It’s been a really long time since I posted here. Since my last entries, the network didn’t evolve a lot. This post is to move forward and propose IPv6 to the masses (of VM) and then I aim to learn Kubernetes. The main goal is to install Kubernetes from fedora server spin and IPv6 only helped by calico for networking.

First step is getting /56 networks to the physical hosts. Then I’ll propagate the new subnets through BGP using the existing ipsec+gre tunnels.

In order to get my IPv6 blocks, I’m asking them on the wire with dibbler-client package.

Installing dibbler

  • Install the packages
[root@db-xc1 696 ~]# apt install dibbler-client
  • Modify the config file in /etc/dibbler/client.conf for prefix discovery
log-level 7
inactive-mode
iface eth0 {
    pd
}

  • Enter the DUID in the right file: /var/lib/dibbler/client-duid

  • Configure the system so that the daemon autostart

[root@db-xc1 696 ~]# cd /etc
[root@db-xc1 697 ~]# ln -s ../init.d/dibbler-client S50dibbler-client
[root@db-xc1 698 ~]# update-rc.d   -f dibbler-client enable 345
[root@db-xc1 699 ~]# update-rc.d  dibbler-client enable
  • Modify the system to have an IP v6 address on eth0
iface eth0 inet6 static
    address fc01:100:200:400::1
    netmask 64
  • Create ip6tables filter & startup script
[root@db-xc1 700 ~]# cat /etc/network/if-pre-up.d/ip6tables
#!/bin/sh
/sbin/ip6tables-restore < /etc/ip6tables.up.rules
[root@db-xc1 701 ~]#
  • Reboot and check that IPv6 is working on the node ping6 ipv6.google.com & tcpdump -ni eth0 ip6 are your friends

Update the vm network for IPv6 usage

  • Use virsh to update directly the xml file or create a new one
[root@db-xc1 696 ~]# virsh net-edit VMNetwork
  • Update the xml entry for IPv6
<network>
  <name>OVSNetwork</name>
  <forward mode='route'/>
  <bridge name='br10' stp='on' delay='0'/>
  <ip address='172.16.4.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='172.16.4.100' end='172.16.4.199'/>
    </dhcp>
  </ip>
  <virtualport type='openvswitch'/>
  <ip family='ipv6' address='fc01:100:200:401::1' prefix='64'>
    <dhcp>
      <range start='fc01:100:200:401::100' end='fc01:100:200:401::1ff'/>
    </dhcp>
  </ip>
</network>
  • In order to take into account the new network, the network has to be restarted and all VMs attached to this network shall be restarted too. May be detach and reattach the network works, I didn’t tried.

Update the system configuration

Notes on routing and Prefix Delegation

On Linux, in order to have DHCPv6PD and IPv6 forwarding enabled at the same time, you have to turn on some knobs in the kernel. More precisely, you have to change the option “accept_ra” to 2. Here is my relevant file:

[root@db-xc1 1120 ~]# cat /etc/sysctl.d/10-forwarding.conf 
# BEGIN ANSIBLE MANAGED BLOCK
net.ipv4.ip_forward = 1
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.default.accept_ra = 2
net.ipv6.conf.eth0.accept_ra = 2
net.ipv6.conf.all.forwarding = 1
# END ANSIBLE MANAGED BLOCK
[root@db-xc1 1121 ~]#

Strangely enougth, I had to reboot the box with the new parameters in order to apply them.

/etc/network/interface.d/gre? updates

I add some lines to gre? files so that a private IP address is defined for interconnections. I had to do that because bird & openbgpd refuse to establish an IPv6 peering with the fe80::/16 addresses.

Here is the relevant configuration on Debian:

iface gre1 inet6 static
    address fc00:fe1b::6
    netmask 126

If you want to enter several aliases for the same interface, thanks to Sander Steffann answer on servervault:

auto gre1
iface gre1 inet6 static
    address fc00:fe1b::6
    netmask 126

auto gre1:0
iface gre1:0 inet6 static
    address fc00:fe1b::f
    netmask 126

Update the Bird configuration file to adapt the routing

  • Update on the /etc/bird/bird6.conf file :
router id 172.16.4.1;
define myas = 65004;
protocol kernel {
        persist;
        learn;
        scan time 20;
        import all;
        export all;   # Actually insert routes into the kernel routing table
}
protocol device {
        scan time 60;
        #primary fc01:100:200:401::/64;
        primary fc01:100:200:400::/56;
}
protocol direct {
        interface "br10";
        interface "gre1";
        interface "gre2";
}
function net_infra() {
  return net ~ [ fc01:100:200::/48+, fc00::/16+ ];
}
filter bgp_out {
        if ( from = fc00:fe1b::9 ) then bgp_path.prepend(65004);
        if net_infra() then accept;
        #if net_martian() then reject;
        else reject;
}
filter bgp_in {
        if net_infra() then accept;
        else reject;
}
protocol bgp db_sc1 {
        local as myas;
        description "to db-sc1";
        neighbor fc00:fe1b::9 as myas;
        next hop self;
        import filter bgp_in;
        import limit 20;
        export filter bgp_out;
}
protocol bgp cobra {
        local as myas;
        description "to home";
        neighbor fc00:fe1b::5 as 65001;
        import filter bgp_in;
        import limit 20;
        export filter bgp_out;
        #next hop self;
}
  • Restart the bird daemon and don’t forget to set the enable flag at start
[root@db-xc1 35 ~]# service bird6 restart
[root@db-xc1 36 ~]# birdc6 show route 
[root@db-xc1 37 ~]# systemctl enable bird6.service