On Arch Linux, with the default lxc package (lxc 6.0.3 currently), I disabled IPv6 on a host by passing the kernel parameter ipv6.disable=1.
But, as can be seen in the lxc sources (config/init/common/lxc-net.in), some IPv6 parameters are set by default:
# IPv6 connectivity
LXC_IPV6_ADDR="fc42:5009:ba4b:5ab0::1"
LXC_IPV6_MASK="64"
LXC_IPV6_NETWORK="fc42:5009:ba4b:5ab0::/64"
LXC_IPV6_NAT="true"
This file is installed as /usr/lib/lxc/lxc-net.
Without IPv6 in the kernel, this setting makes the lxc-net service unable to start until I comment out these default lines:
janv. 05 02:03:11 myhostname lxc-net[5256]: /usr/lib/lxc/lxc-net: ligne 141: /proc/sys/net/ipv6/conf/lxcbr0/accept_dad: A>
janv. 05 02:03:11 myhostname lxc-net[5256]: /usr/lib/lxc/lxc-net: ligne 66: /proc/sys/net/ipv6/conf/all/forwarding: Aucun>
janv. 05 02:03:11 myhostname lxc-net[5256]: Failed to setup lxc-net.
janv. 05 02:03:11 myhostname systemd[1]: lxc-net.service: Main process exited, code=exited, status=1/FAILURE
If I comment out these lines it will start, but since the file is shipped in the package it will be overwritten at the next package update (tested by reinstalling it), and it will then fail to start again at the next reboot.
Worse, the fact that it doesn't launch, and therefore doesn't create the lxcbr0 bridge interface, makes nftables unable to load its rules because the interface is unavailable, exposing the whole system to security issues.
The only means I found to avoid this on a non-IPv6 system is to add to /etc/pacman.conf:
;
IgnorePkg = lxc
Is there an option to put in /etc/lxc-net to override the hardcoded values in /usr/lib/lxc/lxc-net, ignoring them and IPv6?
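The two mechanisms at play in this report, as an added example that is not part of the original post and not the LXC project's own script: lxc-net defines built-in defaults and then sources an override file that may replace them, and the failure above comes from writing IPv6 sysctls that do not exist when the kernel booted with ipv6.disable=1. The override path /etc/default/lxc-net, the variable names LXC_NET_OVERRIDE, IPV6_SYSFS and NET_SYSFS, and all function names are assumptions made for this example so the logic can be exercised offline; the default values are the ones quoted from lxc-net.in above.

```shell
#!/bin/sh
# Added example, not the poster's or the LXC project's code. It models:
# (1) lxc-net's pattern of built-in defaults that an override file replaces,
# (2) guarding the IPv6 steps when /proc/sys/net/ipv6 is absent (ipv6.disable=1),
# (3) a fail-closed precondition for firewall rules that name the bridge.
# Assumptions (not stated in the post): the override file is /etc/default/lxc-net;
# the path variables exist only so the functions can be tested offline.

LXC_NET_OVERRIDE="${LXC_NET_OVERRIDE:-/etc/default/lxc-net}"
IPV6_SYSFS="${IPV6_SYSFS:-/proc/sys/net/ipv6}"
NET_SYSFS="${NET_SYSFS:-/sys/class/net}"

# Built-in defaults first (the IPv6 values quoted from lxc-net.in in the post),
# then the override file, if present, replaces any of them.
load_lxc_net_config() {
    LXC_BRIDGE="lxcbr0"
    LXC_IPV6_ADDR="fc42:5009:ba4b:5ab0::1"
    LXC_IPV6_MASK="64"
    LXC_IPV6_NETWORK="fc42:5009:ba4b:5ab0::/64"
    LXC_IPV6_NAT="true"
    [ ! -f "$LXC_NET_OVERRIDE" ] || . "$LXC_NET_OVERRIDE"
}

# With ipv6.disable=1 the whole /proc/sys/net/ipv6 tree is absent, which is
# why the writes to accept_dad and forwarding fail in the journal above.
kernel_has_ipv6() {
    [ -d "$IPV6_SYSFS" ]
}

# Prints one word:
#   run               IPv6 is configured and the kernel supports it
#   skip-unconfigured the override emptied the IPv6 settings
#   skip-no-ipv6      configured, but the kernel has no IPv6: skip the IPv6
#                     steps instead of aborting the whole bridge setup
ipv6_setup_decision() {
    if [ -z "$LXC_IPV6_ADDR" ] && [ "$LXC_IPV6_NAT" != "true" ]; then
        echo skip-unconfigured
    elif kernel_has_ipv6; then
        echo run
    else
        echo skip-no-ipv6
    fi
}

# The bridge interface exists only once lxc-net has run successfully.
bridge_present() {
    [ -d "$NET_SYSFS/$LXC_BRIDGE" ]
}

# Prints "ok" when nftables rules referencing the bridge can be applied,
# otherwise "missing-bridge", so a firewall unit can fail closed and alert
# rather than leaving the host without its ruleset.
firewall_prereq_status() {
    if bridge_present; then echo ok; else echo missing-bridge; fi
}

main() {
    load_lxc_net_config
    echo "IPv6 step: $(ipv6_setup_decision)"
    echo "Firewall prerequisite: $(firewall_prereq_status)"
}

main
```

Run directly, the script reports whether the IPv6 branch would run on this host and whether the bridge exists for the firewall to reference. Setting LXC_IPV6_ADDR, LXC_IPV6_MASK and LXC_IPV6_NETWORK to empty strings and LXC_IPV6_NAT to "false" in the override file yields "skip-unconfigured", which is the state a host without IPv6 wants; the "skip-no-ipv6" branch shows the guard the stock script lacks, and the firewall check is what a service ordering such as "nftables after lxc-net" should verify instead of assuming the interface.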