cni-server: fix failure in ipv6/dual clusters running in docker

Signed-off-by: zhangzujian <zhangzujian.7@gmail.com>
kubeovn · Aug 19, 2024 · d56865b · d56865b
1 parent 786eb0a
commit d56865b
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 16 deletions.
diff --git a/charts/kube-ovn/templates/ovncni-ds.yaml b/charts/kube-ovn/templates/ovncni-ds.yaml
@@ -83,14 +83,7 @@ spec:
           - --secure-serving={{- .Values.func.SECURE_SERVING }}
         securityContext:
           runAsUser: 0
-          privileged: false
-          capabilities:
-            add:
-              - NET_ADMIN
-              - NET_BIND_SERVICE
-              - NET_RAW
-              - SYS_ADMIN
-              - CAP_SYS_PTRACE
+          privileged: true
         env:
           - name: ENABLE_SSL
             value: "{{ .Values.networking.ENABLE_SSL }}"

diff --git a/dist/images/install.sh b/dist/images/install.sh
@@ -4268,14 +4268,7 @@ spec:
           - --secure-serving=${SECURE_SERVING}
         securityContext:
           runAsUser: 0
-          privileged: false
-          capabilities:
-            add:
-              - NET_ADMIN
-              - NET_BIND_SERVICE
-              - NET_RAW
-              - SYS_ADMIN
-              - CAP_SYS_PTRACE
+          privileged: true
         env:
           - name: ENABLE_SSL
             value: "$ENABLE_SSL"

diff --git a/pkg/daemon/ovs_linux.go b/pkg/daemon/ovs_linux.go
@@ -17,6 +17,7 @@ import (
 	"time"
 
 	"github.com/containernetworking/plugins/pkg/ns"
+	"github.com/containernetworking/plugins/pkg/utils/sysctl"
 	"github.com/k8snetworkplumbingwg/sriovnet"
 	sriovutilfs "github.com/k8snetworkplumbingwg/sriovnet/pkg/utils/filesystem"
 	"github.com/vishvananda/netlink"
@@ -236,6 +237,21 @@ func configureContainerNic(nicName, ifName, ipAddr, gateway string, isDefaultRou
 			}
 		}
 
+		if util.CheckProtocol(ipAddr) == kubeovnv1.ProtocolDual || util.CheckProtocol(ipAddr) == kubeovnv1.ProtocolIPv6 {
+			// For docker version >=17.x the "none" network will disable ipv6 by default.
+			// We have to enable ipv6 here to add v6 address and gateway.
+			// See https://github.com/containernetworking/cni/issues/531
+			value, err := sysctl.Sysctl("net.ipv6.conf.all.disable_ipv6")
+			if err != nil {
+				return fmt.Errorf("failed to get sysctl net.ipv6.conf.all.disable_ipv6: %v", err)
+			}
+			if value != "0" {
+				if _, err = sysctl.Sysctl("net.ipv6.conf.all.disable_ipv6", "0"); err != nil {
+					return fmt.Errorf("failed to enable ipv6 on all nic: %v", err)
+				}
+			}
+		}
+
 		if nicType == util.InternalType {
 			if err = addAdditionalNic(ifName); err != nil {
 				return err