Моя установка имеет динамическое количество контейнеров LXC, и поэтому мне нужно динамическое выделение адресов ipv6. Интерфейс brNC-internet представляет собой простой мост, который отображается в контейнер на основе LXC.
Мне нужен способ автоматически назначать IPv6-адреса интерфейсу internet каждого контейнера LXC. Вручную это работает (см. ниже), но назначение должно происходить автоматически через dhcpd6 (или аналогичный сервис).
я бы хотел попробовать:
Примечание: SLAAC через radvd мне не подходит, потому что мой сетевой префикс — /66, а SLAAC требует префикс не длиннее /64 (идентификатор интерфейса занимает 64 бита), и radvd отказывается анонсировать более длинный префикс как autonomous; см. ссылку в ответе ниже.
Примечание: на данный момент я хочу сосредоточиться только на IPv6.
Примечание: я использую NixOS; скорее всего, я просто что-то неправильно настроил — мешает какое-то правило брандмауэра, или у меня общее недопонимание IPv6 или внутренностей LXC. В любом случае подскажите, что попробовать дальше.
Я установил radvd и dhcpd6 на хосте (виртуальная машина), но хотя radvd может подтолкнуть шлюз по умолчанию ipv6 и префикс, клиент никогда не обращается к серверу dhcpd6, используя dhcpcd от клиента.
Если я отключу клиент dhcpcd в гостевом контейнере LXC, то могу вручную назначить адрес из префикса, и ping6 до адреса Google работает:
[root@10:/]# ip a replace 2a01:4f8:221:3744:4000::4 dev internet
[root@10:/]# ping -6 -I internet 2a00:1450:4001:80b::2003
PING 2a00:1450:4001:80b::2003(2a00:1450:4001:80b::2003) from fe80::10af:ffff:fef4:318a internet: 56 data bytes
From fe80::2044:c6ff:fef3:cd5d%internet icmp_seq=1 Destination unreachable: Beyond scope of source address
64 bytes from 2a00:1450:4001:80b::2003: icmp_seq=2 ttl=55 time=5.36 ms
64 bytes from 2a00:1450:4001:80b::2003: icmp_seq=3 ttl=55 time=5.26 ms
64 bytes from 2a00:1450:4001:80b::2003: icmp_seq=4 ttl=55 time=5.27 ms
Я также попытался отключить брандмауэры как на хосте, так и на клиенте LXC, но без изменений.
dhcpcd -6 --config /nix/store/7n7ysqf92rlafihs9dm2gzsbh06cw64z-dhcpcd.conf
DUID 00:01:00:01:22:4f:af:36:ee:ae:40:b5:d7:d3
internet: IAID 98:0e:c7:c8
internet: soliciting an IPv6 router
internet: Router Advertisement from fe80::2044:c6ff:fef3:cd5d
forked to background, child pid 1238
tcpdump -i brNC-internet ip6
14:36:18.618554 IP6 fe80::dc5d:98ff:fe0e:c7c8 > ff02::2: ICMP6, router solicitation, length 16
14:36:18.618681 IP6 status.nixcloud.io > fe80::dc5d:98ff:fe0e:c7c8: ICMP6, router advertisement, length 112
14:36:20.578582 IP6 status.nixcloud.io > ff02::1: ICMP6, router advertisement, length 112
14:36:24.059514 IP6 status.nixcloud.io > fe80::dc5d:98ff:fe0e:c7c8: ICMP6, neighbor solicitation, who has fe80::dc5d:98ff:fe0e:c7c8, length 32
14:36:24.059598 IP6 fe80::dc5d:98ff:fe0e:c7c8 > status.nixcloud.io: ICMP6, neighbor advertisement, tgt is fe80::dc5d:98ff:fe0e:c7c8, length 24
journalctl -u dhcpd6 -f
-- Logs begin at Tue 2018-02-13 02:31:51 CET. --
Mar 30 14:00:08 status.nixcloud.io dhcpd[17605]: Wrote 0 NA, 0 TA, 0 PD leases to lease file.
Mar 30 14:00:08 status.nixcloud.io dhcpd6[17605]: Bound to *:547
Mar 30 14:00:08 status.nixcloud.io dhcpd[17605]: Bound to *:547
Mar 30 14:00:08 status.nixcloud.io dhcpd[17605]: Listening on Socket/5/brNC-internet/2a01:4f8:221:3744:4000::/66
Mar 30 14:00:08 status.nixcloud.io dhcpd[17605]: Sending on Socket/5/brNC-internet/2a01:4f8:221:3744:4000::/66
Mar 30 14:00:08 status.nixcloud.io dhcpd6[17605]: Listening on Socket/5/brNC-internet/2a01:4f8:221:3744:4000::/66
Mar 30 14:00:08 status.nixcloud.io dhcpd6[17605]: Sending on Socket/5/brNC-internet/2a01:4f8:221:3744:4000::/66
Mar 30 14:00:08 status.nixcloud.io systemd[1]: dhcpd6.service: Can't open PID file /run/dhcpd6/dhcpd.pid (yet?) after start: No such file or directory
Mar 30 14:00:08 status.nixcloud.io dhcpd6[17615]: Server starting service.
Mar 30 14:00:08 status.nixcloud.io systemd[1]: Started DHCPv6 server.
ip -6 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2a01:4f8:221:3744::1:26/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fefb:d8d0/64 scope link
valid_lft forever preferred_lft forever
3: enp0s2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::5054:ff:fe08:4db9/64 scope link
valid_lft forever preferred_lft forever
4: brNC-hostonly: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::5880:6aff:fe77:cd16/64 scope link
valid_lft forever preferred_lft forever
5: brNC-internet: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2a01:4f8:221:3744:4000::2/128 scope global
valid_lft forever preferred_lft forever
inet6 fc00::261/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::2044:c6ff:fef3:cd5d/64 scope link
valid_lft forever preferred_lft forever
121: vethVIEF2K@if120: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::fc55:8fff:fe5d:a50a/64 scope link
valid_lft forever preferred_lft forever
123: vethPIKVFW@if122: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::fc4f:adff:fe61:180b/64 scope link
valid_lft forever preferred_lft forever
133: vethC387B7@if132: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::fc5c:16ff:fe64:444b/64 scope link
valid_lft forever preferred_lft forever
135: vethE0I0FG@if134: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::fcbf:d4ff:fe33:a9d0/64 scope link
valid_lft forever preferred_lft forever
ip -6 r
2a01:4f8:221:3744::1:26 dev enp0s3 proto kernel metric 256 pref medium
2a01:4f8:221:3744:4000::2 dev brNC-internet proto kernel metric 256 pref medium
2a01:4f8:221:3744:4000::/66 dev brNC-internet proto kernel metric 256 expires 9700sec pref medium
fc00::26 dev enp0s3 metric 1024 pref medium
fc00::261 dev brNC-internet proto kernel metric 256 pref medium
fe80::/64 dev enp0s3 proto kernel metric 256 pref medium
fe80::/64 dev brNC-hostonly proto kernel metric 256 pref medium
fe80::/64 dev brNC-internet proto kernel metric 256 pref medium
fe80::/64 dev enp0s2 proto kernel metric 256 pref medium
fe80::/64 dev vethVIEF2K proto kernel metric 256 pref medium
fe80::/64 dev vethPIKVFW proto kernel metric 256 pref medium
fe80::/64 dev vethE0I0FG proto kernel metric 256 pref medium
fe80::/64 dev vethC387B7 proto kernel metric 256 pref medium
default via fc00::26 dev enp0s3 metric 1024 pref medium
cat /nix/store/5zvcjwvlj9n7cvrppkw1mxsxwhxwx3cm-dhcpd.conf
# ISC dhcpd running in DHCPv6 mode (the dhcpd6 unit). The file lives in /nix/store, so it is generated by
# the NixOS module (see the services.dhcpd6 settings further down) and must not be edited in place.
default-lease-time 600;
max-lease-time 7200;
# Mainly affects DHCPv4 NAK behaviour; kept for consistency with the later, working configuration.
authoritative;
# DDNS is switched to "interim" style, but no ddns-updates, zone or key is configured here, so no update can happen.
ddns-update-style interim;
log-facility local1; # see dhcpd.nix
subnet6 2a01:4f8:221:3744:4000::/66 {
# NOTE(review): the only range6 is commented out, so this subnet has NO address pool. dhcpd will bind and log
# "Listening on ... brNC-internet", but it has nothing to put into an Advertise/Reply. A
# "range6 <first> <last>;" (or "range6 <prefix> temporary;") inside the subnet is required before any
# container can obtain an IA_NA lease - the working configuration below adds exactly that.
#range6 2a01:4f8:221:3744:4000::/66 temporary;
option dhcp6.name-servers 2a01:4f8:0:1::add:1010, 2a01:4f8:0:1::add:9999, 2a01:4f8:0:1::add:9898;
}
cat /nix/store/89j6hg4qhnd9nyijf9p2dcr4f5ygjz6r-radvd.conf
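# radvd on the container bridge. Its job is to announce the host as default router and to publish the /66 as
# on-link; the addresses themselves have to come from DHCPv6, because a prefix longer than /64 cannot be used
# for SLAAC (the EUI-64 interface identifier needs 64 bits).
interface brNC-internet {
    AdvSendAdvert on;
    # Short intervals so a freshly started container sees a RA within seconds.
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    # M flag (RFC 4861 "Managed address configuration"): tell clients to obtain their address via DHCPv6.
    # Without it the RA carries no autonomous prefix AND no M/O bit, so an RA-driven client such as dhcpcd
    # (which starts DHCPv6 based on the RA flags unless forced with ia_na) never sends a Solicit. That is what
    # the tcpdump on this page shows: router solicitation/advertisement only, no dhcp6 traffic at all.
    AdvManagedFlag on;
    # O flag: other configuration (DNS etc.) is available from DHCPv6 as well.
    AdvOtherConfigFlag on;
    prefix 2a01:4f8:221:3744:4000::/66 {
        # Containers reach each other and the host's bridge address directly instead of via the router.
        AdvOnLink on;
        # No SLAAC: the prefix is longer than /64.
        AdvAutonomous off;
    };
    # Recursive DNS servers advertised in the RA (RFC 8106); dhcpd hands out the same list.
    RDNSS 2a01:4f8:0:1::add:1010 2a01:4f8:0:1::add:9999 2a01:4f8:0:1::add:9898 { };
};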
[root@10:/]# ip -6 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
132: hostonly@if133: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::484f:50ff:fe0c:fa62/64 scope link
valid_lft forever preferred_lft forever
134: internet@if135: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2a01:4f8:221:3744:4000::4/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::10af:ffff:fef4:318a/64 scope link
valid_lft forever preferred_lft forever
[root@10:/]# ip -6 r
2a01:4f8:221:3744:4000::4 dev internet proto kernel metric 256 pref medium
2a01:4f8:221:3744:4000::/66 dev internet proto kernel metric 256 expires 86395sec pref medium
fe80::/64 dev hostonly proto kernel metric 256 pref medium
fe80::/64 dev internet proto kernel metric 256 pref medium
default via fe80::2044:c6ff:fef3:cd5d dev internet proto ra metric 1024 expires 25sec hoplimit 64 pref medium
# LXC configuration of container "10" (nixcloud-container). The container is unprivileged: uid/gid 0-65535
# inside map to 100000-165535 on the host (lxc.idmap below), which is the main isolation layer here because
# no AppArmor profile is applied (see lxc.apparmor.profile).
lxc.uts.name = 10
# Fixme also support other architectures?
lxc.arch = x86_64
# Not needed; it just spares LXC a few cpu cycles because it doesn't have
# to detect the backend.
#lxc.rootfs.backend = dir
# NOTE(review): lxc.rootfs.path is set twice in this file (plain path here, "dir:"-prefixed at the very end);
# presumably the last one wins - keep a single definition.
lxc.rootfs.path = /var/lib/lxc/10/rootfs
lxc.init.cmd = /init/container/init
#lxc.rootfs = /var/lib/lxc/10/rootfs
# Ensures correct functionality with user namespaces. Since mknod is not possible stuff like
# /dev/console, /dev/tty, /dev/urandom, etc. need to be bind mounted. Note the order
# of the file inclusion here is important.
lxc.include = /nix/store/3hz7xkd86pzrvr4z53fa079q61qar02x-lxc-2.1.1/share/lxc/config/common.conf
lxc.include = /nix/store/3hz7xkd86pzrvr4z53fa079q61qar02x-lxc-2.1.1/share/lxc/config/userns.conf
## Network
# see also https://wiki.archlinux.org/index.php/Linux_Containers
# Two veth pairs: "hostonly" on the private bridge, "internet" on the bridge that carries the public /66.
# NOTE(review): nothing shown on this page filters what a container may send onto brNC-internet, so a
# container could emit its own Router Advertisements or DHCPv6 replies and redirect the other containers
# (rogue RA / rogue DHCPv6). If tenants are not fully trusted, drop ICMPv6 type 134 and UDP source port 547
# coming from the veth ports (ebtables/nftables bridge rules).
lxc.net.0.type = veth
lxc.net.0.name = hostonly
#lxc.net.0.ipv4.address = 10.101.0.63 (we assign this using nix, not from lxc)
lxc.net.0.flags = up
lxc.net.0.link = brNC-hostonly
lxc.net.1.type = veth
lxc.net.1.name = internet
lxc.net.1.flags = up
lxc.net.1.link = brNC-internet
# Specify {u,g}id mapping.
# NOTE(review): if every container uses this identical 100000+65536 range, uid N in one container is the same
# host uid as uid N in another; separation between containers then rests on the separate rootfs trees alone.
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
# FIXME apparmor support
# Nixos does not provide AppArmor support.
#lxc.aa_profile = unconfined
#lxc.aa_allow_incomplete = 1
# No mandatory access control on this container at all; allow_incomplete lets it start even when the
# kernel lacks AppArmor mount-mediation support.
lxc.apparmor.profile = unconfined
lxc.apparmor.allow_incomplete = 1
# Tweaks for systemd.
lxc.autodev = 1
# Additional mount entries.
# NOTE(review): "bind.ro" and "0.0" are not the fstab spelling ("bind,ro" ... "0 0", as on the next line).
# Check with findmnt inside the container that nix/store really is mounted read-only: a writable shared store
# would let one container alter files that the host and every other container execute.
lxc.mount.entry = /nix/store nix/store none defaults,bind.ro 0.0
lxc.mount.entry = /nix/var/nix/profiles/nixcloud-container-10 init none defaults,bind.ro 0 0
# Mount entries that lead to a cleaner boot experience.
# NOTE(review): debugfs, securityfs and pstore expose host-kernel internals inside the container. "optional"
# only means a failed mount does not abort the start; consider dropping these unless the container's init
# really needs them.
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0
# LXC autostart
lxc.start.auto = 0
lxc.rootfs.path = dir:/var/lib/lxc/10/rootfs
Итак, вот решение:
после 3 полных дней пробных разных конфигураций, чтения около 40 веб-страниц и адской удачи, вот как у меня все заработало:
# Diagnostic step only: stopping the NixOS firewall confirmed that it was what blocked DHCPv6.
# Do not leave it off - add the bridge-scoped rule below and start the firewall again.
systemctl stop firewall
В брандмауэре NixOS не хватало правил, пропускающих DHCPv6 на интерфейсе моста; я добавил следующие правила (строго говоря, DHCPv6 работает только по UDP, а серверу нужен только порт 547, так что правила для TCP и для порта 546 избыточны):
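# Admit DHCPv6 from containers to the server, on the container bridge only.
# DHCPv6 (RFC 3315 / RFC 8415) is UDP-only and a server receives on port 547 (clients send 546 -> 547), so the
# TCP rules and the extra "546" destination port that were originally added are unnecessary and only widen the
# exposure. The interface match matters: dhcpd6 logs "Bound to *:547", i.e. its socket is on every interface,
# and without "-i brNC-internet" the firewall would also admit DHCPv6 arriving on the public enp0s3.
# NOTE(review): on NixOS the INPUT chain normally just jumps to the nixos-fw chain, which ends in a refuse, so
# a rule appended to INPUT behind that jump may never be reached. Put this into
# networking.firewall.extraCommands targeting the nixos-fw chain (ip6tables -A nixos-fw ...), or use an
# interface-scoped allowedUDPPorts option if this NixOS release offers one.
ip6tables -A INPUT -i brNC-internet -p udp -m udp --dport 547 -j ACCEPT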
Резюме: состояние документации ipv6, конфигураций ipv6 по умолчанию (на сервере ubuntu) и руководств по передовой практике - позор и еще раз показывает, почему ipv6 не развертывается на большем количестве сайтов, и при этом я имею в виду серверы (даже не говоря о клиентских конфигурациях как ноутбуки или мобильные устройства здесь).
моя текущая настройка развертывает шлюз ipv6 через radvd
и назначает адреса ipv6, используя dhcpd6
параллельно, поскольку в моей конфигурации SLAAC использовать нельзя: мой префикс — /66, а для SLAAC он должен быть не длиннее /64 (/64, /63, …, то есть число не больше 64). Подробнее см. http://www.teaparty.net/technotes/home-ipv6.html (раздел radvd).
Примечание о dhclient: в отличие от dhcpcd, которому потребовалась специальная конфигурация (см. ниже), dhclient на моих тестовых машинах Ubuntu получил аренду вообще без изменений конфигурации. Это большой плюс по сравнению с реализацией dhcpcd.
примечание о документации и блогах: Большое спасибо sixxs.net и авторам этих веб-страниц. без твоей замечательной работы я бы не справился!
interface brNC-internet {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
#prefix 2a01:4f8:221:3744:4000::/66 {
# AdvOnLink on;
# AdvAutonomous off;
#};
#RDNSS 2a01:4f8:0:1::add:1010 2a01:4f8:0:1::add:9999 2a01:4f8:0:1::add:9898 { };
[root@11:~]# dhcpcd --config /root/dhcpcd6.conf
DUID 00:01:00:01:22:52:a7:e3:0a:79:bb:c7:9c:d6
internet: IAID fc:bf:59:37
internet: IAID 00:00:00:01
internet: confirming prior DHCPv6 lease
internet: REPLY6 received from fe80::e4d2:fbff:feab:81dd
internet: adding address 2a01:4f8:221:3744:4000::300/128
internet: renew in 40000, rebind in 64000, expire in 86400 seconds
forked to background, child pid 12363
# dhcpcd configuration used inside the container (dhcpcd --config /root/dhcpcd6.conf): DHCPv6 only, a
# stateful (IA_NA) address on the "internet" interface, requested regardless of what the RA says.
# Inform the DHCP server of our hostname for DDNS.
# NOTE(review): this hostname becomes the forward DNS name the server tries to register (the dhcpd6 journal
# shows "11.your.domain.com" for this container), i.e. the name is chosen by the container, not by the host.
hostname
# Rapid commit support.
# Safe to enable by default because it requires the equivalent option set
# on the server to actually work.
option rapid_commit
# options to request from the DHCP
option domain_name_servers, interface_mtu
# A ServerID is required by RFC2131.
# (RFC 2131 is DHCPv4; with ipv6only below this line appears to have no effect on the DHCPv6 exchange and was
# presumably kept from the stock template.)
require dhcp_server_identifier
# only configure ipv6
ipv6only
# disable routing solicitation
# NOTE(review): noipv6rs makes dhcpcd neither send Router Solicitations nor act on Router Advertisements, so
# the container's default route then depends on the kernel's own RA processing
# (net.ipv6.conf.internet.accept_ra) - confirm that is enabled, otherwise the container has no default route.
noipv6rs
# don't touch these interfaces at all
denyinterfaces hostonly
interface internet
# enable routing solicitation get the default IPv6 route
#ipv6rs
# request a normal (IA_NA) IPv6 address with IAID 1
# This is what makes the client solicit DHCPv6 although the RA carries no M flag: ia_na forces a stateful
# request instead of waiting for the router to ask for one.
ia_na 1
# NixOS settings for the ISC DHCPv6 server serving the container bridge (the dhcpd6 unit in the journal).
services.dhcpd6 = {
enable = true;
# Serve the container bridge only. The process still binds *:547, so the host firewall - not this list -
# is what keeps DHCPv6 off the public interface.
interfaces = [ "brNC-internet" ];
extraConfig = ''
# --- Dynamic DNS ---
# NOTE(review): this DDNS block is unauthenticated and permissive: the rndc/TSIG key include below is
# commented out, the forward name comes from the client-supplied hostname, "allow client-updates" honours
# the client's own update intentions, and update-conflict-detection is off - so one container can overwrite
# the record of another container (or of any name under your.domain.com the server is allowed to update).
# On a multi-tenant bridge prefer "ignore client-updates;", keep conflict detection on, and sign updates
# with a key. The dhcpd6 journal on this page shows the forward-map update timing out, so at the moment
# no record is written at all.
ddns-update-style interim;
ddns-updates on;
ddns-domainname "your.domain.com";
ddns-rev-domainname "ip6.arpa";
allow client-updates;
update-conflict-detection false;
update-optimization false;
authoritative;
# DHCPv4-style option; in -6 mode the DHCPv6 equivalent is dhcp6.name-servers below (this line is presumably inert).
option domain-name-servers dns.your.domain.com;
default-lease-time 86400;
preferred-lifetime 80000;
# NOTE(review): leasequery lets any host on the bridge ask the server for lease data (addresses, DUIDs) of
# the other containers; drop it unless something actually uses it.
allow leasequery;
# Global placeholders (2001:db8::/32 is the documentation prefix); overridden inside the subnet below.
option dhcp6.name-servers 2001:0db8:edfa:1234::1;
option dhcp6.domain-search "your.domain.com","domain.com";
# Uncomment and point at a real key file to make the DDNS updates authenticated.
#include "/etc/rndc.key";
# Preference 255 makes a client accept this server's Advertise immediately instead of waiting for others.
option dhcp6.preference 255;
subnet6 2a01:4f8:221:3744:4000::/66 {
#range6 2a01:4f8:221:3744:4000::/66 temporary;
# Stateful (IA_NA) pool ::129 - ::300 (hex); the host's own bridge address ::2 lies outside it.
range6 2a01:4f8:221:3744:4000::129 2a01:4f8:221:3744:4000::300;
option dhcp6.name-servers 2a01:4f8:0:1::add:1010, 2a01:4f8:0:1::add:9999, 2a01:4f8:0:1::add:9898;
# There is no standard DHCPv6 router option: the default route comes from radvd's RA, not from DHCP.
# option dhcp6.gateway 2001:db8:2:3::1;
}
'';
};
tcpdump -i brNC-internet ip6
13:47:01.854794 IP6 fe80::d4e8:fcff:febf:5937 > status.nixcloud.io: ICMP6, neighbor solicitation, who has status.nixcloud.io, length 32
13:47:01.854827 IP6 status.nixcloud.io > fe80::d4e8:fcff:febf:5937: ICMP6, neighbor advertisement, tgt is status.nixcloud.io, length 24
13:47:05.649860 IP6 status.nixcloud.io > ff02::1: ICMP6, router advertisement, length 24
13:47:06.772849 IP6 fe80::d4e8:fcff:febf:5937.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
13:47:06.773021 IP6 status.nixcloud.io.dhcpv6-server > fe80::d4e8:fcff:febf:5937.dhcpv6-client: dhcp6 advertise
13:47:06.773344 IP6 fe80::d4e8:fcff:febf:5937.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 request
13:47:06.774004 IP6 status.nixcloud.io.dhcpv6-server > fe80::d4e8:fcff:febf:5937.dhcpv6-client: dhcp6 reply
13:47:06.777782 IP6 fe80::d4e8:fcff:febf:5937 > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
13:47:07.071788 IP6 fe80::d4e8:fcff:febf:5937 > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
13:47:07.423792 IP6 :: > ff02::1:ff00:300: ICMP6, neighbor solicitation, who has 2a01:4f8:221:3744:4000::300, length 32
Apr 01 13:35:41 status.nixcloud.io dhcpd6[9225]: Copyright 2004-2016 Internet Systems Consortium.
Apr 01 13:35:41 status.nixcloud.io dhcpd6[9225]: All rights reserved.
Apr 01 13:35:41 status.nixcloud.io dhcpd6[9225]: For info, please visit https://www.isc.org/software/dhcp/
Apr 01 13:35:41 status.nixcloud.io dhcpd6[9225]: Wrote 0 NA, 0 TA, 0 PD leases to lease file.
Apr 01 13:35:41 status.nixcloud.io dhcpd[9225]: Wrote 0 NA, 0 TA, 0 PD leases to lease file.
Apr 01 13:35:42 status.nixcloud.io dhcpd6[9225]: Bound to *:547
Apr 01 13:35:42 status.nixcloud.io dhcpd[9225]: Bound to *:547
Apr 01 13:35:42 status.nixcloud.io dhcpd[9225]: Listening on Socket/5/brNC-internet/2a01:4f8:221:3744:4000::/66
Apr 01 13:35:42 status.nixcloud.io dhcpd[9225]: Sending on Socket/5/brNC-internet/2a01:4f8:221:3744:4000::/66
Apr 01 13:35:42 status.nixcloud.io dhcpd6[9225]: Listening on Socket/5/brNC-internet/2a01:4f8:221:3744:4000::/66
Apr 01 13:35:42 status.nixcloud.io dhcpd6[9225]: Sending on Socket/5/brNC-internet/2a01:4f8:221:3744:4000::/66
Apr 01 13:35:42 status.nixcloud.io systemd[1]: Started DHCPv6 server.
Apr 01 13:35:42 status.nixcloud.io dhcpd6[9227]: Server starting service.
Apr 01 13:44:47 status.nixcloud.io dhcpd6[9227]: Solicit message from fe80::d4e8:fcff:febf:5937 port 546, transaction ID 0x693A9D00
Apr 01 13:44:47 status.nixcloud.io dhcpd6[9227]: Picking pool address 2a01:4f8:221:3744:4000::300
Apr 01 13:44:47 status.nixcloud.io dhcpd6[9227]: Advertise NA: address 2a01:4f8:221:3744:4000::300 to client with duid 00:01:00:01:22:52:a7:e3:0a:79:bb:c7:9c:d6 iaid = 1 valid for 86400 seconds
Apr 01 13:44:47 status.nixcloud.io dhcpd6[9227]: Sending Advertise to fe80::d4e8:fcff:febf:5937 port 546
Apr 01 13:44:47 status.nixcloud.io dhcpd6[9227]: Request message from fe80::d4e8:fcff:febf:5937 port 546, transaction ID 0x8694C500
Apr 01 13:44:47 status.nixcloud.io dhcpd6[9227]: Reply NA: address 2a01:4f8:221:3744:4000::300 to client with duid 00:01:00:01:22:52:a7:e3:0a:79:bb:c7:9c:d6 iaid = 1 valid for 86400 seconds
Apr 01 13:44:47 status.nixcloud.io dhcpd6[9227]: Sending Reply to fe80::d4e8:fcff:febf:5937 port 546
Apr 01 13:45:38 status.nixcloud.io dhcpd6[9227]: Release message from fe80::d4e8:fcff:febf:5937 port 546, transaction ID 0x176D6200
Apr 01 13:45:38 status.nixcloud.io dhcpd6[9227]: Client 00:01:00:01:22:52:a7:e3:0a:79:bb:c7:9c:d6 releases address 2a01:4f8:221:3744:4000::300
Apr 01 13:45:38 status.nixcloud.io dhcpd6[9227]: Sending Reply to fe80::d4e8:fcff:febf:5937 port 546
Apr 01 13:45:44 status.nixcloud.io dhcpd6[9227]: Solicit message from fe80::d4e8:fcff:febf:5937 port 546, transaction ID 0x9D658700
Apr 01 13:45:44 status.nixcloud.io dhcpd6[9227]: Advertise NA: address 2a01:4f8:221:3744:4000::300 to client with duid 00:01:00:01:22:52:a7:e3:0a:79:bb:c7:9c:d6 iaid = 1 valid for 86400 seconds
Apr 01 13:45:44 status.nixcloud.io dhcpd6[9227]: Sending Advertise to fe80::d4e8:fcff:febf:5937 port 546
Apr 01 13:45:44 status.nixcloud.io dhcpd6[9227]: Request message from fe80::d4e8:fcff:febf:5937 port 546, transaction ID 0xBF064200
Apr 01 13:45:44 status.nixcloud.io dhcpd6[9227]: Reply NA: address 2a01:4f8:221:3744:4000::300 to client with duid 00:01:00:01:22:52:a7:e3:0a:79:bb:c7:9c:d6 iaid = 1 valid for 86400 seconds
Apr 01 13:45:44 status.nixcloud.io dhcpd6[9227]: Sending Reply to fe80::d4e8:fcff:febf:5937 port 546
Apr 01 13:46:20 status.nixcloud.io dhcpd6[9227]: Unable to add forward map from 11.your.domain.com to 2a01:4f8:221:3744:4000::300: timed out