kubernetes
diff --git a/‎cmd/minikube/cmd/start_flags.go‎
Lines changed: 12 additions & 3 deletions b/‎cmd/minikube/cmd/start_flags.go‎
Lines changed: 12 additions & 3 deletions
diff --git a/‎pkg/drivers/kic/oci/network.go‎
Lines changed: 61 additions & 20 deletions b/‎pkg/drivers/kic/oci/network.go‎
Lines changed: 61 additions & 20 deletions
diff --git a/‎pkg/drivers/kic/oci/network_create.go‎
Lines changed: 146 additions & 53 deletions b/‎pkg/drivers/kic/oci/network_create.go‎
Lines changed: 146 additions & 53 deletions
diff --git a/‎pkg/drivers/kic/oci/oci.go‎
Lines changed: 19 additions & 3 deletions b/‎pkg/drivers/kic/oci/oci.go‎
Lines changed: 19 additions & 3 deletions
diff --git a/‎pkg/minikube/bootstrapper/bsutil/ktmpl/v1beta1.go‎
Lines changed: 2 additions & 0 deletions b/‎pkg/minikube/bootstrapper/bsutil/ktmpl/v1beta1.go‎
Lines changed: 2 additions & 0 deletions
@@ -565,11 +565,20 @@ func normalizeAndValidateIPFamily(cc *config.ClusterConfig) {
     }
 
     if s := cc.KubernetesConfig.PodCIDRv6; s != "" {
-    	if _, _, err := net.ParseCIDR(s); err != nil {
-       		exit.Message(reason.Usage, "--pod-cidr-v6 must be a valid IPv6 CIDR: {{.e}}", out.V{"e": err})
-    	}
+        if _, _, err := net.ParseCIDR(s); err != nil {
+                exit.Message(reason.Usage, "--pod-cidr-v6 must be a valid IPv6 CIDR: {{.e}}", out.V{"e": err})
+        }
     }
 
+    // validate static IPv6 if provided
+    if s := cc.StaticIPv6; s != "" {
+        ip := net.ParseIP(s)
+        if ip == nil || ip.To4() != nil {
+            exit.Message(reason.Usage, "--static-ipv6 must be a valid IPv6 address")
+        }
+    }
+
+
     // Docker driver guardrails: Linux daemon + IPv6 must be enabled
     if driver.IsDocker(cc.Driver) && fam != "ipv4" {
 	// Desktop vs Linux daemon hint (we can't reliably detect IPv6 enabled here)
 
@@ -88,13 +88,39 @@ func RoutableHostIPFromInside(ociBin string, clusterName string, containerName s
 // digDNS will get the IP record for a dns
 func digDNS(ociBin, containerName, dns string) (net.IP, error) {
 	rr, err := runCmd(exec.Command(ociBin, "exec", "-t", containerName, "dig", "+short", dns))
-	ip := net.ParseIP(strings.TrimSpace(rr.Stdout.String()))
-	if err != nil {
-		return ip, errors.Wrapf(err, "resolve dns to ip")
-	}
-
-	klog.Infof("got host ip for mount in container by digging dns: %s", ip.String())
-	return ip, nil
+        if err != nil {
+                // still try to parse whatever output we got
+                klog.Infof("dig returned error, attempting to parse output anyway: %v", err)
+        }
+        out := strings.TrimSpace(rr.Stdout.String())
+        if out == "" {
+                return nil, errors.Wrapf(err, "resolve dns to ip")
+        }
+        // Parse line-by-line. On non-Linux (Docker Desktop), prefer IPv4 for better routability.
+        var firstIP net.IP
+        for _, line := range strings.Split(out, "\n") {
+                s := strings.TrimSpace(line)
+                if s == "" {
+                        continue
+                }
+                ip := net.ParseIP(s)
+                if ip == nil {
+                        continue
+                }
+                if runtime.GOOS != "linux" && ip.To4() == nil {
+                        // Prefer IPv4 on Desktop; keep looking for an A record
+                        if firstIP == nil { firstIP = ip }
+                        continue
+                }
+                klog.Infof("got host ip for mount in container by digging dns: %s", ip.String())
+                return ip, nil
+        }
+        // Fallback: return first valid IP if only AAAA answers were present
+        if firstIP != nil {
+                klog.Infof("got host ip for mount in container by digging dns (first match): %s", firstIP.String())
+                return firstIP, nil
+        }
+        return nil, errors.New("no A/AAAA answers returned by dig")
 }
 
