[neutron] DevStack with IPv6


Security group rules?

Donny Davis
c: 805 814 6800

On Thu, Sep 12, 2019, 5:53 PM Lucio Seki <lucioseki at gmail.com> wrote:

> Hi folks, I'm having trouble pinging (ping6) a VM running on DevStack from
> its hypervisor.
> Could you please help me troubleshoot it?
>
> I deployed DevStack with NEUTRON_CREATE_INITIAL_NETWORKS=False,
> and manually created the networks, subnets and router. Following is my
> router:
>
> $ openstack router show router1 -c external_gateway_info -c interfaces_info
>
> +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
> | Field                 | Value |
> +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
> | external_gateway_info | {"network_id": "b87048ed-1be9-4f31-8d7e-fe74921aeec4", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "28a00bc3-b30b-456f-b26a-44b50d37183f", "ip_address": "10.2.0.199"}, {"subnet_id": "a9729beb-b297-4fec-8ec3-7703f7f6f4bc", "ip_address": "fd12:67:1::3c"}]} |
> | interfaces_info       | [{"subnet_id": "081e8508-4ceb-4aaf-bf91-36a1e22a768c", "ip_address": "fd12:67:1:1::1", "port_id": "75391abd-8ac8-41f8-acf8-3dfaf2a6b08f"}] |
> +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
>
> I'm trying to ping6 the following VM:
>
> $ openstack server list
>
> +--------------------------------------+---------+--------+------------------------------------------+--------+--------+
> | ID                                   | Name    | Status | Networks                                 | Image  | Flavor |
> +--------------------------------------+---------+--------+------------------------------------------+--------+--------+
> | 938854d0-80e9-45b2-bc29-8fe7651ffa93 | manila1 | ACTIVE | private1=fd12:67:1:1:f816:3eff:fe0e:17c3 | manila | manila |
> +--------------------------------------+---------+--------+------------------------------------------+--------+--------+
>
> I intend to reach it via br-ex interface of the hypervisor:
>
> $ ip a show dev br-ex
> 9: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/ether 0e:82:a1:ba:77:4c brd ff:ff:ff:ff:ff:ff
>     inet6 fd12:67:1::1/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::c82:a1ff:feba:774c/64 scope link
>        valid_lft forever preferred_lft forever
>
> The hypervisor has the following routes:
>
> $ ip -6 route
> fd12:67:1:1::/64 via fd12:67:1::3c dev br-ex metric 1024 pref medium
> fe80::/64 dev ens3 proto kernel metric 256 pref medium
> fe80::/64 dev br-ex proto kernel metric 256 pref medium
> fe80::/64 dev br-int proto kernel metric 256 pref medium
> fe80::/64 dev tapa5cf4799-9f proto kernel metric 256 pref medium
>
> And the VM has the following routes:
>
> root@ubuntu:~# ip -6 route
> root@ubuntu:~# ip -6 route
> fd12:67:1::/64 via fd12:67:1:1::1 dev ens3 metric 1024 pref medium
> fd12:67:1:1::/64 dev ens3 proto kernel metric 256 expires 86360sec pref medium
> fe80::/64 dev ens3 proto kernel metric 256 pref medium
> default via fe80::f816:3eff:feb3:bd56 dev ens3 proto ra metric 1024 expires 260sec hoplimit 64 pref medium
>
> Though the ping6 from VM to hypervisor doesn't work:
> root@ubuntu:~# ping6 fd12:67:1::1 -c4
> PING fd12:67:1::1 (fd12:67:1::1): 56 data bytes
> --- fd12:67:1::1 ping statistics ---
> 4 packets transmitted, 0 packets received, 100% packet loss
>
> I'm able to tcpdump inside the router1 netns and see that the request packet
> is passing there, but can't see any reply packets:
>
> $ sudo ip netns exec qrouter-5172472c-bbe7-4907-832a-e2239c8badb4 tcpdump -l -i any icmp6
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
> 21:29:29.351358 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1: ICMP6, echo request, seq 0, length 64
> 21:29:30.033316 IP6 fe80::f816:3eff:feb3:bd56 > fe80::f816:3eff:fe0e:17c3: ICMP6, neighbor solicitation, who has fe80::f816:3eff:fe0e:17c3, length 32
> 21:29:30.035807 IP6 fe80::f816:3eff:fe0e:17c3 > fe80::f816:3eff:feb3:bd56: ICMP6, neighbor advertisement, tgt is fe80::f816:3eff:fe0e:17c3, length 24
> 21:29:30.353646 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1: ICMP6, echo request, seq 1, length 64
> 21:29:31.355410 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1: ICMP6, echo request, seq 2, length 64
> 21:29:32.357239 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1: ICMP6, echo request, seq 3, length 64
>
> The same happens from hypervisor to VM. I can only see the request
> packets, but no reply packets.
>
> Thanks in advance,
> Lucio Seki
>
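
One way to answer the "Security group rules?" question for the hypervisor-to-VM direction, as an added example that is not part of the original thread. It assumes the rules are available as dicts using the Neutron API field names (direction, ethertype, protocol, remote_ip_prefix, remote_group_id, port_range_min); the rule data and the group id are constructed, and only the addresses come from the post.

```python
import ipaddress

# Protocol values Neutron accepts for ICMPv6 on an IPv6 rule ("icmp" and
# "icmpv6" are legacy spellings of "ipv6-icmp"; 58 is the protocol number).
ICMPV6 = {"ipv6-icmp", "icmpv6", "icmp", "58"}
ECHO_REQUEST = 128  # ICMPv6 type; ICMP rules keep the type in port_range_min

def rule_admitting_ping6(rules, source_ip):
    """Return the first ingress rule that admits an echo request from source_ip."""
    src = ipaddress.ip_address(source_ip)
    for r in rules:
        if r.get("direction") != "ingress" or r.get("ethertype") != "IPv6":
            continue
        proto = r.get("protocol")  # None means any protocol
        if proto is not None and str(proto).lower() not in ICMPV6:
            continue
        if r.get("remote_group_id"):
            continue  # matches only ports in that group, never the hypervisor
        prefix = r.get("remote_ip_prefix")  # None means any source
        if prefix and src not in ipaddress.ip_network(prefix, strict=False):
            continue
        icmp_type = r.get("port_range_min")
        if icmp_type is not None and int(icmp_type) != ECHO_REQUEST:
            continue
        return r
    return None

# Constructed sample: the rules a freshly created "default" group carries.
SG = "00000000-0000-0000-0000-000000000001"  # placeholder group id
DEFAULT_RULES = [
    {"direction": "egress", "ethertype": "IPv4"},
    {"direction": "egress", "ethertype": "IPv6"},
    {"direction": "ingress", "ethertype": "IPv4", "remote_group_id": SG},
    {"direction": "ingress", "ethertype": "IPv6", "remote_group_id": SG},
]
# Constructed rule scoped to the external subnet the hypervisor's br-ex sits on.
PING6_RULE = {"direction": "ingress", "ethertype": "IPv6", "protocol": "ipv6-icmp",
              "remote_ip_prefix": "fd12:67:1::/64", "port_range_min": 128}

if __name__ == "__main__":
    print(rule_admitting_ping6(DEFAULT_RULES, "fd12:67:1::1"))
    print(rule_admitting_ping6(DEFAULT_RULES + [PING6_RULE], "fd12:67:1::1"))
```

With only the default rules, nothing admits an echo request from fd12:67:1::1; the check covers ingress to the VM only, since the default egress rules already let the VM's own echo requests out.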