On 26/03/2021 20:56, Stephan Seitz wrote:
Wido, thanks a lot!
I just had to look into the db. The correctly calculated SLAAC is
already there.
Double-check: The API and UI do show an IPv6 address for the NIC?
It's then up to you to make sure the Routers in the (shared) network
send out the proper Router Advertisements.
Also check on the hypervisor with 'ip6tables-save' and ipset to see if
all the IPs have been programmed properly into the security groups.
Should just work. We have been using this code for years now.
Wido
Sorry for the noise!
Stephan
On Friday, 26.03.2021, at 20:28 +0100, Wido den Hollander wrote:
On 26/03/2021 20:23, Stephan Seitz wrote:
Hi!
I've recently deployed 4.15.0 Advanced Zone with CentOS 8 KVM hosts
and classic Linux bridges. I do know that CentOS 7 is preferred, but
with some initial tweaks here and there, I'd say it's working quite
well.
VLAN or VXLAN?
small scale, so VLAN fits very well (just for the record)
Currently, I'm trying to use IPv6 on shared networks. I'd learned
that IPv6 only does not work, so I switched to IPv6 plus RFC 1918 IPv4
natted at the outer gateway. IPv4 is not a requirement, but if it's
necessary to add, it doesn't harm.
Yes. IPv4 is still needed and RFC1918 is just fine. Cloud-init works
over IPv4. It's a lot of work to get rid of IPv4 in CloudStack.
I'm a big IPv6 fan (wrote a lot of the code in CS), but I didn't
bother getting rid of IPv4. Not a real use-case for v6-only just yet.
The IPv4 addresses of the deployed hosts are provided by the virtual
router as expected.
My problem is: I don't get any dhcp6 lease out of the VR. I dug with
tcpdump on the host and VR. I see the solicit message arriving, but no
answering advertise message. I've tried almost everything at the host:
accepting RA, Autoconf, selectively disabling these. Also modifying
the dhcpv6 duid as seen on some 4.11 docs didn't change anything.
IPv6 does not work with DHCPv6. You should see that when the IPv6 CIDR
is set properly for the shared network in the database that CloudStack
calculates/generates the IPv6 address the Instance should obtain
through SLAAC (without privacy addresses!)
When that works you have security grouping also working. It then
filters on source addresses from VMs and such.
We have thousands of VMs connected with IPv6 this way.
Wido
Best case is, that I'm stuck with hosts correctly configured by the
router advertisement, but ACS doesn't know about it. So subsequently I
can't add records to the respective DNS Zones.
Alternatively, I could skip ACS and add the provable eui-64 addresses
to the zone, but I'd like to avoid that.
After a few uneducated peeks into the VR's dnsmasq configuration, I
cannot spot any setting for providing dhcp6 leases.
Initially I've deployed the 4.15.0 systemvmtemplate downloaded from
http://download.cloudstack.org/systemvm/4.15/
Right now, I've switched to the 4.15.1 from the same location, but
that didn't change anything.
I've also tried switching the Zone from internal DNS to external DNS
and vice versa (these are identical, except the internal DNS is also
equipped with the respective IPv6 addresses, which obviously cannot be
added to the external DNS). That didn't change anything either.
So, I'd like to ask for any advice.
Thanks in advance!
Stephan
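
The SLAAC address calculation discussed in this thread, as an added example that is not part of the original messages and is not CloudStack's own code. It assumes the modified EUI-64 derivation (RFC 4291) from the NIC's MAC address; the prefix, MAC address, observed addresses and function names are constructed for illustration.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a MAC."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes(int(p, 16) for p in parts)
    # Flip the universal/local bit and insert ff:fe between the two halves.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def expected_slaac_address(cidr: str, mac: str) -> ipaddress.IPv6Address:
    """Address a NIC configures via SLAAC when privacy addresses are disabled."""
    net = ipaddress.IPv6Network(cidr)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def classify_source(observed: str, cidr: str, mac: str) -> str:
    """Compare an address seen on a NIC with the one derived from its MAC."""
    addr = ipaddress.IPv6Address(observed)
    if addr == expected_slaac_address(cidr, mac):
        return "expected"            # matches the calculated address
    if addr.is_link_local:
        return "link-local"          # fe80::/10, not the routed address
    if addr in ipaddress.IPv6Network(cidr):
        return "in-prefix-mismatch"  # e.g. a privacy (temporary) address
    return "foreign"                 # outside the shared network's CIDR

# Constructed sample data (documentation prefix, made-up MAC).
CIDR = "2001:db8:100::/64"
MAC = "1e:00:5c:00:01:0a"
OBSERVED = [
    "2001:db8:100:0:1c00:5cff:fe00:10a",
    "fe80::1c00:5cff:fe00:10a",
    "2001:db8:100:0:a1b2:c3d4:e5f6:1234",
    "2001:db8:200::1",
]

if __name__ == "__main__":
    print("expected:", expected_slaac_address(CIDR, MAC))
    for a in OBSERVED:
        print(f"{a:40} {classify_source(a, CIDR, MAC)}")
```

An "in-prefix-mismatch" result on a guest usually means privacy extensions are enabled there, so its source address differs from the calculated one that the security group filters on.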