How to disable SLAAC on the container?

The setup that I work with has a bunch of LXC containers on various hosts; the containers have static IPv6 addresses configured via the LXC config file (lxc.net.0.ipv6.address). The goal is to only have the static IPv6 address on the interfaces. However, the gateway on the network provides Router Advertisements, and the containers pick them up and configure a SLAAC IPv6 address alongside the static address.

I’ve tried a few options but the results are mixed.

  1. I’ve tried setting the following parameters for a container either via LXC config (prefixing it with lxc.sysctl.) or via adding it to /etc/sysctl.conf:
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.default.autoconf=0

net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.all.autoconf=0

The variables in the container are set correctly; however, the corresponding variables for the interfaces are still set to 1 and the container configures an IP via SLAAC based on RA.

Afterwards based on this I tried setting up default parameters from above on the host expecting the parameter to propagate to the interfaces created in the container. That was not the case.

It appears that the default setting does not make a difference in this case because the default value is based on the value of forwarding according to this. Indeed setting IPv6 forwarding to 1 disabled RA and SLAAC IP was not generated. I’d like to understand the logic behind that dependency but perhaps I’m getting sidetracked a bit.

Finally I looked in the direction of Network Manager; it is only present on the host and not on the container. Initially I thought I would set ipv6.method manual on the host peer veth interface, but that interface does not have this parameter. And for the corresponding bridge the value is already set to manual and the host works as expected; it does not autoconfigure a SLAAC IP address. So this was also a dead end.

What works is setting the parameter directly for the interface in question, e.g. net.ipv6.conf.${INTERFACE_NAME}.accept_ra=0, either via LXC config or via sysctl.conf in the container. However, this approach does not scale as well, since one needs to tweak the configuration generation process to account for different interface names on different containers. And overall I’d like to understand what’s wrong with the approach described above.

The tests are conducted on Rocky 8.9 with lxc-5.0.0-1.el8.x86_64
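
The per-interface setting described in the post can be generated from each container's config and then verified per interface, instead of being written by hand. This is an added example, not part of the original post; it assumes every lxc.net.N section sets lxc.net.N.name, and the sample config and sysctl tree it builds are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes every lxc.net.N section
# sets lxc.net.N.name. The sample config and sysctl tree below are constructed.

# Print per-interface lxc.sysctl lines for each interface named in an LXC config.
gen_ra_sysctls() {   # $1 = path to the container's LXC config
    sed -n 's/^[[:space:]]*lxc\.net\.[0-9][0-9]*\.name[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" |
    sort -u |
    while read -r ifname; do
        printf 'lxc.sysctl.net.ipv6.conf.%s.accept_ra = 0\n' "$ifname"
        printf 'lxc.sysctl.net.ipv6.conf.%s.autoconf = 0\n' "$ifname"
    done
}

# List interfaces whose own accept_ra/autoconf is still non-zero, whatever
# "all" and "default" say. $1 = sysctl tree (default: the live one).
audit_ra() {
    root=${1:-/proc/sys/net/ipv6/conf}
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        ifname=$(basename "$dir")
        case $ifname in all|default|lo) continue ;; esac
        ra=$(cat "$dir/accept_ra" 2>/dev/null || echo '?')
        ac=$(cat "$dir/autoconf" 2>/dev/null || echo '?')
        if [ "$ra" != 0 ] || [ "$ac" != 0 ]; then
            printf '%s accept_ra=%s autoconf=%s\n' "$ifname" "$ra" "$ac"
        fi
    done
}

# Constructed sample: two named interfaces; eth0 still accepts RAs even though
# all/default are 0, which is the state described in the post.
make_sample() {      # $1 = empty scratch directory
    printf '%s\n' 'lxc.net.0.type = veth' 'lxc.net.0.name = eth0' \
        'lxc.net.0.ipv6.address = 2001:db8::10/64' \
        'lxc.net.1.type = veth' 'lxc.net.1.name = mgmt0' > "$1/config"
    for i in all default eth0 mgmt0; do
        mkdir -p "$1/conf/$i"
        echo 0 > "$1/conf/$i/accept_ra"; echo 0 > "$1/conf/$i/autoconf"
    done
    echo 1 > "$1/conf/eth0/accept_ra"; echo 1 > "$1/conf/eth0/autoconf"
}

tmp=$(mktemp -d)
make_sample "$tmp"
gen_ra_sysctls "$tmp/config"
audit_ra "$tmp/conf"
rm -rf "$tmp"
```

Run `audit_ra` with no argument inside a container to check the live interfaces; empty output means no interface other than lo still has accept_ra or autoconf enabled.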