[neutron] DevStack with IPv6

Lucio Seki lucioseki at gmail.com
Fri Sep 13 20:23:24 UTC 2019


I recreated my security group rules to set remote_ip_prefix to ::/0
instead of None, as in Donny's environment, but it made no difference. :-(

On Fri, Sep 13, 2019 at 3:55 PM Donny Davis <donny at fortnebula.com> wrote:

> So outbound traffic works, but inbound traffic doesn't?
>
> Here is my icmp security group rule for ipv6.
>
> +-------------------+--------------------------------------+
> | Field             | Value                                |
> +-------------------+--------------------------------------+
> | created_at        | 2019-07-30T00:50:25Z                 |
> | description       |                                      |
> | direction         | ingress                              |
> | ether_type        | IPv6                                 |
> | id                | b6df5801-8c2c-4ba4-afe1-2cbaa2922dfa |
> | location          | Munch({'cloud': '', 'region_name': 'regionOne', 'zone': None, 'project': Munch({'id': 'e8fd161dc34c421a979a9e6421f823e9', 'name': 'openstackzuul', 'domain_id': None, 'domain_name': 'Default'})}) |
> | name              | None                                 |
> | port_range_max    | None                                 |
> | port_range_min    | None                                 |
> | project_id        | e8fd161dc34c421a979a9e6421f823e9     |
> | protocol          | icmp                                 |
> | remote_group_id   | None                                 |
> | remote_ip_prefix  | ::/0                                 |
> | revision_number   | 0                                    |
> | security_group_id | bcedc0e0-e2e8-41fc-aeaa-afd2e10c7ab6 |
> | tags              | []                                   |
> | updated_at        | 2019-07-30T00:50:25Z                 |
> +-------------------+--------------------------------------+
>
>
>
> On Fri, Sep 13, 2019 at 2:48 PM Lucio Seki <lucioseki at gmail.com> wrote:
>
>> Hmm OK, I'll try to figure out what hacking
>> create_neutron_initial_network does...
>>
>> BTW, I noticed that I can ping6 the router interface at private subnet
>> from the DevStack host:
>>
>> $ ping6 fd12:67:1:1::1
>> PING fd12:67:1:1::1(fd12:67:1:1::1) 56 data bytes
>> 64 bytes from fd12:67:1:1::1: icmp_seq=1 ttl=64 time=0.646 ms
>> 64 bytes from fd12:67:1:1::1: icmp_seq=2 ttl=64 time=0.095 ms
>> 64 bytes from fd12:67:1:1::1: icmp_seq=3 ttl=64 time=0.106 ms
>> 64 bytes from fd12:67:1:1::1: icmp_seq=4 ttl=64 time=0.129 ms
>>
>> And also I can ping6 the public subnet interface from the VM:
>>
>> root@ubuntu:~# ping6 fd12:67:1::3c
>> PING fd12:67:1::3c (fd12:67:1::3c): 56 data bytes
>> ping: getnameinfo: Temporary failure in name resolution
>> 64 bytes from unknown: icmp_seq=0 ttl=64 time=2.079 ms
>> ping: getnameinfo: Temporary failure in name resolution
>> 64 bytes from unknown: icmp_seq=1 ttl=64 time=1.385 ms
>> ping: getnameinfo: Temporary failure in name resolution
>> 64 bytes from unknown: icmp_seq=2 ttl=64 time=0.881 ms
>>
>> Not sure if it means that there's something missing within the router
>> itself...
>>
>> On Fri, Sep 13, 2019 at 2:24 PM Donny Davis <donny at fortnebula.com> wrote:
>>
>>> Also I have no v6 address on my br-ex
>>>
>>> On Fri, Sep 13, 2019 at 1:22 PM Donny Davis <donny at fortnebula.com>
>>> wrote:
>>>
>>>> Well here is the output from my rule list that is in prod right now
>>>> with ipv6
>>>>
>>>> +--------------------------------------+-------------+-----------+------------+-----------------------+
>>>> | ID                                   | IP Protocol | IP Range  | Port Range | Remote Security Group |
>>>> +--------------------------------------+-------------+-----------+------------+-----------------------+
>>>> | 9ab00b6f-2bc2-4554-818d-eff6e0570943 | None        | 0.0.0.0/0 |            | None                  |
>>>> | b6df5801-8c2c-4ba4-afe1-2cbaa2922dfa | icmp        | ::/0      |            | None                  |
>>>> | e7fd4840-5fbd-4709-b918-f80eac5cb6da | None        | ::/0      |            | None                  |
>>>> | e9968d53-7efe-4a9e-ad42-1092ffaf52e7 | None        | None      |            | None                  |
>>>> | ec1ea961-9025-4229-92cf-618026a1851b | None        | None      |            | None                  |
>>>> +--------------------------------------+-------------+-----------+------------+-----------------------+
>>>>
>>>>
>>>> +-------------------+--------------------------------------+
>>>> | Field             | Value                                |
>>>> +-------------------+--------------------------------------+
>>>> | created_at        | 2019-07-30T00:50:25Z                 |
>>>> | description       |                                      |
>>>> | direction         | ingress                              |
>>>> | ether_type        | IPv6                                 |
>>>> | id                | b6df5801-8c2c-4ba4-afe1-2cbaa2922dfa |
>>>> | location          | Munch({'cloud': '', 'region_name': 'regionOne', 'zone': None, 'project': Munch({'id': 'e8fd161dc34c421a979a9e6421f823e9', 'name': 'openstackzuul', 'domain_id': None, 'domain_name': 'Default'})}) |
>>>> | name              | None                                 |
>>>> | port_range_max    | None                                 |
>>>> | port_range_min    | None                                 |
>>>> | project_id        | e8fd161dc34c421a979a9e6421f823e9     |
>>>> | protocol          | icmp                                 |
>>>> | remote_group_id   | None                                 |
>>>> | remote_ip_prefix  | ::/0                                 |
>>>> | revision_number   | 0                                    |
>>>> | security_group_id | bcedc0e0-e2e8-41fc-aeaa-afd2e10c7ab6 |
>>>> | tags              | []                                   |
>>>> | updated_at        | 2019-07-30T00:50:25Z                 |
>>>> +-------------------+--------------------------------------+
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Fri, Sep 13, 2019 at 9:24 AM Lucio Seki <lucioseki at gmail.com> wrote:
>>>>
>>>>> Hi Donny, following are the rules:
>>>>>
>>>>> $ openstack security group list --project admin
>>>>>
>>>>> +--------------------------------------+---------+------------------------+----------------------------------+------+
>>>>> | ID                                   | Name    | Description            | Project                          | Tags |
>>>>> +--------------------------------------+---------+------------------------+----------------------------------+------+
>>>>> | d0136b0e-ee51-461c-afa0-c5adb88dd0dd | default | Default security group | 68e3942285a24fb5bd1aed30e166aaee | []   |
>>>>> +--------------------------------------+---------+------------------------+----------------------------------+------+
>>>>>
>>>>> $ openstack security group rule list d0136b0e-ee51-461c-afa0-c5adb88dd0dd
>>>>>
>>>>> +--------------------------------------+-------------+----------+------------+--------------------------------------+
>>>>> | ID                                   | IP Protocol | IP Range | Port Range | Remote Security Group                |
>>>>> +--------------------------------------+-------------+----------+------------+--------------------------------------+
>>>>> | 38394345-3e44-4284-a519-cdd8af020f30 | tcp         | ::/0     | 22:22      | None                                 |
>>>>> | 40881f76-c87f-4685-b3af-c3497dd44837 | None        | None     |            | d0136b0e-ee51-461c-afa0-c5adb88dd0dd |
>>>>> | 56d4ae52-195e-48df-871e-dc70b899b7ba | None        | None     |            | d0136b0e-ee51-461c-afa0-c5adb88dd0dd |
>>>>> | 759edd06-b698-45ca-94cd-44e0cc2cc848 | ipv6-icmp   | None     |            | None                                 |
>>>>> | 762effae-b8e5-42ac-ba99-e85a7bc42455 | tcp         | ::/0     | 22:22      | None                                 |
>>>>> | 81f3588d-4159-4af2-ad50-ff6b76add9cf | ipv6-icmp   | None     |            | None                                 |
>>>>> +--------------------------------------+-------------+----------+------------+--------------------------------------+
>>>>>
>>>>> $ openstack security group rule show 759edd06-b698-45ca-94cd-44e0cc2cc848
>>>>>
>>>>> +-------------------+--------------------------------------+
>>>>> | Field             | Value                                |
>>>>> +-------------------+--------------------------------------+
>>>>> | created_at        | 2019-09-03T16:51:41Z                 |
>>>>> | description       |                                      |
>>>>> | direction         | egress                               |
>>>>> | ether_type        | IPv6                                 |
>>>>> | id                | 759edd06-b698-45ca-94cd-44e0cc2cc848 |
>>>>> | location          | Munch({'project': Munch({'domain_id': 'default', 'id': u'68e3942285a24fb5bd1aed30e166aaee', 'name': 'admin', 'domain_name': None}), 'cloud': '', 'region_name': 'RegionOne', 'zone': None}) |
>>>>> | name              | None                                 |
>>>>> | port_range_max    | None                                 |
>>>>> | port_range_min    | None                                 |
>>>>> | project_id        | 68e3942285a24fb5bd1aed30e166aaee     |
>>>>> | protocol          | ipv6-icmp                            |
>>>>> | remote_group_id   | None                                 |
>>>>> | remote_ip_prefix  | None                                 |
>>>>> | revision_number   | 0                                    |
>>>>> | security_group_id | d0136b0e-ee51-461c-afa0-c5adb88dd0dd |
>>>>> | tags              | []                                   |
>>>>> | updated_at        | 2019-09-03T16:51:41Z                 |
>>>>> +-------------------+--------------------------------------+
>>>>>
>>>>> $ openstack security group rule show 81f3588d-4159-4af2-ad50-ff6b76add9cf
>>>>>
>>>>> +-------------------+--------------------------------------+
>>>>> | Field             | Value                                |
>>>>> +-------------------+--------------------------------------+
>>>>> | created_at        | 2019-09-03T16:51:30Z                 |
>>>>> | description       |                                      |
>>>>> | direction         | ingress                              |
>>>>> | ether_type        | IPv6                                 |
>>>>> | id                | 81f3588d-4159-4af2-ad50-ff6b76add9cf |
>>>>> | location          | Munch({'project': Munch({'domain_id': 'default', 'id': u'68e3942285a24fb5bd1aed30e166aaee', 'name': 'admin', 'domain_name': None}), 'cloud': '', 'region_name': 'RegionOne', 'zone': None}) |
>>>>> | name              | None                                 |
>>>>> | port_range_max    | None                                 |
>>>>> | port_range_min    | None                                 |
>>>>> | project_id        | 68e3942285a24fb5bd1aed30e166aaee     |
>>>>> | protocol          | ipv6-icmp                            |
>>>>> | remote_group_id   | None                                 |
>>>>> | remote_ip_prefix  | None                                 |
>>>>> | revision_number   | 0                                    |
>>>>> | security_group_id | d0136b0e-ee51-461c-afa0-c5adb88dd0dd |
>>>>> | tags              | []                                   |
>>>>> | updated_at        | 2019-09-03T16:51:30Z                 |
>>>>> +-------------------+--------------------------------------+
>>>>>
>>>>>
>>>>> On Fri, Sep 13, 2019 at 10:16 AM Donny Davis <donny at fortnebula.com>
>>>>> wrote:
>>>>>
>>>>>> Security group rules?
>>>>>>
>>>>>> Donny Davis
>>>>>> c: 805 814 6800
>>>>>>
>>>>>> On Thu, Sep 12, 2019, 5:53 PM Lucio Seki <lucioseki at gmail.com> wrote:
>>>>>>
>>>>>>> Hi folks, I'm having trouble trying to ping6 a VM running over DevStack
>>>>>>> from its hypervisor.
>>>>>>> Could you please help me troubleshoot it?
>>>>>>>
>>>>>>> I deployed DevStack with NEUTRON_CREATE_INITIAL_NETWORKS=False,
>>>>>>> and manually created the networks, subnets and router. Following is
>>>>>>> my router:
>>>>>>>
>>>>>>> $ openstack router show router1 -c external_gateway_info -c interfaces_info
>>>>>>>
>>>>>>> +-----------------------+-------+
>>>>>>> | Field                 | Value |
>>>>>>> +-----------------------+-------+
>>>>>>> | external_gateway_info | {"network_id": "b87048ed-1be9-4f31-8d7e-fe74921aeec4", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "28a00bc3-b30b-456f-b26a-44b50d37183f", "ip_address": "10.2.0.199"}, {"subnet_id": "a9729beb-b297-4fec-8ec3-7703f7f6f4bc", "ip_address": "fd12:67:1::3c"}]} |
>>>>>>> | interfaces_info       | [{"subnet_id": "081e8508-4ceb-4aaf-bf91-36a1e22a768c", "ip_address": "fd12:67:1:1::1", "port_id": "75391abd-8ac8-41f8-acf8-3dfaf2a6b08f"}] |
>>>>>>> +-----------------------+-------+
>>>>>>>
>>>>>>> I'm trying to ping6 the following VM:
>>>>>>>
>>>>>>> $ openstack server list
>>>>>>>
>>>>>>> +--------------------------------------+---------+--------+------------------------------------------+--------+--------+
>>>>>>> | ID                                   | Name    | Status | Networks                                 | Image  | Flavor |
>>>>>>> +--------------------------------------+---------+--------+------------------------------------------+--------+--------+
>>>>>>> | 938854d0-80e9-45b2-bc29-8fe7651ffa93 | manila1 | ACTIVE | private1=fd12:67:1:1:f816:3eff:fe0e:17c3 | manila | manila |
>>>>>>> +--------------------------------------+---------+--------+------------------------------------------+--------+--------+
>>>>>>>
>>>>>>> I intend to reach it via br-ex interface of the hypervisor:
>>>>>>>
>>>>>>> $ ip a show dev br-ex
>>>>>>> 9: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
>>>>>>>     link/ether 0e:82:a1:ba:77:4c brd ff:ff:ff:ff:ff:ff
>>>>>>>     inet6 fd12:67:1::1/64 scope global
>>>>>>>        valid_lft forever preferred_lft forever
>>>>>>>     inet6 fe80::c82:a1ff:feba:774c/64 scope link
>>>>>>>        valid_lft forever preferred_lft forever
>>>>>>>
>>>>>>> The hypervisor has the following routes:
>>>>>>>
>>>>>>> $ ip -6 route
>>>>>>> fd12:67:1:1::/64 via fd12:67:1::3c dev br-ex metric 1024 pref medium
>>>>>>> fe80::/64 dev ens3 proto kernel metric 256 pref medium
>>>>>>> fe80::/64 dev br-ex proto kernel metric 256 pref medium
>>>>>>> fe80::/64 dev br-int proto kernel metric 256 pref medium
>>>>>>> fe80::/64 dev tapa5cf4799-9f proto kernel metric 256 pref medium
>>>>>>>
>>>>>>> And the VM has the following routes:
>>>>>>>
>>>>>>> root@ubuntu:~# ip -6 route
>>>>>>> root@ubuntu:~# ip -6 route
>>>>>>> fd12:67:1::/64 via fd12:67:1:1::1 dev ens3 metric 1024 pref medium
>>>>>>> fd12:67:1:1::/64 dev ens3 proto kernel metric 256 expires 86360sec pref medium
>>>>>>> fe80::/64 dev ens3 proto kernel metric 256 pref medium
>>>>>>> default via fe80::f816:3eff:feb3:bd56 dev ens3 proto ra metric 1024 expires 260sec hoplimit 64 pref medium
>>>>>>>
>>>>>>> Though the ping6 from VM to hypervisor doesn't work:
>>>>>>> root@ubuntu:~# ping6 fd12:67:1::1 -c4
>>>>>>> PING fd12:67:1::1 (fd12:67:1::1): 56 data bytes
>>>>>>> --- fd12:67:1::1 ping statistics ---
>>>>>>> 4 packets transmitted, 0 packets received, 100% packet loss
>>>>>>>
>>>>>>> I'm able to tcpdump inside the router1 netns and see that request
>>>>>>> packet is passing there, but can't see any reply packets:
>>>>>>>
>>>>>>> $ sudo ip netns exec qrouter-5172472c-bbe7-4907-832a-e2239c8badb4 tcpdump -l -i any icmp6
>>>>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>>>>> listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
>>>>>>> 21:29:29.351358 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1: ICMP6, echo request, seq 0, length 64
>>>>>>> 21:29:30.033316 IP6 fe80::f816:3eff:feb3:bd56 > fe80::f816:3eff:fe0e:17c3: ICMP6, neighbor solicitation, who has fe80::f816:3eff:fe0e:17c3, length 32
>>>>>>> 21:29:30.035807 IP6 fe80::f816:3eff:fe0e:17c3 > fe80::f816:3eff:feb3:bd56: ICMP6, neighbor advertisement, tgt is fe80::f816:3eff:fe0e:17c3, length 24
>>>>>>> 21:29:30.353646 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1: ICMP6, echo request, seq 1, length 64
>>>>>>> 21:29:31.355410 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1: ICMP6, echo request, seq 2, length 64
>>>>>>> 21:29:32.357239 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1: ICMP6, echo request, seq 3, length 64
>>>>>>> The same happens from hypervisor to VM. I can only see the request
>>>>>>> packets, but no reply packets.
>>>>>>>
>>>>>>> Thanks in advance,
>>>>>>> Lucio Seki
>>>>>>>
>>>>>>
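
Added example, not written by anyone in this thread: a small evaluator for the two ingress rule shapes compared above, showing that a rule with remote_ip_prefix None and no remote group admits the same IPv6 sources as one with ::/0. The rule dictionaries are constructed from the quoted `security group rule show` output, and treating the protocol name `icmp` on an IPv6 rule as ICMPv6 is an assumption.

```python
import ipaddress

# Protocol names accepted as ICMPv6 on an IPv6 rule. Assumption: the legacy
# name "icmp" (as in Donny's rule) is handled the same as "ipv6-icmp".
ICMPV6_NAMES = {"ipv6-icmp", "icmpv6", "icmp", "58"}


def _rule(rule_id, direction, protocol, prefix):
    """Build a rule dict holding only the fields that affect matching."""
    return {"id": rule_id, "direction": direction, "ether_type": "IPv6",
            "protocol": protocol, "remote_ip_prefix": prefix,
            "remote_group_id": None}


# Constructed from the rule output quoted in the thread.
LUCIO_INGRESS = _rule("81f3588d-4159-4af2-ad50-ff6b76add9cf", "ingress", "ipv6-icmp", None)
LUCIO_EGRESS = _rule("759edd06-b698-45ca-94cd-44e0cc2cc848", "egress", "ipv6-icmp", None)
DONNY_INGRESS = _rule("b6df5801-8c2c-4ba4-afe1-2cbaa2922dfa", "ingress", "icmp", "::/0")


def source_matches(rule, src):
    """True if src is inside the rule's remote_ip_prefix (None means any)."""
    if rule["remote_group_id"] is not None:
        # Remote-group rules depend on port membership, which is not modelled here.
        return False
    prefix = rule["remote_ip_prefix"]
    if prefix is None:
        return True
    net = ipaddress.ip_network(prefix)
    addr = ipaddress.ip_address(src)
    return addr.version == net.version and addr in net


def allows_icmpv6_in(rules, src):
    """Return the ids of rules that admit inbound ICMPv6 from src."""
    hits = []
    for rule in rules:
        if rule["direction"] != "ingress" or rule["ether_type"] != "IPv6":
            continue
        proto = rule["protocol"]
        # protocol None means "any protocol", which also covers ICMPv6.
        if proto is not None and str(proto).lower() not in ICMPV6_NAMES:
            continue
        if source_matches(rule, src):
            hits.append(rule["id"])
    return hits


if __name__ == "__main__":
    hypervisor = "fd12:67:1::1"  # br-ex address from the original post
    recreated = dict(LUCIO_INGRESS, remote_ip_prefix="::/0")
    for label, rules in [("prefix None", [LUCIO_INGRESS, LUCIO_EGRESS]),
                         ("prefix ::/0", [recreated, LUCIO_EGRESS]),
                         ("Donny's rule", [DONNY_INGRESS])]:
        print(label, "->", allows_icmpv6_in(rules, hypervisor))
```

All three rule sets admit the echo request from the hypervisor address, so the rule shape alone does not distinguish the two environments.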