From: Hugo Trippaers
To: "cloudstack-dev@incubator.apache.org"
Subject: RE: Disable IPv6 for systemvm
Date: Mon, 30 Jul 2012 15:43:20 +0000
Message-ID: <6DE00C9FDF08A34683DF71786C70EBF0298BE7ED@SBPOMB402.sbp.lan>

Hey,

I just pushed a fix that will disable IPv6 immediately and reinstate the disable-ipv6 file. This should take care of the current situation for people with the support pack. So far my testing has revealed no adverse effects.

Does anybody have any idea why IPv6 support is enabled by the cloud support pack?

What about distribution of the support pack? It is currently available from downloads.cloud.com; how do we deal with this in release 4.0?

Cheers,

Hugo

-----Original Message-----
From: Chip Childers [mailto:chip.childers@sungard.com]
Sent: Monday, July 30, 2012 5:11 PM
To: cloudstack-dev@incubator.apache.org
Subject: Re: Disable IPv6 for systemvm

Indeed - I'm testing in an advanced networking zone, so we didn't bother doing the support pack installation. That would be the difference.

I think your scripts will work, excluding the error condition that my environment introduces. IMO - if that pack isn't required, then we should expect to see environments like the one I'm using right now.

-chip

On Mon, Jul 30, 2012 at 11:07 AM, Hugo Trippaers wrote:
> Hey Chip,
>
> Think I found it. Do you have the cloud support pack (http://download.cloud.com/releases/3.0.1/XS-6.0.2/xenserver-cloud-supp.tgz) installed? My guess is you don't.
>
> During the firstboot of xen the file "/etc/modprobe.d/disable-ipv6" is removed by that pack. This enables IPv6, which is indeed disabled by default by XenServer.
>
> We (or actually the Cloudstack basic install guide) actively promote that this should be installed to enable security groups.
>
> Cheers,
>
> Hugo
>
> -----Original Message-----
> From: Chip Childers [mailto:chip.childers@sungard.com]
> Sent: Monday, July 30, 2012 4:57 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: Disable IPv6 for systemvm
>
> Looks like we are using the same version, but different configuration?:
>
> # uname -a
> Linux xshost2 2.6.32.12-0.7.1.xs6.0.2.542.170665xen #1 SMP Tue Jan 17 15:14:24 EST 2012 i686 i686 i386 GNU/Linux
>
> # cat /etc/redhat-release
> XenServer release 6.0.2-53456p (xenenterprise)
>
> # ls /proc/sys/net/ipv6/conf/all/autoconf
> ls: /proc/sys/net/ipv6/conf/all/autoconf: No such file or directory
>
> I can't get a simple ipv6 table list, because the protocol isn't there:
>
> # ip6tables -L
> ip6tables v1.3.5: can't initialize ip6tables table `filter': Address family not supported by protocol
> Perhaps ip6tables or your kernel needs to be upgraded.
>
> The ip6tables commands will fail with the above error if it's not enabled. Other than that, I think the script would work (if v6 is enabled on the host).
>
> On Mon, Jul 30, 2012 at 10:44 AM, Hugo Trippaers wrote:
>> Hey Chip,
>>
>> Interesting, which version are you using?
>>
>> My box:
>> Linux XXXXXX 2.6.32.12-0.7.1.xs6.0.2.542.170665xen #1 SMP Tue Jan 17 15:14:24 EST 2012 i686 i686 i386 GNU/Linux
>> [root@XXXXX ~]# cat /etc/redhat-release
>> XenServer release 6.0.2-53456p (xenenterprise)
>> [root@XXXXX ~]# ls /proc/sys/net/ipv6/conf/all/autoconf
>> /proc/sys/net/ipv6/conf/all/autoconf
>> [root@XXXXX ~]# cat /proc/sys/net/ipv6/conf/all/autoconf
>> 1
>>
>> Btw I plan to add this to setupxenserver.sh:
>>
>> # setup ip6tables: default every filter chain to DROP and persist the policy
>> if [ -x "/sbin/ip6tables" ] ; then
>>     /sbin/ip6tables -P INPUT DROP
>>     /sbin/ip6tables -P OUTPUT DROP
>>     /sbin/ip6tables -P FORWARD DROP
>>     if [ -x "/etc/init.d/ip6tables" ] ; then
>>         /etc/init.d/ip6tables save
>>     fi
>> fi
>>
>> # disable IPv6: no forwarding, no router advertisements, no autoconf, stack off
>> if [ -d "/proc/sys/net/ipv6/conf/all" ] ; then
>>     /sbin/sysctl -w net.ipv6.conf.all.forwarding=0
>>     /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0
>>     /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
>>     /sbin/sysctl -w net.ipv6.conf.all.autoconf=0
>>     /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1
>> fi
>>
>> Cheers,
>>
>> Hugo
>>
>> -----Original Message-----
>> From: Chip Childers [mailto:chip.childers@sungard.com]
>> Sent: Monday, July 30, 2012 4:06 PM
>> To:
>> Subject: Re: Disable IPv6 for systemvm
>>
>> The latest Xen Server install seems to have IPv6 disabled (just checked in my lab). Is it enabled in XCP?
>>
>> (I may be showing my Xen ignorance here)
>>
>> - chip
>>
>> On Jul 30, 2012, at 9:24 AM, Hugo Trippaers wrote:
>>
>>> Hey Chip,
>>>
>>> Yeah, I want help :-)
>>>
>>> I just committed the sysctl.conf changes for the systemvm. This morning I applied them to my test environment and they do the job.
>>>
>>> We could add the actual sysctl command to the vmops next to adding the IPv6 ip6tables statements I think.
>>>
>>> Cheers,
>>>
>>> Hugo
>>>
>>>
>>> -----Original Message-----
>>> From: Chip Childers [mailto:chip.childers@sungard.com]
>>> Sent: Monday, July 30, 2012 3:13 PM
>>> To: cloudstack-dev@incubator.apache.org
>>> Subject: Re: Disable IPv6 for systemvm
>>>
>>> On Mon, Jul 30, 2012 at 7:32 AM, Hugo Trippaers wrote:
>>>> By the way, we might want to add the same configuration to vmops for XenServer.
>>>>
>>>> Currently it is possible to have a tenant vm send a router advertisement on the isolated lan that is picked up by XenServer. Even though XenServer only has a bridge interface in the tenant lan, that interface will be autoconfigured. A simple ping to the local all-nodes address (ff02::1) will tell you the mac of the XenServer interface. As XenServer has ssh active on all interfaces you can directly connect to the ssh daemon on the XenServer. We only push an IPv4 firewall to the XenServer so the IPv6 firewall is default (ACCEPT everything).
>>>>
>>>> Still you only gain access to the ssh port, but that is something that should not be possible from a tenant lan.
>>>>
>>>> Cheers,
>>>>
>>>> Hugo
>>>
>>> As a provider, this one is even more concerning. Unless someone has an objection, I'd agree with your solution. We can remove a DENY rule in the future, after IPv6 support is added properly / completely.
>>>
>>> If you want help working up the fix for this, please let me know!
>>>
>>> -chip
>>>
>>
>