incubator-cloudstack-dev mailing list archives

From Chip Childers <chip.child...@sungard.com>
Subject Re: Disable IPv6 for systemvm
Date Mon, 30 Jul 2012 14:57:10 GMT
Looks like we are using the same version, but different configuration?:

# uname -a
Linux xshost2 2.6.32.12-0.7.1.xs6.0.2.542.170665xen #1 SMP Tue Jan 17 15:14:24 EST 2012 i686 i686 i386 GNU/Linux

# cat /etc/redhat-release
XenServer release 6.0.2-53456p (xenenterprise)

# ls /proc/sys/net/ipv6/conf/all/autoconf
ls: /proc/sys/net/ipv6/conf/all/autoconf: No such file or directory

I can't get a simple ipv6 table list, because the protocol
# ip6tables -L
ip6tables v1.3.5: can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.

The ip6tables commands will fail with the above error if it's not
enabled.  Other than that, I think the script would work (if v6 is
enabled on the host).

On Mon, Jul 30, 2012 at 10:44 AM, Hugo Trippaers
<HTrippaers@schubergphilis.com> wrote:
> Hey Chip,
>
> Interesting, which version are you using?
>
> My box:
> Linux XXXXXX 2.6.32.12-0.7.1.xs6.0.2.542.170665xen #1 SMP Tue Jan 17 15:14:24 EST 2012 i686 i686 i386 GNU/Linux
> [root@XXXXX ~]# cat /etc/redhat-release
> XenServer release 6.0.2-53456p (xenenterprise)
> [root@XXXXX ~]# ls /proc/sys/net/ipv6/conf/all/autoconf
> /proc/sys/net/ipv6/conf/all/autoconf
> [root@XXXXX ~]# cat /proc/sys/net/ipv6/conf/all/autoconf
> 1
>
> Btw I plan to add this to setupxenserver.sh:
> # setup ip6tables
> if [ -x "/sbin/ip6tables" ] ; then
>     /sbin/ip6tables -P INPUT DROP
>     /sbin/ip6tables -P OUTPUT DROP
>     /sbin/ip6tables -P FORWARD DROP
>     if [ -x "/etc/init.d/ip6tables" ] ; then
>         /etc/init.d/ip6tables save
>     fi
> fi
>
> # disable IPv6
> if [ -d "/proc/sys/net/ipv6/conf/all" ] ; then
>     /sbin/sysctl -w net.ipv6.conf.all.forwarding=0
>     /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0
>     /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
>     /sbin/sysctl -w net.ipv6.conf.all.autoconf=0
>     /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1
> fi
>
> Cheers,
>
> Hugo
>
> -----Original Message-----
> From: Chip Childers [mailto:chip.childers@sungard.com]
> Sent: Monday, July 30, 2012 4:06 PM
> To: <cloudstack-dev@incubator.apache.org>
> Subject: Re: Disable IPv6 for systemvm
>
> The latest Xen Server install seems to have IPv6 disabled (just checked in my lab). Is it enabled in XCP?
>
> (I may be showing my Xen ignorance here)
>
> - chip
>
> On Jul 30, 2012, at 9:24 AM, Hugo Trippaers <HTrippaers@schubergphilis.com> wrote:
>
>> Hey Chip,
>>
>> Yeah, I want help :-)
>>
>> I just committed the sysctl.conf changes for the systemvm. This morning I applied them to my test environment and they do the job.
>>
>> We could add the actual sysctl command to the vmops next to adding the IPv6 ip6tables statements I think.
>>
>> Cheers,
>>
>> Hugo
>>
>>
>> -----Original Message-----
>> From: Chip Childers [mailto:chip.childers@sungard.com]
>> Sent: Monday, July 30, 2012 3:13 PM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: Re: Disable IPv6 for systemvm
>>
>> On Mon, Jul 30, 2012 at 7:32 AM, Hugo Trippaers <HTrippaers@schubergphilis.com> wrote:
>>> By the way, we might want to add the same configuration to vmops for XenServer.
>>>
>>> Currently it is possible to have a tenant vm send a router advertisement on the isolated lan that is picked up by XenServer. Even though XenServer only has a bridge interface in the tenant lan, that interface will be autoconfigured. A simple ping to the local all-nodes address (ff02::1) will tell you the mac of the XenServer interface. As XenServer has ssh active on all interfaces you can directly connect to the ssh daemon on the XenServer. We only push an IPv4 firewall to the XenServer so the IPv6 firewall is default (ACCEPT everything).
>>>
>>> Still you only gain access to the ssh port, but that is something that should not be possible from a tenant lan.
>>>
>>> Cheers,
>>>
>>> Hugo
>>
>> As a provider, this one is even more concerning.  Unless someone has an objection, I'd agree with your solution.  We can remove a DENY rule in the future, after IPv6 support is added properly / completely.
>>
>> If you want help working up the fix for this, please let me know!
>>
>> -chip
>>
>
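As an added example (not code from the thread or from CloudStack), two POSIX sh helpers that audit the posture Hugo's proposed setupxenserver.sh block is meant to produce, given saved `sysctl net.ipv6.conf.all` and `ip6tables -L` output; they also recognise a host like Chip's where the kernel has no IPv6 at all, so there is nothing to harden. The sample values are constructed; only autoconf=1 comes from the thread.

```shell
#!/bin/sh
# Offline audit helpers, added here (not CloudStack's own code): each takes the
# text of a command's output, so saved output from a host can be checked.
# Values the proposed setupxenserver.sh block writes, as key=value pairs.
IPV6_SYSCTL_WANT="net.ipv6.conf.all.forwarding=0 net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.all.autoconf=0
net.ipv6.conf.all.disable_ipv6=1"

# audit_ipv6_sysctl TEXT  (TEXT = output of `sysctl net.ipv6.conf.all`)
# Prints each setting that differs from the hardened value; returns 1 if any
# does. No net.ipv6 keys at all (kernel without IPv6) means nothing to harden: 0.
audit_ipv6_sysctl() {
    text=$1 rc=0
    case $text in *net.ipv6.*) ;; *) echo "no net.ipv6 sysctls: IPv6 absent"; return 0 ;; esac
    for pair in $IPV6_SYSCTL_WANT; do
        key=${pair%%=*} want=${pair#*=}
        got=$(printf '%s\n' "$text" | awk -v k="$key" '$1 == k { print $NF; exit }')
        if [ -z "$got" ]; then echo "$key: missing"; rc=1
        elif [ "$got" != "$want" ]; then echo "$key: got $got, want $want"; rc=1
        fi
    done
    return $rc
}

# audit_ip6tables_policies TEXT  (TEXT = output of `ip6tables -L`)
# The default ACCEPT policy is what left the XenServer ssh daemon reachable over
# an autoconfigured address, so INPUT, OUTPUT and FORWARD must all be DROP. An
# "Address family not supported" error means no IPv6 in the kernel: returns 0.
audit_ip6tables_policies() {
    text=$1 rc=0
    case $text in *"Address family not supported"*) echo "no ip6tables: IPv6 absent"; return 0 ;; esac
    for chain in INPUT OUTPUT FORWARD; do
        policy=$(printf '%s\n' "$text" | sed -n "s/^Chain $chain (policy \([A-Z]*\)).*/\1/p")
        [ "$policy" = DROP ] || { echo "$chain: policy ${policy:-unknown}"; rc=1; }
    done
    return $rc
}

# Constructed samples: autoconf=1 as Hugo saw on his box; the other values are
# plausible defaults, not taken from the thread.
SAMPLE_SYSCTL="net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.disable_ipv6 = 0"
SAMPLE_IP6TABLES="Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy DROP)"
audit_ipv6_sysctl "$SAMPLE_SYSCTL" && echo "sysctl: hardened"
audit_ip6tables_policies "$SAMPLE_IP6TABLES" && echo "ip6tables: hardened"
```

On a live host the same functions take `"$(sysctl net.ipv6.conf.all 2>&1)"` and `"$(ip6tables -L 2>&1)"` as arguments.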