 // gatewayIP inspects oci container to find a gateway IP string
@@ -104,8 +130,16 @@ func gatewayIP(ociBin, containerName string) (string, error) {
 		return "", errors.Wrapf(err, "inspect gateway")
 	}
 	if gatewayIP := strings.TrimSpace(rr.Stdout.String()); gatewayIP != "" {
-		return gatewayIP, nil
-	}
+                return gatewayIP, nil
+        }
+
+	// Fallback to IPv6 gateway (needed for IPv6-only / dual-stack)
+        rr6, err6 := runCmd(exec.Command(ociBin, "container", "inspect", "--format", "{{.NetworkSettings.IPv6Gateway}}", containerName))
+        if err6 == nil {
+                if gatewayIP6 := strings.TrimSpace(rr6.Stdout.String()); gatewayIP6 != "" {
+                        return gatewayIP6, nil
+                }
+        }
 
 	// https://github.com/kubernetes/minikube/issues/11293
 	// need to check nested network
@@ -126,16 +160,24 @@ func gatewayIP(ociBin, containerName string) (string, error) {
 }
 
 func networkGateway(ociBin, container, network string) (string, error) {
-	format := fmt.Sprintf(`
-{{ if index .NetworkSettings.Networks %q}} 
-	{{(index .NetworkSettings.Networks %q).Gateway}}
-{{ end }}
-`, network, network)
-	rr, err := runCmd(exec.Command(ociBin, "container", "inspect", "--format", format, container))
+	// First try IPv4 gateway on the specific network
+        format4 := fmt.Sprintf(`{{ if index .NetworkSettings.Networks %q}}{{(index .NetworkSettings.Networks %q).Gateway}}{{ end }}`, network, network)
+        rr, err := runCmd(exec.Command(ociBin, "container", "inspect", "--format", format4, container))
 	if err != nil {
 		return "", errors.Wrapf(err, "inspect gateway")
 	}
-	return strings.TrimSpace(rr.Stdout.String()), nil
+
+	gw := strings.TrimSpace(rr.Stdout.String())
+        if gw != "" {
+                return gw, nil
+        }
+        // Fallback to IPv6 gateway
+        format6 := fmt.Sprintf(`{{ if index .NetworkSettings.Networks %q}}{{(index .NetworkSettings.Networks %q).IPv6Gateway}}{{ end }}`, network, network)
+        rr6, err := runCmd(exec.Command(ociBin, "container", "inspect", "--format", format6, container))
+        if err != nil {
+                return "", errors.Wrapf(err, "inspect ipv6 gateway")
+        }
+        return strings.TrimSpace(rr6.Stdout.String()), nil
 }
 
 // containerGatewayIP gets the default gateway ip for the container
@@ -188,10 +230,9 @@ func ForwardedPort(ociBin string, ociID string, contPort int) (int, error) {
 	o := strings.TrimSpace(rr.Stdout.String())
 	o = strings.Trim(o, "'")
 	p, err := strconv.Atoi(o)
-
-	if err != nil {
-		return p, errors.Wrapf(err, "convert host-port %q to number", p)
-	}
+        if err != nil {
+                return 0, errors.Wrapf(err, "convert host-port %q to number", o)
+        }
 
 	return p, nil
 }
 
@@ -76,66 +76,159 @@ func CreateNetwork(ociBin, networkName, subnet, staticIP string) (net.IP, error)
 	return CreateNetworkWithIPFamily(ociBin, networkName, subnet, "", staticIP, "", "ipv4")
 }
 
-func CreateNetworkWithIPFamily(ociBin, networkName, subnet, subnetv6, staticIP, staticIPv6, ipFamily string) (net.IP, error) {
-	bridgeName := defaultBridgeName(ociBin)
-	if networkName == bridgeName {
-		klog.Infof("skipping creating network since default network %s was specified", networkName)
-		return nil, nil
-	}
 
