Skip to content

Commit

Permalink
test: force IPv4 on Docker 26+ to fix Envoy int tests
Browse files Browse the repository at this point in the history
As of Docker Engine 26.0.0 (moby/moby#47062),
IPv6 is enabled by default where supported. This causes issues for our
tests attempting to resolve requests to other containers over
localhost, since on Linux IPv6 will be preferred over IPv4 when
available when applying the default behavior defined in RFC3484.

As a workaround, force IPv4 with a flag passed to `docker run`.
  • Loading branch information
zalimeni committed Apr 17, 2024
1 parent 08761f1 commit a27d118
Showing 1 changed file with 18 additions and 18 deletions.
36 changes: 18 additions & 18 deletions test/integration/connect/envoy/run-tests.sh
Original file line number Diff line number Diff line change
Expand Up @@ -227,7 +227,7 @@ function start_consul {
docker_kill_rm consul-${DC}-server
docker_kill_rm consul-${DC}

docker run -d --name envoy_consul-${DC}-server_1 \
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name envoy_consul-${DC}-server_1 \
--net=envoy-tests \
$WORKDIR_SNIPPET \
--hostname "consul-${DC}-server" \
Expand All @@ -240,7 +240,7 @@ function start_consul {
-client "0.0.0.0" \
-bind "0.0.0.0" >/dev/null

docker run -d --name envoy_consul-${DC}_1 \
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name envoy_consul-${DC}_1 \
--net=envoy-tests \
$WORKDIR_SNIPPET \
--hostname "consul-${DC}-client" \
Expand All @@ -258,7 +258,7 @@ function start_consul {
else
docker_kill_rm consul-${DC}

docker run -d --name envoy_consul-${DC}_1 \
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name envoy_consul-${DC}_1 \
--net=envoy-tests \
$WORKDIR_SNIPPET \
--hostname "consul-${DC}" \
Expand Down Expand Up @@ -295,7 +295,7 @@ function start_partitioned_client {
# Run consul and expose some ports to the host to make debugging locally a
# bit easier.
#
docker run -d --name envoy_consul-${PARTITION}_1 \
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name envoy_consul-${PARTITION}_1 \
--net=envoy-tests \
$WORKDIR_SNIPPET \
--hostname "consul-${PARTITION}-client" \
Expand Down Expand Up @@ -351,7 +351,7 @@ function verify {

# need to tell the PID 1 inside of the container that it won't be actual PID
# 1 because we're using --pid=host so we use TINI_SUBREAPER
if docker run --name envoy_verify-${CLUSTER}_1 -t \
if docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --name envoy_verify-${CLUSTER}_1 -t \
-e TINI_SUBREAPER=1 \
-e ENVOY_VERSION \
$WORKDIR_SNIPPET \
Expand Down Expand Up @@ -442,7 +442,7 @@ function global_setup {
}

function wipe_volumes {
docker run --rm -i \
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --rm -i \
$WORKDIR_SNIPPET \
--net=none \
"${HASHICORP_DOCKER_PROXY}/alpine" \
Expand Down Expand Up @@ -556,7 +556,7 @@ function suite_setup {
# This is a dummy container that we use to create volume and keep it
# accessible while other containers are down.
docker volume create envoy_workdir &>/dev/null
docker run -d --name envoy_workdir_1 \
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name envoy_workdir_1 \
$WORKDIR_SNIPPET \
--net=none \
k8s.gcr.io/pause &>/dev/null
Expand All @@ -567,7 +567,7 @@ function suite_setup {
retry_default docker build -t bats-verify -f Dockerfile-bats .

echo "Checking bats image..."
docker run --rm -t bats-verify -v
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --rm -t bats-verify -v

# pre-build the consul+envoy container
echo "Rebuilding 'consul-dev-envoy:${ENVOY_VERSION}' image..."
Expand Down Expand Up @@ -615,7 +615,7 @@ function common_run_container_service {
local httpPort="$3"
local grpcPort="$4"

docker run -d --name $(container_name_prev) \
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name $(container_name_prev) \
-e "FORTIO_NAME=${service}" \
$(network_snippet $CLUSTER) \
"${HASHICORP_DOCKER_PROXY}/fortio/fortio" \
Expand Down Expand Up @@ -696,7 +696,7 @@ function common_run_container_sidecar_proxy {
# despite separate containers that don't share IPC namespace. Not quite
# sure how this happens but may be due to unix socket being in some shared
# location?
docker run -d --name $(container_name_prev) \
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name $(container_name_prev) \
$WORKDIR_SNIPPET \
$(network_snippet $CLUSTER) \
$(aws_snippet) \
Expand All @@ -717,7 +717,7 @@ function run_container_s1-ap1-sidecar-proxy {
}

function run_container_s1-sidecar-proxy-consul-exec {
docker run -d --name $(container_name) \
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name $(container_name) \
$(network_snippet primary) \
consul-dev-envoy:${ENVOY_VERSION} \
consul connect envoy -sidecar-for s1 \
Expand Down Expand Up @@ -783,7 +783,7 @@ function common_run_container_gateway {
# despite separate containers that don't share IPC namespace. Not quite
# sure how this happens but may be due to unix socket being in some shared
# location?
docker run -d --name $(container_name_prev) \
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name $(container_name_prev) \
$WORKDIR_SNIPPET \
$(network_snippet $DC) \
$(aws_snippet) \
Expand Down Expand Up @@ -824,7 +824,7 @@ function run_container_fake-statsd {
# This magic SYSTEM incantation is needed since Envoy doesn't add newlines and so
# we need each packet to be passed to echo to add a new line before
# appending.
docker run -d --name $(container_name) \
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name $(container_name) \
$WORKDIR_SNIPPET \
$(network_snippet primary) \
"${HASHICORP_DOCKER_PROXY}/alpine/socat:1.7.3.4-r1" \
Expand All @@ -833,22 +833,22 @@ function run_container_fake-statsd {
}

function run_container_zipkin {
docker run -d --name $(container_name) \
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name $(container_name) \
$WORKDIR_SNIPPET \
$(network_snippet primary) \
"${HASHICORP_DOCKER_PROXY}/openzipkin/zipkin"
}

function run_container_jaeger {
docker run -d --name $(container_name) \
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name $(container_name) \
$WORKDIR_SNIPPET \
$(network_snippet primary) \
"${HASHICORP_DOCKER_PROXY}/jaegertracing/all-in-one:1.11" \
--collector.zipkin.http-port=9411
}

function run_container_test-sds-server {
docker run -d --name $(container_name) \
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name $(container_name) \
$WORKDIR_SNIPPET \
$(network_snippet primary) \
"test-sds-server"
Expand All @@ -863,7 +863,7 @@ function container_name_prev {

# This is a debugging tool. Run via './run-tests.sh debug_dump_volumes'
function debug_dump_volumes {
docker run --rm -it \
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --rm -it \
$WORKDIR_SNIPPET \
-v ./:/cwd \
--net=none \
Expand Down Expand Up @@ -891,7 +891,7 @@ function common_run_container_tcpdump {

retry_default docker build -t envoy-tcpdump -f Dockerfile-tcpdump .

docker run -d --name $(container_name_prev) \
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name $(container_name_prev) \
$(network_snippet $DC) \
-v $(pwd)/workdir/${DC}/envoy/:/data \
--privileged \
Expand Down

0 comments on commit a27d118

Please sign in to comment.