Ask Your Question
1

ipv6 dhcpv6 not working on icehouse. Is it supported?

asked 2014-05-27 15:00:30 -0500

neb-m gravatar image

updated 2014-07-19 11:59:09 -0500

smaffulli gravatar image

While attempting to bring up VM with DHCPv6, we noticed that security rules on the compute host are dropping DHCPv6 request coming from the tap interface. Unlike the IPv4 security rules, there are no IPv6 rules that allow for DHCPv6 message exchange.

For example:

Chain neutron-openvswi-o2acc1247-4 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    **0     0 RETURN     icmpv6    *      *       ::/0                 ::/0
   18  1800 neutron-openvswi-s2acc1247-4  all      *      *       ::/0                 ::/0**   
    0     0 DROP       all      *      *       ::/0                 ::/0                 state INVALID
    0     0 RETURN     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
    0     0 RETURN     all      *      *       ::/0                 ::/0
    0     0 neutron-openvswi-sg-fallback  all      *      *       ::/0                 ::/0   
root@g2ice-cpu2:~# ip6tables -n -v -L neutron-openvswi-s2acc1247-4
Chain neutron-openvswi-s2acc1247-4 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all      *      *       fd00:5060:5060:5060::3  ::/0                 MAC FA:16:3E:BE:F3:2F
   18  1800 DROP       all      *      *       ::/0                 ::/0

Sorry, for late follow-up. I didn't receive email when you posted the comment. Here is my nova.conf.

root@g2ice-cntrl:/etc/nova# cat nova.conf
[DEFAULT]
resume_guests_state_on_host_boot=True
#verbose=True
scheduler_default_filters = RetryFilter, AvailabilityZoneFilter, RamFilter, ComputeFilter, ComputeCapabilitiesFilter, ImagePropertiesFilter, ServerGroupAntiAffinityFilter, ServerGroupAffinityFilter, AggregateMultiTenancyIsolation
dhcpbridge_flagfile=/etc/nova/nova.conf
dhcpbridge=/usr/bin/nova-dhcpbridge
logdir=/var/log/nova
state_path=/var/lib/nova
lock_path=/var/lock/nova
force_dhcp_release=True
iscsi_helper=tgtadm
libvirt_use_virtio_for_bridges=True
connection_type=libvirt
root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
ec2_private_dns_show_ip=True
api_paste_config=/etc/nova/api-paste.ini
volumes_path=/var/lib/nova/volumes
enabled_apis=osapi_compute,metadata
cpu_allocation_ratio=1
rpc_backend = rabbit
rabbit_host = g2ice-cntrl
rabbit_password = RABBIT_PASS
my_ip = 10.1.165.98
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = 10.1.165.98
vnc_enabled=True
novncproxy_base_url=http://x.x.x.x:6080/vnc_auto.html
auth_strategy = keystone
glance_host = g2ice-cntrl
network_api_class=nova.network.neutronv2.api.API
neutron_url=http://g2ice-cntrl:9696
neutron_auth_strategy=keystone
neutron_admin_tenant_name=service
neutron_admin_username=neutron
neutron_admin_password=NEUTRON_PASS
neutron_admin_auth_url=http://x.x.x.x:35357/v2.0
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver=nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron
neutron_metadata_proxy_shared_secret = METADATA_PASS
service_neutron_metadata_proxy = true
allow_resize_to_same_host=True
sql_connection=mysql://nova:NOVA_DBPASS@g2ice-cntrl/nova
[keystone_authtoken]
auth_uri = http://g2ice-cntrl:5000
auth_host = g2ice-cntrl
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = nova
admin_password = NOVA_PASS
edit retag flag offensive close merge delete

Comments

Can you paste in your nova.conf? I've had IPv6 running on Grizzly before, and will be attempting to so with Icehouse in the next day or so. I currently have instances launching with IPv6 addresses, but they are coming from my router...

kordless gravatar imagekordless ( 2014-06-06 20:18:27 -0500 )edit

You can use https://paste.openstack.org to paste large pieces of text.

smaffulli gravatar imagesmaffulli ( 2014-07-19 12:04:33 -0500 )edit

1 answer

Sort by ยป oldest newest most voted
0

answered 2014-07-19 12:08:09 -0500

smaffulli gravatar image

This looks like a bug to me, you may want to file one. To answer your question, IPv6 support exists but AFAIK not complete 100% and I know of very few users with IPv6 deployed in production (meaning that I wouldn't be surprised if you found lots of bugs).

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2014-05-27 15:00:30 -0500

Seen: 236 times

Last updated: Jul 19 '14