-	// For IPv6-only or dual-stack networks, use the v6/dual creator
-    	if ipFamily == "ipv6" || ipFamily == "dual" {
-        	return createV6OrDualNetwork(ociBin, networkName, subnet, subnetv6, ipFamily)
-    	}
-
-	// check if the network already exists
-	info, err := containerNetworkInspect(ociBin, networkName)
-	if err == nil {
-		klog.Infof("Found existing network %+v", info)
-		return info.gateway, nil
-	}
+func CreateNetworkWithIPFamily(ociBin, networkName, subnet, subnetv6, staticIP, staticIPv6, ipFamily string) (net.IP, error) {
+    bridgeName := defaultBridgeName(ociBin)
+    if networkName == bridgeName {
+        klog.Infof("skipping creating network since default network %s was specified", networkName)
+        return nil, nil
+    }
 
-	// will try to get MTU from the docker network to avoid issue with systems with exotic MTU settings.
-	// related issue #9528
-	info, err = containerNetworkInspect(ociBin, bridgeName)
-	if err != nil {
-		klog.Warningf("failed to get mtu information from the %s's default network %q: %v", ociBin, bridgeName, err)
-	}
+    // If already exists, reuse.
+    if info, err := containerNetworkInspect(ociBin, networkName); err == nil {
+        klog.Infof("Found existing network %+v", info)
+        return info.gateway, nil
+    }
 
-	tries := 20
+    // Learn MTU from the default bridge (best effort)
+    bridgeInfo, berr := containerNetworkInspect(ociBin, bridgeName)
+    if berr != nil {
+        klog.Warningf("failed to get mtu information from the %s's default network %q: %v", ociBin, bridgeName, berr)
+    }
+    // ----- IPv6/dual flow -----
+    if ipFamily == "ipv6" || ipFamily == "dual" {
+        // Decide v6 subnet
+        if subnetv6 == "" {
+            if staticIPv6 != "" {
+                if s, err := cidr64ForIP(staticIPv6); err == nil {
+                    subnetv6 = s
+                } else {
+                    return nil, errors.Wrap(err, "derive /64 from --static-ipv6")
+                }
+            } else {
+                subnetv6 = firstSubnetAddrv6(subnetv6) // default fd00::/64
+            }
+        }
+
+        // Build args; enable IPv6 always in this branch
+        args := []string{"network", "create", "--driver=bridge", "--ipv6"}
+
+        // For dual, also choose a free IPv4 subnet similar to the v4-only flow
+        if ipFamily == "dual" {
+            tries := 20
+            start := firstSubnetAddr(subnet)
+            if staticIP != "" {
+                tries = 1
+                start = staticIP
+            }
+
+            // Try up to 5 candidate /24s starting at start, stepping by 9 (as before)
+            var lastErr error
+            for attempts, subnetAddr := 0, start; attempts < 5; attempts++ {
+                var p *network.Parameters
+                p, lastErr = network.FreeSubnet(subnetAddr, 9, tries)
+                if lastErr != nil {
+                    klog.Errorf("failed to find free IPv4 subnet for %s network %s after %d attempts: %v", ociBin, networkName, 20, lastErr)
+                    return nil, fmt.Errorf("un-retryable: %w", lastErr)
+                }
+
+                argsWithV4 := append([]string{}, args...)
+                argsWithV4 = append(argsWithV4, "--subnet", p.CIDR, "--gateway", p.Gateway)
+                argsWithV4 = append(argsWithV4, "--subnet", subnetv6)
+		if ociBin == Docker && bridgeInfo.mtu > 0 {
+            		argsWithV4 = append(argsWithV4, "-o", fmt.Sprintf("com.docker.network.driver.mtu=%d", bridgeInfo.mtu))
+         	}
+                argsWithV4 = append(argsWithV4,
+                    fmt.Sprintf("--label=%s=%s", CreatedByLabelKey, "true"),
+                    fmt.Sprintf("--label=%s=%s", ProfileLabelKey, networkName),
+                    networkName,
+                )
+
+                rr, err := runCmd(exec.Command(ociBin, argsWithV4...))
+                if err == nil {
+                    ni, _ := containerNetworkInspect(ociBin, networkName)
+                    return ni.gateway, nil
+                }
+
+                out := rr.Output()
+                // Respect same retry conditions as v4-only
+                if strings.Contains(out, "Pool overlaps") ||
+                   (strings.Contains(out, "failed to allocate gateway") && strings.Contains(out, "Address already in use")) ||
+                   strings.Contains(out, "is being used by a network interface") ||
+                   strings.Contains(out, "is already used on the host or by another config") {
+                    klog.Warningf("failed to create %s network %s %s (dual): %v; retrying with next IPv4 subnet", ociBin, networkName, p.CIDR, err)
+                    subnetAddr = p.IP
+                    continue
+                }
+                // Non-retryable
+                klog.Errorf("error creating dual-stack network %s: %v", networkName, err)
+                return nil, fmt.Errorf("un-retryable: %w", err)
+            }
+            return nil, fmt.Errorf("failed to create %s network %s (dual): %w", ociBin, networkName, lastErr)
+        }
+
+        // ipv6-only (no IPv4)
+        args = append(args, "--subnet", subnetv6)
+	if ociBin == Docker && bridgeInfo.mtu > 0 {
+            args = append(args, "-o", fmt.Sprintf("com.docker.network.driver.mtu=%d", bridgeInfo.mtu))
+        }
+        args = append(args,
+            fmt.Sprintf("--label=%s=%s", CreatedByLabelKey, "true"),
+            fmt.Sprintf("--label=%s=%s", ProfileLabelKey, networkName),
+            networkName,
+        )
+
+        if _, err := runCmd(exec.Command(ociBin, args...)); err != nil {
+            klog.Warningf("failed to create %s network %q (ipv6-only): %v", ociBin, networkName, err)
+            return nil, fmt.Errorf("create %s network %q: %w", ociBin, networkName, err)
+        }
+        ni, _ := containerNetworkInspect(ociBin, networkName)
+        return ni.gateway, nil
+    }
 
