[libvirt PATCH 0/2] Fix IPv6 network startup after removal of "dummy" tap device

After the patch that removed the dummy tap device was added (commit ee6c936fbb), IPv6 networks would no longer start due to a "failure to complete DAD". Since this wait was only necessary because of the existence of the dummy tap device (see detailed git log spelunking in Patch 1 comment), we can just remove the wait.

Laine Stump (2):
  network: don't wait for IPv6 DAD completion when starting a network
  util: remove unused virNetDevIPWaitDadFinish()

 src/libvirt_private.syms    |   1 -
 src/network/bridge_driver.c |  32 ----------
 src/util/virnetdevip.c      | 119 ------------------------------------
 src/util/virnetdevip.h      |   2 -
 4 files changed, 154 deletions(-)

--
2.26.2

0f7436ca54 added code during virtual network startup to wait for DAD (Duplicate Address Detection) to complete if there were any IPv6 addresses on the network. This wait was needed because (according to the commit log) "created problems when [the "dummy" tap device] is set to IFF_DOWN prior to DAD completing".

That commit in turn referenced commit db488c7917, which had added the code to set the dummy tap device IFF_DOWN, commenting "DAD has happened (dnsmasq waits for it)", and in its commit message pointed out that if we just got rid of the dummy tap device this wouldn't be needed.

Now that the dummy tap device has indeed been removed (commit ee6c936fbb), there is no longer any need to set it IFF_DOWN, and thus nothing requiring us to wait for DAD to complete. At any rate, with the dummy tap device removed, leaving nothing else on the bridge when it is first started, DAD never completes, leading to failure to start any IPv6 network.

So, yes, this patch removes the wait for DAD completion, and IPv6 networks can once again start, and their associated dnsmasq process starts successfully (this is the problem that the DAD wait was originally intended to fix)

Signed-off-by: Laine Stump <laine@redhat.com>
---
 src/network/bridge_driver.c | 32 --------------------------------
 1 file changed, 32 deletions(-)

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 5c00befc16..87d7acab06 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c
@@ -2286,32 +2286,6 @@ networkAddRouteToBridge(virNetworkObjPtr obj, return 0; } -static int -networkWaitDadFinish(virNetworkObjPtr obj) -{ - virNetworkDefPtr def = virNetworkObjGetDef(obj); - virNetworkIPDefPtr ipdef; - g_autofree virSocketAddrPtr *addrs = NULL; - virSocketAddrPtr addr = NULL; - size_t naddrs = 0; - int ret = -1; - - VIR_DEBUG("Begin waiting for IPv6 DAD on network %s", def->name); - - while ((ipdef = virNetworkDefGetIPByIndex(def, AF_INET6, naddrs))) { - addr = &ipdef->address; - if (VIR_APPEND_ELEMENT_COPY(addrs, naddrs, addr) < 0) - goto cleanup; - } - - ret = (naddrs == 0) ? 0 : virNetDevIPWaitDadFinish(addrs, naddrs); - - cleanup: - VIR_DEBUG("Finished waiting for IPv6 DAD on network %s with status %d", - def->name, ret); - return ret; -} - static int networkStartNetworkVirtual(virNetworkDriverStatePtr driver, @@ -2444,12 +2418,6 @@ networkStartNetworkVirtual(virNetworkDriverStatePtr driver, if (v6present && networkStartRadvd(driver, obj) < 0) goto error; - /* dnsmasq does not wait for DAD to complete before daemonizing, - * so we need to wait for it ourselves. - */ - if (v6present && networkWaitDadFinish(obj) < 0) - goto error; - if (virNetDevBandwidthSet(def->bridge, def->bandwidth, true, true) < 0) goto error; -- 2.26.2
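
Review bot: In the second hunk (@@ -2444,12 +2418,6 @@) the deleted comment gives a different reason for the wait than the commit message does. The comment says "dnsmasq does not wait for DAD to complete before daemonizing, so we need to wait for it ourselves", while the message ties the wait only to the dummy tap device being set IFF_DOWN. The message should say why the daemonizing concern no longer applies, or a short comment should stay after the networkStartRadvd() call recording that, per the commit message, DAD does not complete while nothing else is on the bridge, so that a later reader does not reintroduce the wait. The first hunk leaves virNetDevIPWaitDadFinish() without a caller in this file, which only holds together if the follow-up removal lands in the same series.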

On Fri, Sep 04, 2020 at 02:01:14PM -0400, Laine Stump wrote:
0f7436ca54 added code during virtual network startup to wait for DAD (Duplicate Address Detection) to complete if there were any IPv6 addresses on the network. This wait was needed because (according to the commit log) "created problems when [the "dummy" tap device] is set to IFF_DOWN prior to DAD completing".
That commit in turn referenced commit db488c7917, which had added the code to set the dummy tap device IFF_DOWN, commenting "DAD has happened (dnsmasq waits for it)", and in its commit message pointed out that if we just got rid of the dummy tap device this wouldn't be needed.
Now that the dummy tap device has indeed been removed (commit ee6c936fbb), there is no longer any need to set it IFF_DOWN, and thus nothing requiring us to wait for DAD to complete. At any rate, with the dummy tap device removed, leaving nothing else on the bridge when it is first started, DAD never completes, leading to failure to start any IPv6 network.
So, yes, this patch removes the wait for DAD completion, and IPv6 networks can once again start, and their associated dnsmasq process starts successfully (this is the problem that the DAD wait was originally intended to fix)
I'll note that when the virtual network first starts, the IPv6 address is shown as "global tentative" and "netstat -u" does not show any dnsmasq listening on the IPv6 address. Once I start the first guest, then it removes "tentative" state and dnsmasq is now listening on IPv6 address.

In contrast with the old patch, the "tentative" state is gone immediately and it listens on IPv6.

IIUC, the removal of "tentative" signals that DAD is complete. IOW, with our new setup DAD is not complete until the first guest runs.

This difference in behaviour doesn't seem to have any functional problem. I can start the guest, it gets IPv6 connectivity and can reach the interwebs fine.

The only nagging feeling in the back of my mind is whether the original dnsmasq problems with DAD were in fact solved by some fix in dnsmasq, and the magic kernel behaviour wrt to a bridge with no NICs is a distraction.

Anyway, I feel we can stick with this and revisit if anyone complains later.
Signed-off-by: Laine Stump <laine@redhat.com>
---
 src/network/bridge_driver.c | 32 --------------------------------
 1 file changed, 32 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 5c00befc16..87d7acab06 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -2286,32 +2286,6 @@ networkAddRouteToBridge(virNetworkObjPtr obj, return 0; }
-static int -networkWaitDadFinish(virNetworkObjPtr obj) -{ - virNetworkDefPtr def = virNetworkObjGetDef(obj); - virNetworkIPDefPtr ipdef; - g_autofree virSocketAddrPtr *addrs = NULL; - virSocketAddrPtr addr = NULL; - size_t naddrs = 0; - int ret = -1; - - VIR_DEBUG("Begin waiting for IPv6 DAD on network %s", def->name); - - while ((ipdef = virNetworkDefGetIPByIndex(def, AF_INET6, naddrs))) { - addr = &ipdef->address; - if (VIR_APPEND_ELEMENT_COPY(addrs, naddrs, addr) < 0) - goto cleanup; - } - - ret = (naddrs == 0) ? 0 : virNetDevIPWaitDadFinish(addrs, naddrs); - - cleanup: - VIR_DEBUG("Finished waiting for IPv6 DAD on network %s with status %d", - def->name, ret); - return ret; -} -
static int networkStartNetworkVirtual(virNetworkDriverStatePtr driver, @@ -2444,12 +2418,6 @@ networkStartNetworkVirtual(virNetworkDriverStatePtr driver, if (v6present && networkStartRadvd(driver, obj) < 0) goto error;
- /* dnsmasq does not wait for DAD to complete before daemonizing, - * so we need to wait for it ourselves. - */ - if (v6present && networkWaitDadFinish(obj) < 0) - goto error; - if (virNetDevBandwidthSet(def->bridge, def->bandwidth, true, true) < 0) goto error;
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
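
The "tentative" state described in the reply above can be checked per interface from text in the `/proc/net/if_inet6` format, where the flags field carries the same bit the removed netlink code tested. This is an added example, not libvirt code; the function name `count_tentative`, the macro `EX_IFA_F_TENTATIVE`, the interface name `virbr0` and both sample inputs are constructed for illustration.

```c
/* Added example, not libvirt code. Counts IPv6 addresses on one interface
 * that are still tentative (DAD not finished), from text in the
 * /proc/net/if_inet6 format:
 *   <32 hex addr> <ifindex> <prefixlen> <scope> <flags> <ifname>  (all hex) */
#include <stdio.h>
#include <string.h>

#define EX_IFA_F_TENTATIVE 0x40 /* value of IFA_F_TENTATIVE in <linux/if_addr.h> */

/* Constructed samples: virbr0 before and after the first guest attaches. */
static const char *sample_before_guest =
    "00000000" "00000000" "00000000" "00000001" " 01 80 10 80 lo\n"
    "fd000000" "00000000" "00000000" "00000001" " 05 40 00 c0 virbr0\n"
    "fe800000" "00000000" "505400ff" "fe000001" " 05 40 20 c0 virbr0\n";
static const char *sample_after_guest =
    "fd000000" "00000000" "00000000" "00000001" " 05 40 00 80 virbr0\n"
    "fe800000" "00000000" "505400ff" "fe000001" " 05 40 20 80 virbr0\n";

/* Returns the number of tentative addresses on ifname, or -1 on a bad line. */
int count_tentative(const char *text, const char *ifname)
{
    int tentative = 0;
    while (*text) {
        char line[128], addr[33], dev[17];
        unsigned int idx, plen, scope, flags;
        size_t n = strcspn(text, "\n");
        if (n >= sizeof(line))
            return -1;
        memcpy(line, text, n);
        line[n] = '\0';
        text += n + (text[n] == '\n');   /* step past the newline if present */
        if (n == 0)
            continue;
        if (sscanf(line, "%32s %x %x %x %x %16s",
                   addr, &idx, &plen, &scope, &flags, dev) != 6 ||
            strlen(addr) != 32)
            return -1;
        if (strcmp(dev, ifname) == 0 && (flags & EX_IFA_F_TENTATIVE))
            tentative++;
    }
    return tentative;
}

int main(void)
{
    printf("before=%d after=%d\n", count_tentative(sample_before_guest, "virbr0"),
           count_tentative(sample_after_guest, "virbr0"));
    return 0;
}
```
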

Since we no longer need to wait for IPv6 DAD to complete, we never call this function. Signed-off-by: Laine Stump <laine@redhat.com> --- src/libvirt_private.syms | 1 - src/util/virnetdevip.c | 119 --------------------------------------- src/util/virnetdevip.h | 2 - 3 files changed, 122 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 1272ac6506..f8cdd01797 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2633,7 +2633,6 @@ virNetDevIPRouteGetAddress; virNetDevIPRouteGetGateway; virNetDevIPRouteGetMetric; virNetDevIPRouteGetPrefix; -virNetDevIPWaitDadFinish; # util/virnetdevmacvlan.h diff --git a/src/util/virnetdevip.c b/src/util/virnetdevip.c index 1e7e64f8f3..7bd5a75f85 100644 --- a/src/util/virnetdevip.c +++ b/src/util/virnetdevip.c @@ -45,8 +45,6 @@ # include <linux/if_vlan.h> #endif -#define VIR_DAD_WAIT_TIMEOUT 20 /* seconds */ - #define VIR_FROM_THIS VIR_FROM_NONE VIR_LOG_INIT("util.netdevip"); 
@@ -372,113 +370,6 @@ virNetDevIPRouteAdd(const char *ifname, } -/* return true if there is a known address with 'tentative' flag set */ -static bool -virNetDevIPParseDadStatus(struct nlmsghdr *nlh, int len, - virSocketAddrPtr *addrs, size_t count) -{ - struct ifaddrmsg *ifaddrmsg_ptr; - unsigned int ifaddrmsg_len; - struct rtattr *rtattr_ptr; - size_t i; - struct in6_addr *addr; - - VIR_WARNINGS_NO_CAST_ALIGN - for (; NLMSG_OK(nlh, len); nlh = NLMSG_NEXT(nlh, len)) { - VIR_WARNINGS_RESET - if (NLMSG_PAYLOAD(nlh, 0) < sizeof(struct ifaddrmsg)) { - /* Message without payload is the last one. */ - break; - } - - ifaddrmsg_ptr = (struct ifaddrmsg *)NLMSG_DATA(nlh); - if (!(ifaddrmsg_ptr->ifa_flags & IFA_F_TENTATIVE)) { - /* Not tentative: we are not interested in this entry. */ - continue; - } - - ifaddrmsg_len = IFA_PAYLOAD(nlh); - VIR_WARNINGS_NO_CAST_ALIGN - rtattr_ptr = (struct rtattr *) IFA_RTA(ifaddrmsg_ptr); - for (; RTA_OK(rtattr_ptr, ifaddrmsg_len); - rtattr_ptr = RTA_NEXT(rtattr_ptr, ifaddrmsg_len)) { - VIR_WARNINGS_RESET - if (RTA_PAYLOAD(rtattr_ptr) != sizeof(struct in6_addr)) { - /* No address: ignore. */ - continue; - } - - /* We check only known addresses. */ - for (i = 0; i < count; i++) { - addr = &addrs[i]->data.inet6.sin6_addr; - if (!memcmp(addr, RTA_DATA(rtattr_ptr), - sizeof(struct in6_addr))) { - /* We found matching tentative address. */ - return true; - } - } - } - } - return false; -} - - -/* return after DAD finishes for all known IPv6 addresses or an error */ -int -virNetDevIPWaitDadFinish(virSocketAddrPtr *addrs, size_t count) -{ - struct ifaddrmsg ifa; - unsigned int recvbuflen; - bool dad = true; - time_t max_time = time(NULL) + VIR_DAD_WAIT_TIMEOUT; - g_autoptr(virNetlinkMsg) nlmsg = NULL; - - if (!(nlmsg = nlmsg_alloc_simple(RTM_GETADDR, - NLM_F_REQUEST | NLM_F_DUMP))) { - virReportOOMError(); - return -1; - } - - memset(&ifa, 0, sizeof(ifa)); - /* DAD is for IPv6 addresses only. 
*/ - ifa.ifa_family = AF_INET6; - if (nlmsg_append(nlmsg, &ifa, sizeof(ifa), NLMSG_ALIGNTO) < 0) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("allocated netlink buffer is too small")); - return -1; - } - - /* Periodically query netlink until DAD finishes on all known addresses. */ - while (dad && time(NULL) < max_time) { - g_autofree struct nlmsghdr *resp = NULL; - - if (virNetlinkCommand(nlmsg, &resp, &recvbuflen, 0, 0, - NETLINK_ROUTE, 0) < 0) - return -1; - - if (virNetlinkGetErrorCode(resp, recvbuflen) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, "%s", - _("error reading DAD state information")); - return -1; - } - - /* Parse response. */ - dad = virNetDevIPParseDadStatus(resp, recvbuflen, addrs, count); - if (dad) - g_usleep(1000 * 10); - } - /* Check timeout. */ - if (dad) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Duplicate Address Detection " - "not finished in %d seconds"), VIR_DAD_WAIT_TIMEOUT); - } else { - return 0; - } - - return -1; -} - static int virNetDevIPGetAcceptRA(const char *ifname) { @@ -798,16 +689,6 @@ virNetDevIPRouteAdd(const char *ifname, } -/* return after DAD finishes for all known IPv6 addresses or an error */ -int -virNetDevIPWaitDadFinish(virSocketAddrPtr *addrs G_GNUC_UNUSED, - size_t count G_GNUC_UNUSED) -{ - virReportSystemError(ENOSYS, "%s", - _("Unable to wait for IPv6 DAD on this platform")); - return -1; -} - bool virNetDevIPCheckIPv6Forwarding(void) { diff --git a/src/util/virnetdevip.h b/src/util/virnetdevip.h index 1fa6dd8836..faaa4f2c01 100644 --- a/src/util/virnetdevip.h +++ b/src/util/virnetdevip.h 
@@ -76,8 +76,6 @@ int virNetDevIPAddrDel(const char *ifname, ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) G_GNUC_WARN_UNUSED_RESULT; int virNetDevIPAddrGet(const char *ifname, virSocketAddrPtr addr) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) G_GNUC_WARN_UNUSED_RESULT; -int virNetDevIPWaitDadFinish(virSocketAddrPtr *addrs, size_t count) - ATTRIBUTE_NONNULL(1); bool virNetDevIPCheckIPv6Forwarding(void); void virNetDevIPAddrFree(virNetDevIPAddrPtr ip); -- 2.26.2
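
Review bot: The subject and commit message name only virNetDevIPWaitDadFinish(), but the virnetdevip.c hunk at @@ -372,113 +370,6 @@ also deletes the static helper virNetDevIPParseDadStatus(), and the @@ -45,8 +45,6 @@ hunk deletes the VIR_DAD_WAIT_TIMEOUT define. Mention both in the message so that someone looking for those names later finds the rationale here. The removal itself is consistent in the visible lines: the netlink implementation, the ENOSYS stub at @@ -798,16 +689,6 @@, the prototype in virnetdevip.h and the libvirt_private.syms entry are all dropped together.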

On a Friday in 2020, Laine Stump wrote:
After the patch that removed the dummy tap device was added (commit ee6c936fbb), IPv6 networks would no longer start due to a "failure to complete DAD". Since this wait was only necessary because of the existence of the dummy tap device (see detailed git log spelunking in Patch 1 comment), we can just remove the wait.
Laine Stump (2):
  network: don't wait for IPv6 DAD completion when starting a network
  util: remove unused virNetDevIPWaitDadFinish()

 src/libvirt_private.syms    |   1 -
 src/network/bridge_driver.c |  32 ----------
 src/util/virnetdevip.c      | 119 ------------------------------------
 src/util/virnetdevip.h      |   2 -
 4 files changed, 154 deletions(-)
Beautiful.

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano
participants (3)
- Daniel P. Berrangé
- Ján Tomko
- Laine Stump