[neutron] DevStack with IPv6
Lucio Seki
lucioseki at gmail.com
Mon Sep 16 12:59:26 UTC 2019
Hi Antonio. Yes, it is
$ sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 1
On Sat, Sep 14, 2019 at 6:02 AM Antonio Ojea <antonio.ojea.garcia at gmail.com> wrote:
> Can you check if ipv6 forwarding is enabled in the router namespace?
>
> net.ipv6.conf.all.forwarding=1
>
> On Sat, 14 Sep 2019 at 02:13, Lucio Seki <lucioseki at gmail.com> wrote:
> >
> > I recreated my security group rules, to set remote_ip_prefix to ::/0 instead of None as in Donny's environment, but made no difference. :-(
> >
> > On Fri, Sep 13, 2019 at 3:55 PM Donny Davis <donny at fortnebula.com> wrote:
> >>
> >> So outbound traffic works, but inbound traffic doesn't?
> >>
> >> Here is my icmp security group rule for ipv6.
> >>
> >> +-------------------+--------------------------------------+
> >> | Field             | Value                                |
> >> +-------------------+--------------------------------------+
> >> | created_at        | 2019-07-30T00:50:25Z                 |
> >> | description       |                                      |
> >> | direction         | ingress                              |
> >> | ether_type        | IPv6                                 |
> >> | id                | b6df5801-8c2c-4ba4-afe1-2cbaa2922dfa |
> >> | location          | Munch({'cloud': '', 'region_name': 'regionOne', 'zone': None, 'project': Munch({'id': 'e8fd161dc34c421a979a9e6421f823e9', 'name': 'openstackzuul', 'domain_id': None, 'domain_name': 'Default'})}) |
> >> | name              | None                                 |
> >> | port_range_max    | None                                 |
> >> | port_range_min    | None                                 |
> >> | project_id        | e8fd161dc34c421a979a9e6421f823e9     |
> >> | protocol          | icmp                                 |
> >> | remote_group_id   | None                                 |
> >> | remote_ip_prefix  | ::/0                                 |
> >> | revision_number   | 0                                    |
> >> | security_group_id | bcedc0e0-e2e8-41fc-aeaa-afd2e10c7ab6 |
> >> | tags              | []                                   |
> >> | updated_at        | 2019-07-30T00:50:25Z                 |
> >> +-------------------+--------------------------------------+
> >>
> >>
> >>
> >> On Fri, Sep 13, 2019 at 2:48 PM Lucio Seki <lucioseki at gmail.com> wrote:
> >>>
> >>> Hmm OK, I'll try to figure out what hacking create_neutron_initial_network does...
> >>>
> >>> BTW, I noticed that I can ping6 the router interface at private subnet from the DevStack host:
> >>>
> >>> $ ping6 fd12:67:1:1::1
> >>> PING fd12:67:1:1::1(fd12:67:1:1::1) 56 data bytes
> >>> 64 bytes from fd12:67:1:1::1: icmp_seq=1 ttl=64 time=0.646 ms
> >>> 64 bytes from fd12:67:1:1::1: icmp_seq=2 ttl=64 time=0.095 ms
> >>> 64 bytes from fd12:67:1:1::1: icmp_seq=3 ttl=64 time=0.106 ms
> >>> 64 bytes from fd12:67:1:1::1: icmp_seq=4 ttl=64 time=0.129 ms
> >>>
> >>> And also I can ping6 the public subnet interface from the VM:
> >>>
> >>> root@ubuntu:~# ping6 fd12:67:1::3c
> >>> PING fd12:67:1::3c (fd12:67:1::3c): 56 data bytes
> >>> ping: getnameinfo: Temporary failure in name resolution
> >>> 64 bytes from unknown: icmp_seq=0 ttl=64 time=2.079 ms
> >>> ping: getnameinfo: Temporary failure in name resolution
> >>> 64 bytes from unknown: icmp_seq=1 ttl=64 time=1.385 ms
> >>> ping: getnameinfo: Temporary failure in name resolution
> >>> 64 bytes from unknown: icmp_seq=2 ttl=64 time=0.881 ms
> >>>
> >>> Not sure if it means that there's something missing within the router itself...
> >>>
> >>> On Fri, Sep 13, 2019 at 2:24 PM Donny Davis <donny at fortnebula.com> wrote:
> >>>>
> >>>> Also I have no v6 address on my br-ex
> >>>>
> >>>> On Fri, Sep 13, 2019 at 1:22 PM Donny Davis <donny at fortnebula.com> wrote:
> >>>>>
> >>>>> Well here is the output from my rule list that is in prod right now with ipv6
> >>>>>
> >>>>> +--------------------------------------+-------------+-----------+------------+-----------------------+
> >>>>> | ID                                   | IP Protocol | IP Range  | Port Range | Remote Security Group |
> >>>>> +--------------------------------------+-------------+-----------+------------+-----------------------+
> >>>>> | 9ab00b6f-2bc2-4554-818d-eff6e0570943 | None        | 0.0.0.0/0 |            | None                  |
> >>>>> | b6df5801-8c2c-4ba4-afe1-2cbaa2922dfa | icmp        | ::/0      |            | None                  |
> >>>>> | e7fd4840-5fbd-4709-b918-f80eac5cb6da | None        | ::/0      |            | None                  |
> >>>>> | e9968d53-7efe-4a9e-ad42-1092ffaf52e7 | None        | None      |            | None                  |
> >>>>> | ec1ea961-9025-4229-92cf-618026a1851b | None        | None      |            | None                  |
> >>>>> +--------------------------------------+-------------+-----------+------------+-----------------------+
> >>>>>
> >>>>> +-------------------+--------------------------------------+
> >>>>> | Field             | Value                                |
> >>>>> +-------------------+--------------------------------------+
> >>>>> | created_at        | 2019-07-30T00:50:25Z                 |
> >>>>> | description       |                                      |
> >>>>> | direction         | ingress                              |
> >>>>> | ether_type        | IPv6                                 |
> >>>>> | id                | b6df5801-8c2c-4ba4-afe1-2cbaa2922dfa |
> >>>>> | location          | Munch({'cloud': '', 'region_name': 'regionOne', 'zone': None, 'project': Munch({'id': 'e8fd161dc34c421a979a9e6421f823e9', 'name': 'openstackzuul', 'domain_id': None, 'domain_name': 'Default'})}) |
> >>>>> | name              | None                                 |
> >>>>> | port_range_max    | None                                 |
> >>>>> | port_range_min    | None                                 |
> >>>>> | project_id        | e8fd161dc34c421a979a9e6421f823e9     |
> >>>>> | protocol          | icmp                                 |
> >>>>> | remote_group_id   | None                                 |
> >>>>> | remote_ip_prefix  | ::/0                                 |
> >>>>> | revision_number   | 0                                    |
> >>>>> | security_group_id | bcedc0e0-e2e8-41fc-aeaa-afd2e10c7ab6 |
> >>>>> | tags              | []                                   |
> >>>>> | updated_at        | 2019-07-30T00:50:25Z                 |
> >>>>> +-------------------+--------------------------------------+
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Fri, Sep 13, 2019 at 9:24 AM Lucio Seki <lucioseki at gmail.com> wrote:
> >>>>>>
> >>>>>> Hi Donny, following are the rules:
> >>>>>>
> >>>>>> $ openstack security group list --project admin
> >>>>>>
> >>>>>> +--------------------------------------+---------+------------------------+----------------------------------+------+
> >>>>>> | ID                                   | Name    | Description            | Project                          | Tags |
> >>>>>> +--------------------------------------+---------+------------------------+----------------------------------+------+
> >>>>>> | d0136b0e-ee51-461c-afa0-c5adb88dd0dd | default | Default security group | 68e3942285a24fb5bd1aed30e166aaee | []   |
> >>>>>> +--------------------------------------+---------+------------------------+----------------------------------+------+
> >>>>>>
> >>>>>> $ openstack security group rule list d0136b0e-ee51-461c-afa0-c5adb88dd0dd
> >>>>>> +--------------------------------------+-------------+----------+------------+--------------------------------------+
> >>>>>> | ID                                   | IP Protocol | IP Range | Port Range | Remote Security Group                |
> >>>>>> +--------------------------------------+-------------+----------+------------+--------------------------------------+
> >>>>>> | 38394345-3e44-4284-a519-cdd8af020f30 | tcp         | ::/0     | 22:22      | None                                 |
> >>>>>> | 40881f76-c87f-4685-b3af-c3497dd44837 | None        | None     |            | d0136b0e-ee51-461c-afa0-c5adb88dd0dd |
> >>>>>> | 56d4ae52-195e-48df-871e-dc70b899b7ba | None        | None     |            | d0136b0e-ee51-461c-afa0-c5adb88dd0dd |
> >>>>>> | 759edd06-b698-45ca-94cd-44e0cc2cc848 | ipv6-icmp   | None     |            | None                                 |
> >>>>>> | 762effae-b8e5-42ac-ba99-e85a7bc42455 | tcp         | ::/0     | 22:22      | None                                 |
> >>>>>> | 81f3588d-4159-4af2-ad50-ff6b76add9cf | ipv6-icmp   | None     |            | None                                 |
> >>>>>> +--------------------------------------+-------------+----------+------------+--------------------------------------+
> >>>>>>
> >>>>>> $ openstack security group rule show 759edd06-b698-45ca-94cd-44e0cc2cc848
> >>>>>> +-------------------+--------------------------------------+
> >>>>>> | Field             | Value                                |
> >>>>>> +-------------------+--------------------------------------+
> >>>>>> | created_at        | 2019-09-03T16:51:41Z                 |
> >>>>>> | description       |                                      |
> >>>>>> | direction         | egress                               |
> >>>>>> | ether_type        | IPv6                                 |
> >>>>>> | id                | 759edd06-b698-45ca-94cd-44e0cc2cc848 |
> >>>>>> | location          | Munch({'project': Munch({'domain_id': 'default', 'id': u'68e3942285a24fb5bd1aed30e166aaee', 'name': 'admin', 'domain_name': None}), 'cloud': '', 'region_name': 'RegionOne', 'zone': None}) |
> >>>>>> | name              | None                                 |
> >>>>>> | port_range_max    | None                                 |
> >>>>>> | port_range_min    | None                                 |
> >>>>>> | project_id        | 68e3942285a24fb5bd1aed30e166aaee     |
> >>>>>> | protocol          | ipv6-icmp                            |
> >>>>>> | remote_group_id   | None                                 |
> >>>>>> | remote_ip_prefix  | None                                 |
> >>>>>> | revision_number   | 0                                    |
> >>>>>> | security_group_id | d0136b0e-ee51-461c-afa0-c5adb88dd0dd |
> >>>>>> | tags              | []                                   |
> >>>>>> | updated_at        | 2019-09-03T16:51:41Z                 |
> >>>>>> +-------------------+--------------------------------------+
> >>>>>>
> >>>>>> $ openstack security group rule show 81f3588d-4159-4af2-ad50-ff6b76add9cf
> >>>>>> +-------------------+--------------------------------------+
> >>>>>> | Field             | Value                                |
> >>>>>> +-------------------+--------------------------------------+
> >>>>>> | created_at        | 2019-09-03T16:51:30Z                 |
> >>>>>> | description       |                                      |
> >>>>>> | direction         | ingress                              |
> >>>>>> | ether_type        | IPv6                                 |
> >>>>>> | id                | 81f3588d-4159-4af2-ad50-ff6b76add9cf |
> >>>>>> | location          | Munch({'project': Munch({'domain_id': 'default', 'id': u'68e3942285a24fb5bd1aed30e166aaee', 'name': 'admin', 'domain_name': None}), 'cloud': '', 'region_name': 'RegionOne', 'zone': None}) |
> >>>>>> | name              | None                                 |
> >>>>>> | port_range_max    | None                                 |
> >>>>>> | port_range_min    | None                                 |
> >>>>>> | project_id        | 68e3942285a24fb5bd1aed30e166aaee     |
> >>>>>> | protocol          | ipv6-icmp                            |
> >>>>>> | remote_group_id   | None                                 |
> >>>>>> | remote_ip_prefix  | None                                 |
> >>>>>> | revision_number   | 0                                    |
> >>>>>> | security_group_id | d0136b0e-ee51-461c-afa0-c5adb88dd0dd |
> >>>>>> | tags              | []                                   |
> >>>>>> | updated_at        | 2019-09-03T16:51:30Z                 |
> >>>>>> +-------------------+--------------------------------------+
> >>>>>>
> >>>>>>
> >>>>>> On Fri, Sep 13, 2019 at 10:16 AM Donny Davis <donny at fortnebula.com> wrote:
> >>>>>>>
> >>>>>>> Security group rules?
> >>>>>>>
> >>>>>>> Donny Davis
> >>>>>>> c: 805 814 6800
> >>>>>>>
> >>>>>>> On Thu, Sep 12, 2019, 5:53 PM Lucio Seki <lucioseki at gmail.com> wrote:
> >>>>>>>>
> >>>>>>>> Hi folks, I'm having trouble trying to ping6 a VM running over DevStack from its hypervisor.
> >>>>>>>> Could you please help me troubleshoot it?
> >>>>>>>>
> >>>>>>>> I deployed DevStack with NEUTRON_CREATE_INITIAL_NETWORKS=False,
> >>>>>>>> and manually created the networks, subnets and router. Following is my router:
> >>>>>>>>
> >>>>>>>> $ openstack router show router1 -c external_gateway_info -c interfaces_info
> >>>>>>>> +-----------------------+--------------------------------------+
> >>>>>>>> | Field                 | Value                                |
> >>>>>>>> +-----------------------+--------------------------------------+
> >>>>>>>> | external_gateway_info | {"network_id": "b87048ed-1be9-4f31-8d7e-fe74921aeec4", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "28a00bc3-b30b-456f-b26a-44b50d37183f", "ip_address": "10.2.0.199"}, {"subnet_id": "a9729beb-b297-4fec-8ec3-7703f7f6f4bc", "ip_address": "fd12:67:1::3c"}]} |
> >>>>>>>> | interfaces_info       | [{"subnet_id": "081e8508-4ceb-4aaf-bf91-36a1e22a768c", "ip_address": "fd12:67:1:1::1", "port_id": "75391abd-8ac8-41f8-acf8-3dfaf2a6b08f"}] |
> >>>>>>>> +-----------------------+--------------------------------------+
> >>>>>>>>
> >>>>>>>> I'm trying to ping6 the following VM:
> >>>>>>>>
> >>>>>>>> $ openstack server list
> >>>>>>>>
> >>>>>>>> +--------------------------------------+---------+--------+------------------------------------------+--------+--------+
> >>>>>>>> | ID                                   | Name    | Status | Networks                                 | Image  | Flavor |
> >>>>>>>> +--------------------------------------+---------+--------+------------------------------------------+--------+--------+
> >>>>>>>> | 938854d0-80e9-45b2-bc29-8fe7651ffa93 | manila1 | ACTIVE | private1=fd12:67:1:1:f816:3eff:fe0e:17c3 | manila | manila |
> >>>>>>>> +--------------------------------------+---------+--------+------------------------------------------+--------+--------+
> >>>>>>>>
> >>>>>>>> I intend to reach it via br-ex interface of the hypervisor:
> >>>>>>>>
> >>>>>>>> $ ip a show dev br-ex
> >>>>>>>> 9: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
> >>>>>>>>     link/ether 0e:82:a1:ba:77:4c brd ff:ff:ff:ff:ff:ff
> >>>>>>>>     inet6 fd12:67:1::1/64 scope global
> >>>>>>>>        valid_lft forever preferred_lft forever
> >>>>>>>>     inet6 fe80::c82:a1ff:feba:774c/64 scope link
> >>>>>>>>        valid_lft forever preferred_lft forever
> >>>>>>>>
> >>>>>>>> The hypervisor has the following routes:
> >>>>>>>>
> >>>>>>>> $ ip -6 route
> >>>>>>>> fd12:67:1:1::/64 via fd12:67:1::3c dev br-ex metric 1024 pref medium
> >>>>>>>> fe80::/64 dev ens3 proto kernel metric 256 pref medium
> >>>>>>>> fe80::/64 dev br-ex proto kernel metric 256 pref medium
> >>>>>>>> fe80::/64 dev br-int proto kernel metric 256 pref medium
> >>>>>>>> fe80::/64 dev tapa5cf4799-9f proto kernel metric 256 pref medium
> >>>>>>>>
> >>>>>>>> And the VM has the following routes:
> >>>>>>>>
> >>>>>>>> root@ubuntu:~# ip -6 route
> >>>>>>>> root@ubuntu:~# ip -6 route
> >>>>>>>> fd12:67:1::/64 via fd12:67:1:1::1 dev ens3 metric 1024 pref medium
> >>>>>>>> fd12:67:1:1::/64 dev ens3 proto kernel metric 256 expires 86360sec pref medium
> >>>>>>>> fe80::/64 dev ens3 proto kernel metric 256 pref medium
> >>>>>>>> default via fe80::f816:3eff:feb3:bd56 dev ens3 proto ra metric 1024 expires 260sec hoplimit 64 pref medium
> >>>>>>>>
> >>>>>>>> Though the ping6 from VM to hypervisor doesn't work:
> >>>>>>>> root@ubuntu:~# ping6 fd12:67:1::1 -c4
> >>>>>>>> PING fd12:67:1::1 (fd12:67:1::1): 56 data bytes
> >>>>>>>> --- fd12:67:1::1 ping statistics ---
> >>>>>>>> 4 packets transmitted, 0 packets received, 100% packet loss
> >>>>>>>>
> >>>>>>>> I'm able to tcpdump inside the router1 netns and see that request packet is passing there, but can't see any reply packets:
> >>>>>>>>
> >>>>>>>> $ sudo ip netns exec qrouter-5172472c-bbe7-4907-832a-e2239c8badb4 tcpdump -l -i any icmp6
> >>>>>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> >>>>>>>> listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
> >>>>>>>> 21:29:29.351358 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1: ICMP6, echo request, seq 0, length 64
> >>>>>>>> 21:29:30.033316 IP6 fe80::f816:3eff:feb3:bd56 > fe80::f816:3eff:fe0e:17c3: ICMP6, neighbor solicitation, who has fe80::f816:3eff:fe0e:17c3, length 32
> >>>>>>>> 21:29:30.035807 IP6 fe80::f816:3eff:fe0e:17c3 > fe80::f816:3eff:feb3:bd56: ICMP6, neighbor advertisement, tgt is fe80::f816:3eff:fe0e:17c3, length 24
> >>>>>>>> 21:29:30.353646 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1: ICMP6, echo request, seq 1, length 64
> >>>>>>>> 21:29:31.355410 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1: ICMP6, echo request, seq 2, length 64
> >>>>>>>> 21:29:32.357239 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1: ICMP6, echo request, seq 3, length 64
> >>>>>>>>
> >>>>>>>> The same happens from hypervisor to VM. I only can see the request packets, but no reply packets.
> >>>>>>>>
> >>>>>>>> Thanks in advance,
> >>>>>>>> Lucio Seki
>
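
Added example, not part of the thread and not Neutron's own code: a minimal Python model of how the security group rules shown above match inbound ICMPv6, built from the fields in the `rule show` output. It shows that an ingress rule with `remote_ip_prefix` None and no remote group admits any source, the same as `::/0`. The function names, the protocol alias set, and the direction and ether_type of rule 40881f76 are assumptions.

```python
import ipaddress

# Names accepted for ICMPv6 on an IPv6 rule. Treating "icmp" and "icmpv6" as
# aliases of "ipv6-icmp" is an assumption about Neutron's legacy handling.
ICMPV6_NAMES = {"ipv6-icmp", "icmpv6", "icmp", "58"}

# Rule fields copied from the thread's `rule show` output, except where noted.
LUCIO_RULES = [
    {"id": "759edd06-b698-45ca-94cd-44e0cc2cc848", "direction": "egress",
     "ether_type": "IPv6", "protocol": "ipv6-icmp",
     "remote_ip_prefix": None, "remote_group_id": None},
    {"id": "81f3588d-4159-4af2-ad50-ff6b76add9cf", "direction": "ingress",
     "ether_type": "IPv6", "protocol": "ipv6-icmp",
     "remote_ip_prefix": None, "remote_group_id": None},
    # direction and ether_type are not shown in the thread for this rule: assumed.
    {"id": "40881f76-c87f-4685-b3af-c3497dd44837", "direction": "ingress",
     "ether_type": "IPv6", "protocol": None, "remote_ip_prefix": None,
     "remote_group_id": "d0136b0e-ee51-461c-afa0-c5adb88dd0dd"},
]
DONNY_RULE = {"id": "b6df5801-8c2c-4ba4-afe1-2cbaa2922dfa", "direction": "ingress",
              "ether_type": "IPv6", "protocol": "icmp",
              "remote_ip_prefix": "::/0", "remote_group_id": None}


def rule_admits(rule, src, members):
    """True if this single rule admits inbound ICMPv6 from address src."""
    if rule["direction"] != "ingress" or rule["ether_type"] != "IPv6":
        return False
    proto = rule.get("protocol")
    if proto is not None and str(proto).lower() not in ICMPV6_NAMES:
        return False  # rule is for another protocol (protocol None = any)
    prefix = rule.get("remote_ip_prefix")
    group = rule.get("remote_group_id")
    if prefix is not None:
        return src in ipaddress.ip_network(prefix)
    if group is not None:
        # Remote-group rules match only addresses of ports in that group.
        return src in members.get(group, set())
    return True  # neither prefix nor group: any source matches


def admitting_rules(rules, src, group_members=None):
    """IDs of rules admitting ICMPv6 from src; an empty list means dropped."""
    src = ipaddress.ip_address(src)
    members = {g: {ipaddress.ip_address(a) for a in addrs}
               for g, addrs in (group_members or {}).items()}
    return [r["id"] for r in rules if rule_admits(r, src, members)]
```

For the hypervisor address `fd12:67:1::1`, only rule 81f3588d matches in this model; the remote-group rule alone would not admit it because the hypervisor is not a port in the group.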