-	// we don't want to increment the subnet IP on network creation failure if the user specifies a static IP, so set tries to 1
-	if staticIP != "" {
-		tries = 1
-		subnet = staticIP
-	}
+    // ----- IPv4-only flow (existing logic) -----
+    // keep current implementation
+    tries := 20
+    if staticIP != "" {
+        tries = 1
+        subnet = staticIP
+    }
+    var lastErr error
+    for attempts, subnetAddr := 0, firstSubnetAddr(subnet); attempts < 5; attempts++ {
+        var p *network.Parameters
+        p, lastErr = network.FreeSubnet(subnetAddr, 9, tries)
+        if lastErr != nil {
+            klog.Errorf("failed to find free subnet for %s network %s after %d attempts: %v", ociBin, networkName, 20, lastErr)
+            return nil, fmt.Errorf("un-retryable: %w", lastErr)
+        }
+        gw, err := tryCreateDockerNetwork(ociBin, p, bridgeInfo.mtu, networkName)
+        if err == nil {
+            klog.Infof("%s network %s %s created", ociBin, networkName, p.CIDR)
+            return gw, nil
+        }
+        if !errors.Is(err, ErrNetworkSubnetTaken) && !errors.Is(err, ErrNetworkGatewayTaken) {
+            klog.Errorf("error while trying to create %s network %s %s: %v", ociBin, networkName, p.CIDR, err)
+            return nil, fmt.Errorf("un-retryable: %w", err)
+        }
+        klog.Warningf("failed to create %s network %s %s, will retry: %v", ociBin, networkName, p.CIDR, err)
+        subnetAddr = p.IP
+    }
+    return nil, fmt.Errorf("failed to create %s network %s: %w", ociBin, networkName, lastErr)
+ 
+}
 
