Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nginx: also listen on ipv6 #34

Merged
merged 1 commit into from
Dec 21, 2016
Merged

nginx: also listen on ipv6 #34

merged 1 commit into from
Dec 21, 2016

Conversation

euank
Copy link
Contributor

@euank euank commented Nov 28, 2016
edited
Loading

This allows a brave user to run this in host networking mode and support
ipv6.

  • - Manual testing

I've been running a very similar patch against the contrib version with no trouble for a while.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Nov 28, 2016
@bprashanth
Copy link
Contributor

Don't see why not, defer to Manuel. Do we really need all 4 listen directives?

@coveralls
Copy link

Coverage Status

Coverage remained the same at 40.231% when pulling 73a4ec4e5b6332e19a8e3b18e5afe5c2b3654c50 on euank:nginx-ipv6ish into d1fb96a on kubernetes:master.

@aledbf
Copy link
Member

aledbf commented Nov 28, 2016

@euank what happens if the ipv6 is not enabled?

can you test what happens if only listen [::]:80 and listen [::]:443 exists?
(no listen 80 and listen 443 sections because is not clear from the nginx docs)

@euank
Copy link
Contributor Author

euank commented Nov 28, 2016
edited
Loading

@aledbf I don't have a kernel without CONFIG_IPV6 handy, but even if ipv6 is turned off via --ipv6=false on dockerd + the net.ipv6...disable_ipv6 sysctls, docker containers still get a linklocal ipv6 address to listen on and everything should work fine. (edit, forgot I'm running this in --net=host where the previous don't apply, I'll experiment)

When I had only listen [::]:80, I expected it to listen on both based on my reading of the docs, but experimentally it didn't, only listening on ipv6

@bprashanth
Copy link
Contributor

I think Manuel was asking to verify that this isn't required https://codinginthetrenches.com/2013/12/14/nginx-ipv6only-setting-gotcha/

@k8s-oncall
Copy link

This change is Reviewable

@euank
Copy link
Contributor Author

euank commented Nov 29, 2016

With both (as it is now), I don't think I need that setting. I'll see if ipv6only=off lets me get away with only one listen though. Thanks for the pointer!

I'll do some testing today or tomorrow and report back

@aledbf
Copy link
Member

aledbf commented Nov 29, 2016

@euank if using ipv6only=off works please add that flag here

@euank euank changed the title nginx: also listen on ivp6 nginx: also listen on ipv6 Dec 5, 2016
@aledbf
Copy link
Member

aledbf commented Dec 12, 2016

@euank any update on this?

@euank
nginx: also listen on ivp6
8fe1efe 
This allows a brave user to run this in host networking mode and support
ipv6.
@euank
Copy link
Contributor Author

euank commented Dec 12, 2016

Thanks for the ping, I just now got back to this. I ended up hitting a couple unrelated snags with my test cluster which slowed this down.

There were a couple things that made it more complicated, namely that you can only have one ipv6only per port (and there are many listen 80 directives, so there had to be something extra for that).

I've manually tested that the current commit (image euank/nginx-ingress-controller:8fe1efe) works on my test cluster of CoreOS machines using my hostNetwork ingress daemonset.

When using that, doing a curl of its ipv4 or ipv6 address returns the default backend, and adding -H "Host: $service" for my services works as expected for both ips as well.

One thing to note, however, is that logs produced by nginx change slightly.

A line that before might read 1.2.3.4 service [1.2.3.4 443 - [12/Dec/2016:18:04:59 +0000] "GET / .... now reads as ::ffff:1.2.3.4 - [::ffff:1.2.3.4] - - [12/Dec/2016:18:04:59 +0000] "GET / ...

I mention that only because if you know of people doing log ingestion/parsing, this could impact them.

@coveralls
Copy link

Coverage Status

Coverage remained the same at 39.753% when pulling 8fe1efe on euank:nginx-ipv6ish into 6262aa8 on kubernetes:master.

@aledbf
Copy link
Member

aledbf commented Dec 21, 2016

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 21, 2016
@aledbf aledbf merged commit f0762ba into kubernetes:master Dec 21, 2016
@euank euank deleted the nginx-ipv6ish branch December 22, 2016 02:58
@euank euank mentioned this pull request Jan 18, 2017
Closed
@databus23 databus23 mentioned this pull request Mar 3, 2017
Closed
@justjanne justjanne mentioned this pull request May 24, 2017
Closed
This was referenced Feb 15, 2019
Closed
Closed
@erulabs erulabs mentioned this pull request Apr 9, 2019
Closed
haoqing0110 referenced this pull request in stolostron/management-ingress Mar 5, 2021
@rashmi43
Make identity provider https (#34)
3d8a79a 
* Update oidc.lua

* Update oidc.lua

* Update .travis.yml

* Update .travis.yml

* Update oidc.lua

* Update .travis.yml

* Update Dockerfile

* Update .travis.yml

* Update Dockerfile

* Update .travis.yml

* Update Dockerfile
haoqing0110 referenced this pull request in stolostron/management-ingress Mar 5, 2021
@clyang82
Add go.mod for downstream workaround (#34)
ac69708
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@aledbf aledbf

Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@euank @bprashanth @coveralls @aledbf @k8s-oncall @k8s-ci-robot