'Re: [systemd-devel] IPv6 RA/DHCPv6 support for nspawn?'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       systemd-devel
Subject:    Re: [systemd-devel] IPv6 RA/DHCPv6 support for nspawn?
From:       Nick Labich <nick () labich ! org>
Date:       2022-04-18 20:55:49
Message-ID: CABONDVoO3VW6O+bSTuK9yG86HkgwLDqZy2UneF2mCsb4J_c3xg () mail ! gmail ! com
[Download RAW message or body]

On Mon, Apr 18, 2022 at 02:16:56 +0300 <iam@valdikss.org.ru> wrote:
>
> Greetings, everyone.
>
> I'm running systemd v250.4 (Debian 11 backports) and can't find a way to
> automatically configure IPv6 access inside nspawn (machined) container,
> either with or without NAT.
>
> Despite DNAT and MASQUERADE functions for IPv6 being supported since
> v248 and work fine, and networkd's 80-container-ve.network file includes
>      IPMasquerade=both
> by default, there's no records of ULA IPv6 address range to be served
> for the containers.
> If the range is added to the .network file, the IP address from it is
> getting assigned to the interface of host network but not announced to
> guest using RA, at least I tried multiple configuration settings and
> can't get it working.
>
> I ended up configuring IPv6 statically on both host and container, which
> is inconvenient. I found no bugs on bugtracker for this issue. Could it
> be I'm misconfiguring something, and IPv6 RA/DHCPv6 server support
> present in networkd and work for nspawn'ed containers?
>
> P.S. please include me in cc, I'm not subscribed to every email in this
> mail list.

I've had similar issues getting IPv6 DHCP working with QEMU and the
provided 80-vm-vt.network (similar to 80-container-ve.network). I have been
unable to pass through IPv6 RAs from my router/ISP (via my laptop wifi).
The only working IPv6 RA configuration I've found is below--by masquerading
and performing RA with an IPv6 ULA.

The configuration below provides a masqueraded IPv6 address to an image
booted via mkosi boot (systemd-nspawn -bni) with systemd 250
(250.4-2-arch). Making a similar network file with the match changed to
Name=vt-* and Driver=tun gets it working for mkosi qemu as well.

  [Match]
  Name=ve-*
  Driver=veth

  [Network]
  # Rewrite src/dst as necessary for traffic
  IPMasquerade=both

  # Run a IPv4 DHCP server with a static IP from a dynamically chosen subnet
  DHCPServer=yes
  Address=0.0.0.0/24

  # Perform RA with an IPv6 ULA
  LinkLocalAddressing=ipv6
  IPv6AcceptRA=no
  IPv6SendRA=yes

  [IPv6Prefix]
  Prefix=fd00::/64
  Assign=yes

I think there have been a fair amount of changes to the IPv6 settings
lately due to the great work yuwata and others have been doing. Maybe the
provided 80-container-ve.network and 80-vm-vt.network need to be updated to
take recent changes into account for IPv6? I'm not sure.

Cheers,
Nick

[Attachment #3 (text/html)]

<div dir="ltr">On Mon, Apr 18, 2022 at 02:16:56 +0300 &lt;<a \
href="mailto:iam@valdikss.org.ru" target="_blank">iam@valdikss.org.ru</a>&gt; \
wrote:<br>&gt;<br>&gt; Greetings, everyone.<br>&gt;<br>&gt; I&#39;m running systemd \
v250.4 (Debian 11 backports) and can&#39;t find a way to<br>&gt; automatically \
configure IPv6 access inside nspawn (machined) container,<br>&gt; either with or \
without NAT.<br>&gt;<br>&gt; Despite DNAT and MASQUERADE functions for IPv6 being \
supported since<br>&gt; v248 and work fine, and networkd&#39;s \
80-container-ve.network file includes<br>&gt;         IPMasquerade=both<br>&gt; by \
default, there&#39;s no records of ULA IPv6 address range to be served<br>&gt; for \
the containers.<br>&gt; If the range is added to the .network file, the IP address \
from it is<br>&gt; getting assigned to the interface of host network but not \
announced to<br>&gt; guest using RA, at least I tried multiple configuration settings \
and<br>&gt; can&#39;t get it working.<br>&gt;<br>&gt; I ended up configuring IPv6 \
statically on both host and container, which<br>&gt; is inconvenient. I found no bugs \
on bugtracker for this issue. Could it<br>&gt; be I&#39;m misconfiguring something, \
and IPv6 RA/DHCPv6 server support<br>&gt; present in networkd and work for \
nspawn&#39;ed containers?<br>&gt;<br>&gt; P.S. please include me in cc, I&#39;m not \
subscribed to every email in this<br><div>&gt; mail \
list.</div><div><br></div><div>I&#39;ve had similar issues getting IPv6 DHCP working \
with QEMU and the provided 80-vm-vt.network (similar to 80-container-ve.network). I \
have been unable to pass through IPv6 RAs from my router/ISP (via my laptop wifi). \
The only working IPv6 RA configuration I&#39;ve found is below--by masquerading and \
performing RA with an IPv6 ULA.</div><div><br></div><div>The configuration below \
provides a masqueraded IPv6 address to an image booted via mkosi boot (systemd-nspawn \
-bni) with systemd 250 (250.4-2-arch). Making a similar network file with the match \
changed to Name=vt-* and Driver=tun gets it working for mkosi qemu as \
well.<br></div><div><br></div><div>   [Match]<br>   Name=ve-*<br>   Driver=veth<br>   \
<br>   [Network]<br>   # Rewrite src/dst as necessary for traffic<br>   \
IPMasquerade=both<br>   <br>   # Run a IPv4 DHCP server with a static IP from a \
dynamically chosen subnet<br>   DHCPServer=yes<br>   Address=<a \
href="http://0.0.0.0/24" target="_blank">0.0.0.0/24</a><br>   <br>   # Perform RA \
with an IPv6 ULA<br>   LinkLocalAddressing=ipv6<br>   IPv6AcceptRA=no<br>   \
IPv6SendRA=yes<br>   <br>   [IPv6Prefix]<br>   Prefix=fd00::/64<br>   \
Assign=yes<div><br></div><div>I think there have been a fair amount of changes to the \
IPv6 settings lately due to the great work yuwata and others have been doing. Maybe \
the provided 80-container-ve.network and 80-vm-vt.network need to be updated to take \
recent changes into account for IPv6? I&#39;m not \
sure.</div><div><br></div><div>Cheers,<br></div><div>Nick<br></div></div></div>



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic