Well, I’ve had my share of troubles with Hetzner, Debian, KVM and IPv6 addresses. After figuring out how to get around the IPv6 neighbor stuff (npd6 for teh win!), I battled with the problem that after restarting (rebooting/resetting – doesn’t really matter) a domain its IPv6 address would no longer work.
Well, today I decided to take a closer look. After the reboot, the guest comes up with this:
    pinguinfuss:(thanatos.heimdaheim.de/webs) PWD:~
    Mon Sep 09, 19:01:27 [0] > ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 52:54:00:96:ed:35 brd ff:ff:ff:ff:ff:ff
        inet 78.46.37.114 peer 78.46.37.118/32 brd 78.46.37.114 scope global eth0
        inet6 2a01:4f8:110:3148::5/64 scope global tentative dadfailed
           valid_lft forever preferred_lft forever
        inet6 fe80::5054:ff:fe96:ed35/64 scope link
           valid_lft forever preferred_lft forever
A quick peek into ip -6 neigh show reveals this:
    pinguinfuss:(kvm.heimdaheim.de/KVM) PWD:~
    Mon Sep 09, 19:02:27 [0] > sudo ip -6 neigh show
    2a01:4f8:110:3148::5 dev eth0 FAILED
At this point I had no idea where to look (I haven’t used IPv6 much), so thanks to a friend I ended up googling whatever dadfailed meant … as it turns out dadfailed indicates that a duplicate address had been detected. A short peek into kern.log/dmesg fuelled that idea:
    pinguinfuss:(thanatos.heimdaheim.de/webs) PWD:/var/log
    Mon Sep 09, 19:33:46 [0] > sudo grep eth kern.log
    Sep 9 19:03:25 thanatos kernel: [ 9.150549] eth0: IPv6 duplicate address 2a01:4f8:110:3148::5 detected!
So, I went on googling IPv6, KVM and duplicate address, and guess what .. I don’t seem to be the only one that has this issue … I haven’t found the root cause of this, but I have a quick fix … I usually don’t assign duplicate IPv6 addresses to multiple domains (each domain has its own block of IPv6 addresses), so I ended up writing a short puppet class that’ll disable the Duplicate Address Detection for all my KVM guests!
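    # Class name uses underscores: Puppet 4 and later reject hyphens in class names.
    class kvm_ipv6_domain {
      # Drop-in sysctl file; it is read at boot or by `sysctl --system`.
      file { 'kvm-ipv6.conf':
        ensure  => 'present',
        path    => '/etc/sysctl.d/kvm-ipv6.conf',
        mode    => '0644',
        # accept_dad=0 turns Duplicate Address Detection off for eth0 only.
        content => "net.ipv6.conf.eth0.accept_dad=0\n",
      }
    }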
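As an added example (not part of the original post): since disabling DAD hides real duplicates as well, a small check like this shows which addresses actually failed DAD and what accept_dad is currently set to. The function names `dad_failed` and `accept_dad_state`, the `ROOT` parameter and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample: trimmed `ip -6 addr show` output modelled on the guest above.
sample_ip_output() {
    cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2a01:4f8:110:3148::5/64 scope global tentative dadfailed
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe96:ed35/64 scope link
       valid_lft forever preferred_lft forever
EOF
}

# dad_failed: read `ip -6 addr show` output on stdin and print
# "<interface> <address/prefix>" for every address flagged dadfailed.
dad_failed() {
    awk '
        /^[0-9]+: / { iface = $2; sub(/:$/, "", iface); sub(/@.*/, "", iface) }
        $1 == "inet6" {
            for (i = 3; i <= NF; i++)
                if ($i == "dadfailed") print iface, $2
        }'
}

# accept_dad_state IFACE [ROOT]: report the interface's accept_dad setting.
# ROOT defaults to /proc/sys; it is a parameter so the check can be tested.
accept_dad_state() {
    f="${2:-/proc/sys}/net/ipv6/conf/$1/accept_dad"
    [ -r "$f" ] || { echo "unknown"; return 1; }
    case "$(cat "$f")" in
        0) echo "disabled" ;;        # DAD off: duplicates go unnoticed
        1) echo "enabled" ;;         # kernel default
        2) echo "enabled-strict" ;;  # also disables IPv6 on a duplicate link-local
        *) echo "unknown" ;;
    esac
}

# On a live guest: ip -6 addr show | dad_failed
sample_ip_output | dad_failed
```

An address that is still listed by `dad_failed` after a reboot with `accept_dad_state eth0` reporting `disabled` means the sysctl file was not applied to that interface.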
I just upgraded from Xen 4.3 to Xen 4.4 and now all domUs have their IPv6 addresses dadfailed. Even the link local addresses, which are based on the MAC address! I’m thinking they are somehow hearing their own DAD back, not realizing what it is.
Disabling DAD is an interesting workaround, but it feels “wrong” — but I’ll keep it in mind, if I can’t find a “proper” solution. Do you still have DAD disabled?
Xen uses Qemu, and it indeed has “fixed” its multicast handling so that hosts hear their own transmits now.
http://t339093.emulators-qemu.emulatortalk.info/multicast-vpn-breaks-ipv6-duplicateaddress-detection-t339093.html
Yeah, I still have DAD disabled. I haven’t even looked at it again. Well, seeing as KVM uses Qemu in some form also, I should maybe look at this again 🙂