[lxc-devel] [lxd/master] Routed NIC adds detection for proxy_ndp on all interfaces

tomponline on Github lxc-bot at linuxcontainers.org
Mon Jan 6 09:46:50 UTC 2020


From 40e35f32f583f46e0a557202a433215782fedaca Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Mon, 6 Jan 2020 09:42:42 +0000
Subject: [PATCH 1/2] lxd/device/nic/routed: Improves IPv6 forwarding and
 proxy_ndp sysctl detection

Routed mode requires forwarding enabled for "all" interfaces to enable general packet forwarding. This is already enforced in liblxc but for usability is now detected in LXD.

Additionally, routed mode also requires proxy_ndp enabled on "all" interfaces as this is needed to ensure the kernel responds to unicast neighbour solicitations. Otherwise it rejects the request and causes the remote node to have to expire the neighbour cache and perform a multicast NDP solicitation, which causes periodic spikes in latency every 15-20s.

Fixes #6668

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 lxd/device/nic_routed.go | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/lxd/device/nic_routed.go b/lxd/device/nic_routed.go
index 44900a2683..a77eadc3d9 100644
--- a/lxd/device/nic_routed.go
+++ b/lxd/device/nic_routed.go
@@ -94,16 +94,38 @@ func (d *nicRouted) validateEnvironment() error {
 
 	// Check necessary sysctls are configured for use with l2proxy parent for routed mode.
 	if d.config["parent"] != "" && d.config["ipv6.address"] != "" {
-		ipv6FwdPath := fmt.Sprintf("net/ipv6/conf/%s/forwarding", d.config["parent"])
+		// net.ipv6.conf.all.forwarding=1 is required to enable general packet forwarding for IPv6.
+		ipv6FwdPath := fmt.Sprintf("net/ipv6/conf/%s/forwarding", "all")
 		sysctlVal, err := util.SysctlGet(ipv6FwdPath)
 		if err != nil {
 			return fmt.Errorf("Error reading net sysctl %s: %v", ipv6FwdPath, err)
 		}
+		if sysctlVal != "1\n" {
+			return fmt.Errorf("Routed mode requires sysctl net.ipv6.conf.%s.forwarding=1", "all")
+		}
+
+		ipv6FwdPath = fmt.Sprintf("net/ipv6/conf/%s/forwarding", d.config["parent"])
+		sysctlVal, err = util.SysctlGet(ipv6FwdPath)
+		if err != nil {
+			return fmt.Errorf("Error reading net sysctl %s: %v", ipv6FwdPath, err)
+		}
 		if sysctlVal != "1\n" {
 			return fmt.Errorf("Routed mode requires sysctl net.ipv6.conf.%s.forwarding=1", d.config["parent"])
 		}
 
-		ipv6ProxyNdpPath := fmt.Sprintf("net/ipv6/conf/%s/proxy_ndp", d.config["parent"])
+		// net.ipv6.conf.all.proxy_ndp=1 is needed otherwise unicast neighbour solicitations are rejected.
+		// This causes periodic latency spikes every 15-20s as the neighbour has to resort to using
+		// multicast NDP resolution and expires the previous neighbour entry.
+		ipv6ProxyNdpPath := fmt.Sprintf("net/ipv6/conf/%s/proxy_ndp", "all")
+		sysctlVal, err = util.SysctlGet(ipv6ProxyNdpPath)
+		if err != nil {
+			return fmt.Errorf("Error reading net sysctl %s: %v", ipv6ProxyNdpPath, err)
+		}
+		if sysctlVal != "1\n" {
+			return fmt.Errorf("Routed mode requires sysctl net.ipv6.conf.%s.proxy_ndp=1", "all")
+		}
+
+		ipv6ProxyNdpPath = fmt.Sprintf("net/ipv6/conf/%s/proxy_ndp", d.config["parent"])
 		sysctlVal, err = util.SysctlGet(ipv6ProxyNdpPath)
 		if err != nil {
 			return fmt.Errorf("Error reading net sysctl %s: %v", ipv6ProxyNdpPath, err)
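Review bot: the four sysctl checks in this hunk (all/forwarding, parent/forwarding, all/proxy_ndp, parent/proxy_ndp) are copy-pasted blocks that differ only in the path and the interface name in the error message; a small table of (interface, sysctl) pairs iterated in a loop would make it harder for a future edit to update one branch and miss another. Two smaller points on the same lines: `fmt.Sprintf("net/ipv6/conf/%s/forwarding", "all")` and the matching `Errorf(..., "all")` just interpolate a constant and could be plain literals, and `sysctlVal != "1\n"` ties correctness to SysctlGet returning a trailing newline, so comparing `strings.TrimSpace(sysctlVal) != "1"` would be more robust if that helper ever changes. The pre-existing per-parent checks are kept as-is, so the detection remains limited to the `parent`+`ipv6.address` case guarded on the first context line, which matches the commit message.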

From 15b9019398a639db731b4a016bb52a5dc63247e2 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Mon, 6 Jan 2020 09:45:20 +0000
Subject: [PATCH 2/2] doc/instances: Updates routed nic sysctl requirements

Fixes #6668

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 doc/instances.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/instances.md b/doc/instances.md
index 9ef017d60a..a080576ac0 100644
--- a/doc/instances.md
+++ b/doc/instances.md
@@ -415,7 +415,9 @@ net.ipv4.conf.<parent>.forwarding=1
 If using IPv6 addresses:
 
 ```
+net.ipv6.conf.all.forwarding=1
 net.ipv6.conf.<parent>.forwarding=1
+net.ipv6.conf.all.proxy_ndp=1
 net.ipv6.conf.<parent>.proxy_ndp=1
 ```
 
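Review bot: the two added lines list the new `all` sysctls but give the reader no hint why they are required alongside the per-parent ones; a one-line remark after the block (that `all.forwarding` enables general IPv6 forwarding and `all.proxy_ndp` is needed so the kernel answers unicast neighbour solicitations, avoiding the periodic latency spikes described in the commit message) would let operators understand what they are enabling rather than copying the block blindly, and would match the explanation LXD now returns in its validation error.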