Quadlet doesn't have usable IPv6 #24580

Closed
maleadt opened this issue Nov 15, 2024 · 2 comments
Labels: kind/bug, locked - please file new issue/PR


maleadt commented Nov 15, 2024

Issue Description

I'm trying to get IPv6 connectivity working in my rootless quadlet set-up (podman 5.3, pasta, crun, on Debian 13). I only have a single network, and before doing anything else, I could see that my containers only got an IPv4 address.

Steps to reproduce the issue

I edited my network configuration to look as such:

❯ cat ~/.config/containers/systemd/web.network
[Network]
IPv6=true

Describe the results you received

My containers do get an IPv6 address, but it's not usable:

❯ podman run --network=systemd-web --rm quay.io/curl/curl:latest ip a show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if22: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether fa:f8:75:69:ed:da brd ff:ff:ff:ff:ff:ff
    inet 10.89.2.20/24 brd 10.89.2.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::f8f8:75ff:fe69:edda/64 scope link tentative
       valid_lft forever preferred_lft forever

❯ podman run --network=systemd-web --rm quay.io/curl/curl:latest curl -v -6 google.be
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Host google.be:80 was resolved.
* IPv6: 2a00:1450:400c:c07::5e
* IPv4: (none)
*   Trying [2a00:1450:400c:c07::5e]:80...
* Immediate connect fail for 2a00:1450:400c:c07::5e: Network unreachable
* Failed to connect to google.be port 80 after 0 ms: Could not connect to server
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* closing connection #0
curl: (7) Failed to connect to google.be port 80 after 0 ms: Could not connect to server

Curiously, inspecting the network still lists ipv6_enabled=false:

❯ podman network inspect systemd-web
[
     {
          "name": "systemd-web",
          "id": "d0c0147aec40409212e2f7fcac3993b42a8450b40be3e980134821e4ca3ce8aa",
          "driver": "bridge",
          "network_interface": "podman3",
          "created": "2024-11-14T16:28:44.001919442+01:00",
          "subnets": [
               {
                    "subnet": "10.89.2.0/24",
                    "gateway": "10.89.2.1"
               }
          ],
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": true,
          "ipam_options": {
               "driver": "host-local"
          },
          "containers": {
...

Describe the results you expected

And just to confirm that I do have working IPv6:

❯ podman run quay.io/curl/curl:latest ip a show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp89s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether ee:c3:43:e7:e2:a1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.10/24 brd 192.168.0.255 scope global enp89s0
       valid_lft forever preferred_lft forever
    inet6 2a02:1811:e41f:2080:1e69:7aff:feae:d694/64 scope global noprefixroute flags 102
       valid_lft forever preferred_lft forever
    inet6 fe80::ecc3:43ff:fee7:e2a1/64 scope link tentative flags 02
       valid_lft forever preferred_lft forever

❯ podman run quay.io/curl/curl:latest curl -v -6 google.be
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Host google.be:80 was resolved.
* IPv6: 2a00:1450:400c:c07::5e
* IPv4: (none)
*   Trying [2a00:1450:400c:c07::5e]:80...
* Connected to google.be (2a00:1450:400c:c07::5e) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: google.be
> User-Agent: curl/8.11.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently

podman info output

❯ podman info
host:
  arch: amd64
  buildahVersion: 1.38.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_2.1.12-3_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: unknown'
  cpuUtilization:
    idlePercent: 90.22
    systemPercent: 2.35
    userPercent: 7.43
  cpus: 8
  databaseBackend: sqlite
  distribution:
    codename: trixie
    distribution: debian
    version: unknown
  eventLogger: journald
  freeLocks: 1997
  hostname: sagittarius
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 100
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.11.5-amd64
  linkmode: dynamic
  logDriver: journald
  memFree: 22785703936
  memTotal: 33067675648
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns_1.12.2-1_amd64
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.12.2
    package: netavark_1.12.1-3_amd64
    path: /usr/lib/podman/netavark
    version: netavark 1.12.1
  ociRuntime:
    name: crun
    package: crun_1.18.2-1_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.18.2
      commit: 00ab38af875ddd0d1a8226addda52e1de18339b5
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt_0.0~git20241030.ee7d0b6-1_amd64
    version: |
      pasta 0.0~git20241030.ee7d0b6-1
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 32397848576
  swapTotal: 32397848576
  uptime: 0h 6m 1.00s
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/tim/.config/containers/storage.conf
  containerStore:
    number: 47
    paused: 0
    running: 22
    stopped: 25
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/tim/.local/share/containers/storage
  graphRootAllocated: 1966925209600
  graphRootUsed: 237299933184
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 31
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/tim/.local/share/containers/storage/volumes
version:
  APIVersion: 5.3.0
  Built: 1731599797
  BuiltTime: Thu Nov 14 16:56:37 2024
  GitCommit: ""
  GoVersion: go1.23.3
  Os: linux
  OsArch: linux/amd64
  Version: 5.3.0

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

No response

Additional information

No response

maleadt added the kind/bug label on Nov 15, 2024

Luap99 commented Nov 15, 2024

You must remove the network in order for it to recreate on the next start.

https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html#network-units-network

Luap99 closed this as not planned on Nov 15, 2024

maleadt commented Nov 15, 2024

Ah, thanks, that did the trick. I also had to do an explicit systemctl --user restart web-network, as it wasn't recreated automatically after a podman network rm.
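
A check for the situation resolved in this thread, as an added example that is not part of the original issue or of Podman's own code: it compares the IPv6= key of a Quadlet .network unit with the ipv6_enabled field from podman network inspect and, on a mismatch, returns the two commands given in the comments above. The sample inputs are constructed from the output shown in the issue, and the accepted boolean spellings are an assumption.

```python
import configparser
import json

TRUE_WORDS = {"1", "yes", "true", "on"}  # assumption: systemd-style booleans

# Constructed samples, trimmed from the output shown in the issue.
UNIT = "[Network]\nIPv6=true\n"
STALE = '[{"name": "systemd-web", "driver": "bridge", "ipv6_enabled": false}]'


def unit_wants_ipv6(unit_text):
    """Return the IPv6= value of the [Network] section (False if unset)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case: "IPv6", not "ipv6"
    cp.read_string(unit_text)
    value = cp.get("Network", "IPv6", fallback="false")
    return value.strip().lower() in TRUE_WORDS


def check_drift(unit_name, unit_text, inspect_json):
    """Compare a Quadlet .network unit with `podman network inspect` output.

    Returns (drifted, commands). An existing network is not updated when
    the unit file changes, so on drift the commands remove it and restart
    the generated <unit_name>-network service to recreate it.
    """
    net = json.loads(inspect_json)[0]
    wanted = unit_wants_ipv6(unit_text)
    actual = bool(net.get("ipv6_enabled", False))
    if wanted == actual:
        return False, []
    return True, [
        f"podman network rm {net['name']}",
        f"systemctl --user restart {unit_name}-network",
    ]


if __name__ == "__main__":
    drifted, fix = check_drift("web", UNIT, STALE)
    print("drift:", drifted)
    for cmd in fix:
        print("  " + cmd)
```
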

stale-locking-app bot added the "locked - please file new issue/PR" label on Feb 14, 2025
stale-locking-app bot locked as resolved and limited conversation to collaborators on Feb 14, 2025