-	// retry up to 5 times to create container network
-	for attempts, subnetAddr := 0, firstSubnetAddr(subnet); attempts < 5; attempts++ {
-		// Rather than iterate through all of the valid subnets, give up at 20 to avoid a lengthy user delay for something that is unlikely to work.
-		// will be like 192.168.49.0/24,..., 192.168.220.0/24 (in increment steps of 9)
-		var subnet *network.Parameters
-		subnet, err = network.FreeSubnet(subnetAddr, 9, tries)
-		if err != nil {
-			klog.Errorf("failed to find free subnet for %s network %s after %d attempts: %v", ociBin, networkName, 20, err)
-			return nil, fmt.Errorf("un-retryable: %w", err)
-		}
-		info.gateway, err = tryCreateDockerNetwork(ociBin, subnet, info.mtu, networkName)
-		if err == nil {
-			klog.Infof("%s network %s %s created", ociBin, networkName, subnet.CIDR)
-			return info.gateway, nil
-		}
-		// don't retry if error is not address is taken
-		if !errors.Is(err, ErrNetworkSubnetTaken) && !errors.Is(err, ErrNetworkGatewayTaken) {
-			klog.Errorf("error while trying to create %s network %s %s: %v", ociBin, networkName, subnet.CIDR, err)
-			return nil, fmt.Errorf("un-retryable: %w", err)
-		}
-		klog.Warningf("failed to create %s network %s %s, will retry: %v", ociBin, networkName, subnet.CIDR, err)
-		subnetAddr = subnet.IP
-	}
-	return info.gateway, fmt.Errorf("failed to create %s network %s: %w", ociBin, networkName, err)
+// cidr64ForIP returns a /64 CIDR string covering the provided IPv6 address.
+func cidr64ForIP(ipStr string) (string, error) {
+    ip := net.ParseIP(ipStr)
+    if ip == nil || ip.To16() == nil || ip.To4() != nil {
+        return "", fmt.Errorf("not a valid IPv6 address: %q", ipStr)
+    }
+    mask := net.CIDRMask(64, 128)
+    ipMasked := ip.Mask(mask)
+    return (&net.IPNet{IP: ipMasked, Mask: mask}).String(), nil
 }
 
+
 // createV6OrDualNetwork creates a user-defined bridge network with IPv6 enabled,
 // and adds both subnets when ipFamily == "dual". Returns the gateway reported by inspect (may be nil for v6-only).
 func createV6OrDualNetwork(ociBin, name, subnetV4, subnetV6, ipFamily string) (net.IP, error) {
 
@@ -199,10 +199,26 @@ func CreateContainerNode(p CreateParams) error { //nolint to suppress cyclomatic
 
  	// For IPv6/dual clusters, enable forwarding inside the node container
         // (safe sysctl; avoid disable_ipv6 which may be blocked by Docker's safe list)
-        if p.IPFamily == "ipv6" || p.IPFamily == "dual" {
-                runArgs = append(runArgs, "--sysctl", "net.ipv6.conf.all.forwarding=1")
-        }
 
+	// Ensure service rules apply to bridged traffic inside the node container.
+       // Do both families; harmless if already set.
+       runArgs = append(runArgs,
+               "--sysctl", "net.ipv4.ip_forward=1",
+               "--sysctl", "net.bridge.bridge-nf-call-iptables=1",
+               // Allow kube-proxy/IPVS or iptables to program and accept IPv4 Service VIPs.
+               "--sysctl", "net.ipv4.ip_nonlocal_bind=1",
+       )
+       // IPv6/dual clusters need IPv6 forwarding and IPv6 bridge netfilter, too.
+       if p.IPFamily == "ipv6" || p.IPFamily == "dual" {
+               runArgs = append(runArgs,
+                       "--sysctl", "net.ipv6.conf.all.forwarding=1",
+                       "--sysctl", "net.bridge.bridge-nf-call-ip6tables=1",
+		       // Allow kube-proxy/IPVS or iptables to program and accept Service VIPs.
+	               "--sysctl", "net.ipv4.ip_nonlocal_bind=1",
+        	       // Same for IPv6 VIPs.
+               	       "--sysctl", "net.ipv6.ip_nonlocal_bind=1",
+               )
+       }
 	switch p.GPUs {
 	case "all", "nvidia":
 		runArgs = append(runArgs, "--gpus", "all", "--env", "NVIDIA_DRIVER_CAPABILITIES=all")
 
@@ -36,8 +36,10 @@ bootstrapTokens:
 nodeRegistration:
   criSocket: {{if .CRISocket}}{{.CRISocket}}{{else}}/var/run/dockershim.sock{{end}}
   name: "{{.NodeName}}"
+{{- if .NodeIP }}
   kubeletExtraArgs:
     node-ip: {{.NodeIP}}
+{{- end }}
   taints: []
 ---
 apiVersion: kubeadm.k8s.io/v1beta1