Can't access containers' IPv6 address

Discussion in 'Networking Questions' started by SteveITS, Mar 27, 2015.

  1. SteveITS

    SteveITS Tera Poster

    Messages:
    251
    With PCS/Virtuozzo 6.0.9 I've noticed that while my newly-created CentOS 6 containers can ping and be pinged on IPv4, using IPv6 a container can only ping its hardware node, and the node is the only IPv6 than can ping a container. Nodes can ping the router and other hosts using IPv6. I found this article (http://kb.odin.com/en/113756, "known issue" 1415269) which says it should work if the node has an IPv6 address. "ip -6 neigh show" on the nodes shows only the router/gateway, while in a container it shows no result. I completely restarted a hardware node to see if that made a difference, but it did not. The containers were created with IPv6 addresses if that makes a difference, and all use routed networking.

    Traceroute to a container from a different hardware node ( ::5):
    traceroute to 2607:ff50:0:4c::14 (2607:ff50:0:4c::14), 30 hops max, 80 byte packets
    1 2607:ff50:0:4c::5 (2607:ff50:0:4c::5) 3000.664 ms !H 3000.662 ms !H 3000.659 ms !H

    Traceroute to a container from the router ( ::2, FreeBSD/pfSense):
    1 2607:ff50:0:4c::2 2998.407 ms !A 2999.856 ms !A 2999.966 ms !A

    Telnet to container on different node:
    # telnet 2607:ff50:0:4c::14 80
    Trying 2607:ff50:0:4c::14...
    telnet: connect to address 2607:ff50:0:4c::14: No route to host
     
    Last edited: Mar 27, 2015
  2. SteveITS

    SteveITS Tera Poster

    Messages:
    251
    According to PVA, the "firewall is not active now" on the containers.

    Routing table on container ( ::11):
    # ip -6 route |grep venet
    2607:ff50:0:4c::/64 dev venet0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
    fe80::/64 dev venet0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
    default dev venet0 metric 1 mtu 1500 advmss 1440 hoplimit 4294967295

    Routing table on that container's host:
    # ip -6 route |grep 2607
    2607:ff50:0:4c::11 dev venet0 metric 1000 mtu 1500 advmss 1440 hoplimit 4294967295
    2607:ff50:0:4c::12 dev venet0 metric 1000 mtu 1500 advmss 1440 hoplimit 4294967295
    2607:ff50:0:4c::16 dev venet0 metric 1000 mtu 1500 advmss 1440 hoplimit 4294967295
    2607:ff50:0:4c::17 dev venet0 metric 1000 mtu 1500 advmss 1440 hoplimit 4294967295
    2607:ff50:0:4c::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
    default via 2607:ff50:0:4c::1 dev eth0 metric 1 mtu 1500 advmss 1440 hoplimit 4294967295
     
    Last edited: Mar 27, 2015
  3. SteveITS

    SteveITS Tera Poster

    Messages:
    251
    Changing a container from host-routed mode to bridged mode lets IPv6 work. So that's a workaround but it would be nice to find out why routed mode isn't working especially since that's the default.
     
  4. IP^__^

    IP^__^ Odin Team

    Messages:
    80
    Dear Steve,

    Please try to disable mc snooping on bridge, like:
    # brctl setmcsnoop br1 0

    Please let us know about the results.
     
  5. KonstantinB

    KonstantinB Odin Team

    Messages:
    68
    For host-routed mode, host itself must have an IPv6 address.
    Please re-check IPv6 address on eth0.
     
  6. SteveITS

    SteveITS Tera Poster

    Messages:
    251
    Sorry it took me a while to get to this but I changed a container to bridged, and ran that on the hardware node:

    [root@hn4 ~]# brctl showstp br1 |grep snoo
    mc router 1 mc snooping 1
    [root@hn4 ~]# brctl setmcsnoop br1 0
    [root@hn4 ~]# brctl showstp br1 |grep snoo
    mc router 1 mc snooping 0

    Same results, I can ping6 the container from its hardware node but not other nodes. Do I need to restart either the node or the container to have that applied?

    And yes, the node has IPv6 and is itself pingable.
     
  7. KonstantinB

    KonstantinB Odin Team

    Messages:
    68
    Steve,

    I think once this issue become longer and longer it worth to create support request for it.

    Best regards,
     
  8. SteveITS

    SteveITS Tera Poster

    Messages:
    251
    I agree, I've just had trouble getting signed up through sales so do you know if they will open support cases for what is still officially a trial version?
     
  9. IP^__^

    IP^__^ Odin Team

    Messages:
    80
  10. SteveITS

    SteveITS Tera Poster

    Messages:
    251
    Yeah, I was kind of hoping to just buy the software licenses. :) I'll open a case when we get signed up.

    Interestingly I did find a note in the documentation today that "PPA is unable to add IP addresses on host-routed Virtuozzo / OpenVZ containers automatically. Therefore, you should manually add all IP addresses from the pool to such nodes." Since we're using PPA, routed mode won't work anyway.

    Edit: in case anyone finds this thread and reads the above quote, per this thread IP addresses added to a container through PPA do not work in bridged mode either...one should add IP(s) to the container from the hardware node or PVA, then create a pool in PPA to match, then assign an IP to the website.
     
    Last edited: Apr 22, 2015

Share This Page