
which causes periodic spikes in latency every 15-20s.

Fixes #6668

Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
---
 lxd/device/nic_routed.go | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/lxd/device/nic_routed.go b/lxd/device/nic_routed.go
index 44900a2683..a77eadc3d9 100644
--- a/lxd/device/nic_routed.go
+++ b/lxd/device/nic_routed.go
@@ -94,16 +94,38 @@ func (d *nicRouted) validateEnvironment() error {
 
        // Check necessary sysctls are configured for use with l2proxy parent 
for routed mode.
        if d.config["parent"] != "" && d.config["ipv6.address"] != "" {
-               ipv6FwdPath := fmt.Sprintf("net/ipv6/conf/%s/forwarding", 
d.config["parent"])
+               // net.ipv6.conf.all.forwarding=1 is required to enable general 
packet forwarding for IPv6.
+               ipv6FwdPath := fmt.Sprintf("net/ipv6/conf/%s/forwarding", "all")
                sysctlVal, err := util.SysctlGet(ipv6FwdPath)
                if err != nil {
                        return fmt.Errorf("Error reading net sysctl %s: %v", 
ipv6FwdPath, err)
                }
+               if sysctlVal != "1\n" {
+                       return fmt.Errorf("Routed mode requires sysctl 
net.ipv6.conf.%s.forwarding=1", "all")
+               }
+
+               ipv6FwdPath = fmt.Sprintf("net/ipv6/conf/%s/forwarding", 
d.config["parent"])
+               sysctlVal, err = util.SysctlGet(ipv6FwdPath)
+               if err != nil {
+                       return fmt.Errorf("Error reading net sysctl %s: %v", 
ipv6FwdPath, err)
+               }
                if sysctlVal != "1\n" {
                        return fmt.Errorf("Routed mode requires sysctl 
net.ipv6.conf.%s.forwarding=1", d.config["parent"])
                }
 
-               ipv6ProxyNdpPath := fmt.Sprintf("net/ipv6/conf/%s/proxy_ndp", 
d.config["parent"])
+               // net.ipv6.conf.all.proxy_ndp=1 is needed otherwise unicast 
neighbour solicitations are rejected.
+               // This causes periodic latency spikes every 15-20s as the 
neighbour has to resort to using
+               // multicast NDP resolution and expires the previous neighbour 
entry.
+               ipv6ProxyNdpPath := fmt.Sprintf("net/ipv6/conf/%s/proxy_ndp", 
"all")
+               sysctlVal, err = util.SysctlGet(ipv6ProxyNdpPath)
+               if err != nil {
+                       return fmt.Errorf("Error reading net sysctl %s: %v", 
ipv6ProxyNdpPath, err)
+               }
+               if sysctlVal != "1\n" {
+                       return fmt.Errorf("Routed mode requires sysctl 
net.ipv6.conf.%s.proxy_ndp=1", "all")
+               }
+
+               ipv6ProxyNdpPath = fmt.Sprintf("net/ipv6/conf/%s/proxy_ndp", 
d.config["parent"])
                sysctlVal, err = util.SysctlGet(ipv6ProxyNdpPath)
                if err != nil {
                        return fmt.Errorf("Error reading net sysctl %s: %v", 
ipv6ProxyNdpPath, err)
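
Review bot: In validateEnvironment() the added checks for "all" copy the existing per-parent read/compare/error sequence, so the same block now appears four times (forwarding and proxy_ndp, each for "all" and for d.config["parent"]). A loop over the two interface names, or a small helper that takes the sysctl path and returns the error, would keep the path that is read and the name printed in the "Routed mode requires sysctl ..." message from drifting apart. The fmt.Sprintf calls that pass the constant "all" can be plain string literals. Because each check returns on the first failure, a host missing several of these settings will see them one at a time; collecting the missing sysctls into a single error would save the user repeated attempts.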

From 15b9019398a639db731b4a016bb52a5dc63247e2 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parr...@canonical.com>
Date: Mon, 6 Jan 2020 09:45:20 +0000
Subject: [PATCH 2/2] doc/instances: Updates routed nic sysctl requirements

Fixes #6668

Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
---
 doc/instances.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/instances.md b/doc/instances.md
index 9ef017d60a..a080576ac0 100644
--- a/doc/instances.md
+++ b/doc/instances.md
@@ -415,7 +415,9 @@ net.ipv4.conf.<parent>.forwarding=1
 If using IPv6 addresses:
 
 ```
+net.ipv6.conf.all.forwarding=1
 net.ipv6.conf.<parent>.forwarding=1
+net.ipv6.conf.all.proxy_ndp=1
 net.ipv6.conf.<parent>.proxy_ndp=1
 ```
 
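Review bot: The two added lines in the IPv6 list, net.ipv6.conf.all.forwarding=1 and net.ipv6.conf.all.proxy_ndp=1, are given without saying why they are needed alongside the per-parent entries. The commit message and code comments of patch 1/2 already have the reasons (general packet forwarding, and rejected unicast neighbour solicitations causing latency spikes every 15-20s); a sentence after the block repeating them would help, since an administrator will want to know why a setting for "all" interfaces is required before applying it to the host.
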
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
