test: force IPv4 on Docker 26+ to fix Envoy int tests

As of Docker Engine 26.0.0 (https://github.com/moby/moby/pull/47062), IPv6 is enabled by default where supported. This causes issues for our tests attempting to resolve requests to other containers over localhost, since on Linux IPv6 will be preferred over IPv4 when available when applying the default behavior defined in RFC3484. As a workaround, force IPv4 with a flag passed to `docker run`.
7 months ago · a27d118408
parent 08761f16c8
commit a27d118408
1 changed files with 18 additions and 18 deletions
--- a/test/integration/connect/envoy/run-tests.sh
+++ b/test/integration/connect/envoy/run-tests.sh
@ -227,7 +227,7 @@ function start_consul {
    docker_kill_rm consul-${DC}-server
    docker_kill_rm consul-${DC}

-    docker run -d --name envoy_consul-${DC}-server_1 \
+    docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name envoy_consul-${DC}-server_1 \
      --net=envoy-tests \
      $WORKDIR_SNIPPET \
      --hostname "consul-${DC}-server" \
@ -240,7 +240,7 @@ function start_consul {
      -client "0.0.0.0" \
      -bind "0.0.0.0" >/dev/null

-    docker run -d --name envoy_consul-${DC}_1 \
+    docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name envoy_consul-${DC}_1 \
      --net=envoy-tests \
      $WORKDIR_SNIPPET \
      --hostname "consul-${DC}-client" \
@ -258,7 +258,7 @@ function start_consul {
  else
    docker_kill_rm consul-${DC}

-    docker run -d --name envoy_consul-${DC}_1 \
+    docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name envoy_consul-${DC}_1 \
      --net=envoy-tests \
      $WORKDIR_SNIPPET \
      --hostname "consul-${DC}" \
@ -295,7 +295,7 @@ function start_partitioned_client {
  # Run consul and expose some ports to the host to make debugging locally a
  # bit easier.
  #
-  docker run -d --name envoy_consul-${PARTITION}_1 \
+  docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name envoy_consul-${PARTITION}_1 \
    --net=envoy-tests \
    $WORKDIR_SNIPPET \
    --hostname "consul-${PARTITION}-client" \
@ -351,7 +351,7 @@ function verify {

  # need to tell the PID 1 inside of the container that it won't be actual PID
  # 1 because we're using --pid=host so we use TINI_SUBREAPER
-  if docker run --name envoy_verify-${CLUSTER}_1 -t \
+  if docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --name envoy_verify-${CLUSTER}_1 -t \
    -e TINI_SUBREAPER=1 \
    -e ENVOY_VERSION \
    $WORKDIR_SNIPPET \
@ -442,7 +442,7 @@ function global_setup {
 }

 function wipe_volumes {
-  docker run --rm -i \
+  docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --rm -i \
    $WORKDIR_SNIPPET \
    --net=none \
    "${HASHICORP_DOCKER_PROXY}/alpine" \
@ -556,7 +556,7 @@ function suite_setup {
    # This is a dummy container that we use to create volume and keep it
    # accessible while other containers are down.
    docker volume create envoy_workdir &>/dev/null
-    docker run -d --name envoy_workdir_1 \
+    docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name envoy_workdir_1 \
        $WORKDIR_SNIPPET \
        --net=none \
        k8s.gcr.io/pause &>/dev/null
@ -567,7 +567,7 @@ function suite_setup {
    retry_default docker build -t bats-verify -f Dockerfile-bats .

    echo "Checking bats image..."
-    docker run --rm -t bats-verify -v
+    docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --rm -t bats-verify -v

    # pre-build the consul+envoy container
    echo "Rebuilding 'consul-dev-envoy:${ENVOY_VERSION}' image..."
@ -615,7 +615,7 @@ function common_run_container_service {
  local httpPort="$3"
  local grpcPort="$4"

-  docker run -d --name $(container_name_prev) \
+  docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name $(container_name_prev) \
    -e "FORTIO_NAME=${service}" \
    $(network_snippet $CLUSTER) \
    "${HASHICORP_DOCKER_PROXY}/fortio/fortio" \
@ -696,7 +696,7 @@ function common_run_container_sidecar_proxy {
  # despite separate containers that don't share IPC namespace. Not quite
  # sure how this happens but may be due to unix socket being in some shared
  # location?
-  docker run -d --name $(container_name_prev) \
+  docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name $(container_name_prev) \
    $WORKDIR_SNIPPET \
    $(network_snippet $CLUSTER) \
    $(aws_snippet) \
@ -717,7 +717,7 @@ function run_container_s1-ap1-sidecar-proxy {
 }

 function run_container_s1-sidecar-proxy-consul-exec {
-  docker run -d --name $(container_name) \
+  docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name $(container_name) \
    $(network_snippet primary) \
    consul-dev-envoy:${ENVOY_VERSION} \
    consul connect envoy -sidecar-for s1 \
@ -783,7 +783,7 @@ function common_run_container_gateway {
  # despite separate containers that don't share IPC namespace. Not quite
  # sure how this happens but may be due to unix socket being in some shared
  # location?
-  docker run -d --name $(container_name_prev) \
+  docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name $(container_name_prev) \
    $WORKDIR_SNIPPET \
    $(network_snippet $DC) \
    $(aws_snippet) \
@ -824,7 +824,7 @@ function run_container_fake-statsd {
  # This magic SYSTEM incantation is needed since Envoy doesn't add newlines and so
  # we need each packet to be passed to echo to add a new line before
  # appending.
-  docker run -d --name $(container_name) \
+  docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name $(container_name) \
    $WORKDIR_SNIPPET \
    $(network_snippet primary) \
    "${HASHICORP_DOCKER_PROXY}/alpine/socat:1.7.3.4-r1" \
@ -833,14 +833,14 @@ function run_container_fake-statsd {
 }

 function run_container_zipkin {
-  docker run -d --name $(container_name) \
+  docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name $(container_name) \
    $WORKDIR_SNIPPET \
    $(network_snippet primary) \
    "${HASHICORP_DOCKER_PROXY}/openzipkin/zipkin"
 }

 function run_container_jaeger {
-  docker run -d --name $(container_name) \
+  docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name $(container_name) \
    $WORKDIR_SNIPPET \
    $(network_snippet primary) \
    "${HASHICORP_DOCKER_PROXY}/jaegertracing/all-in-one:1.11" \
@ -848,7 +848,7 @@ function run_container_jaeger {
 }

 function run_container_test-sds-server {
-  docker run -d --name $(container_name) \
+  docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name $(container_name) \
    $WORKDIR_SNIPPET \
    $(network_snippet primary) \
    "test-sds-server"
@ -863,7 +863,7 @@ function container_name_prev {

 # This is a debugging tool. Run via './run-tests.sh debug_dump_volumes'
 function debug_dump_volumes {
-  docker run --rm -it \
+  docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --rm -it \
    $WORKDIR_SNIPPET \
    -v ./:/cwd \
    --net=none \
@ -891,7 +891,7 @@ function common_run_container_tcpdump {

    retry_default docker build -t envoy-tcpdump -f Dockerfile-tcpdump .

-    docker run -d --name $(container_name_prev) \
+    docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 -d --name $(container_name_prev) \
        $(network_snippet $DC) \
        -v $(pwd)/workdir/${DC}/envoy/:/data \
        --privileged \