From d56865b703f1457e227c7dfe0955dd161260ffb0 Mon Sep 17 00:00:00 2001 From: zhangzujian Date: Mon, 19 Aug 2024 07:04:42 +0000 Subject: [PATCH] cni-server: fix failure in ipv6/dual clusters running in docker Signed-off-by: zhangzujian --- charts/kube-ovn/templates/ovncni-ds.yaml | 9 +-------- dist/images/install.sh | 9 +-------- pkg/daemon/ovs_linux.go | 16 ++++++++++++++++ 3 files changed, 18 insertions(+), 16 deletions(-) diff --git a/charts/kube-ovn/templates/ovncni-ds.yaml b/charts/kube-ovn/templates/ovncni-ds.yaml index dc7a6cf3c1f..616ace69599 100644 --- a/charts/kube-ovn/templates/ovncni-ds.yaml +++ b/charts/kube-ovn/templates/ovncni-ds.yaml @@ -83,14 +83,7 @@ spec: - --secure-serving={{- .Values.func.SECURE_SERVING }} securityContext: runAsUser: 0 - privileged: false - capabilities: - add: - - NET_ADMIN - - NET_BIND_SERVICE - - NET_RAW - - SYS_ADMIN - - CAP_SYS_PTRACE + privileged: true env: - name: ENABLE_SSL value: "{{ .Values.networking.ENABLE_SSL }}" diff --git a/dist/images/install.sh b/dist/images/install.sh index 89855274f95..44b1e464dc5 100755 --- a/dist/images/install.sh +++ b/dist/images/install.sh @@ -4268,14 +4268,7 @@ spec: - --secure-serving=${SECURE_SERVING} securityContext: runAsUser: 0 - privileged: false - capabilities: - add: - - NET_ADMIN - - NET_BIND_SERVICE - - NET_RAW - - SYS_ADMIN - - CAP_SYS_PTRACE + privileged: true env: - name: ENABLE_SSL value: "$ENABLE_SSL" diff --git a/pkg/daemon/ovs_linux.go b/pkg/daemon/ovs_linux.go index 37c93e0c2da..a4eab057b92 100644 --- a/pkg/daemon/ovs_linux.go +++ b/pkg/daemon/ovs_linux.go @@ -17,6 +17,7 @@ import ( "time" "github.com/containernetworking/plugins/pkg/ns" + "github.com/containernetworking/plugins/pkg/utils/sysctl" "github.com/k8snetworkplumbingwg/sriovnet" sriovutilfs "github.com/k8snetworkplumbingwg/sriovnet/pkg/utils/filesystem" "github.com/vishvananda/netlink" 
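Review bot: Setting `privileged: true` on the cni-server container in charts/kube-ovn/templates/ovncni-ds.yaml replaces a five-entry capability list with every capability and host device access, typically without the default seccomp/AppArmor confinement, and the manifest carries no comment saying why. The same change is made to the DaemonSet embedded in dist/images/install.sh. The reason is presumably the new sysctl write in pkg/daemon/ovs_linux.go, since /proc/sys is normally mounted read-only in a non-privileged container. If so, say it next to the field, for example `# privileged: cni-server writes net.ipv6.conf.all.disable_ipv6 for IPv6/dual-stack pods`. Clusters that enforce Pod Security admission on this namespace will need the privileged level, which is worth a line in the release notes.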
@@ -236,6 +237,21 @@ func configureContainerNic(nicName, ifName, ipAddr, gateway string, isDefaultRou } } + if util.CheckProtocol(ipAddr) == kubeovnv1.ProtocolDual || util.CheckProtocol(ipAddr) == kubeovnv1.ProtocolIPv6 { + // For docker version >=17.x the "none" network will disable ipv6 by default. + // We have to enable ipv6 here to add v6 address and gateway. + // See https://github.com/containernetworking/cni/issues/531 + value, err := sysctl.Sysctl("net.ipv6.conf.all.disable_ipv6") + if err != nil { + return fmt.Errorf("failed to get sysctl net.ipv6.conf.all.disable_ipv6: %v", err) + } + if value != "0" { + if _, err = sysctl.Sysctl("net.ipv6.conf.all.disable_ipv6", "0"); err != nil { + return fmt.Errorf("failed to enable ipv6 on all nic: %v", err) + } + } + } + if nicType == util.InternalType { if err = addAdditionalNic(ifName); err != nil { return err
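Review bot: The write to `net.ipv6.conf.all.disable_ipv6` affects every interface in whichever network namespace the calling thread is in, and nothing in this hunk shows which namespace that is; configureContainerNic starts and ends outside the hunk. If the block is only reached inside the pod's netns, state that above it, e.g. `// Must run inside the pod netns: this flips disable_ipv6 for all interfaces in the current namespace.`; if it can run anywhere else, it would alter the node's own IPv6 setting. Both new errors are formatted with `%v`, which drops the error chain; `%w` keeps it, as in `fmt.Errorf("failed to get sysctl net.ipv6.conf.all.disable_ipv6: %w", err)`. `util.CheckProtocol(ipAddr)` is also evaluated twice in the condition and could be stored in a local first.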