vnet with ipv6 subnet?

devilkin

Proxmox 8.4.1

I was trying to add an IPv6 range to my SDN setup - so I added a ULA /48 to the vnet, and added a DHCP range. In /etc/pve/sdn/subnets.cfg I see

Code:
subnet: local-fdaa:b3a8:7e93::-48
        vnet vnet0
        dhcp-range start-address=fdaa:b3a8:7e93::100,end-address=fdaa:b3a8:7e93::200
        gateway fdaa:b3a8:7e93::1
which looks correct.

When trying to start any container I get the following:

Code:
# pct start 103 --debug
run_buffer: 571 Script exited with status 11
lxc_init: 845 Failed to run lxc.hook.pre-start for container "103"
__lxc_start: 2034 Failed to initialize container "103"
0 hostid 100000 range 65536
INFO     lsm - ../src/lxc/lsm/lsm.c:lsm_init_static:38 - Initialized LSM security driver AppArmor
INFO     utils - ../src/lxc/utils.c:run_script_argv:587 - Executing script "/usr/share/lxc/hooks/lxc-pve-prestart-hook" for container "103", config section "lxc"
DEBUG    utils - ../src/lxc/utils.c:run_buffer:560 - Script exec /usr/share/lxc/hooks/lxc-pve-prestart-hook 103 lxc pre-start produced output: org.freedesktop.DBus.Error.ServiceUnknown: The name uk.org.thekelleys.dnsmasq.local was not provided by any .service files

ERROR    utils - ../src/lxc/utils.c:run_buffer:571 - Script exited with status 11
ERROR    start - ../src/lxc/start.c:lxc_init:845 - Failed to run lxc.hook.pre-start for container "103"
ERROR    start - ../src/lxc/start.c:__lxc_start:2034 - Failed to initialize container "103"
INFO     utils - ../src/lxc/utils.c:run_script_argv:587 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "103", config section "lxc"
startup for container '103' failed

I'm wondering what exactly is going wrong?
Once I remove the IP address from the IPAM and remove the subnet from the vnet, things start without an issue.
 
Ok, I figured out you need to supply a /64, not a /48. At least the containers will start again, now I just have to figure out what else I need to get this to work.
 
Other things:
* using isc-dhcp-client I get a lot of udp bad chksum messages with tcpdump. Replacing that with dhcpcd removes that.
* added necessary rule allowing dhcpv6 and icmpv6 in towards the host. Pinging on the LLA works, but still no dhcpv6 address.
 
Can you check if the dnsmasq configuration gets generated in the first place?

Code:
ls -alh /etc/dnsmasq.d/

If yes, what are the contents of the files in that folder? And what is the status of the dnsmasq@<zone>.service?

Can you post the full SDN configuration?

Code:
cat /etc/pve/sdn/*.cfg
 
So, I decided to trash my config and re-create it, and also re-create my test LXC.

* Using a /64 IPv6 subnet, bog-standard LXC Debian 12, everything works.
* Enabled SNAT for ipv6, and manually configuring ip_forwarding in iptables: works.

So I guess I screwed up a few things in all my messing about.

@shanreich I have noticed though that while containers that existed prior to me adding the IPv6 subnet to the vnet get an IPv6 assigned in the IPAM view when I reconfigure the network interface, the IP does not get added to /etc/dnsmasq.d/local/ethers. Any newly created container gets added.

The missing entry in the ethers file means they don't get the ip issued by dnsmasq.

Code:
# cat /etc/pve/lxc/107.conf
arch: amd64
cores: 1
features: nesting=1
hostname: test
memory: 512
net0: name=eth0,bridge=vnet0,firewall=1,hwaddr=BC:24:11:B2:1D:29,ip=dhcp,ip6=dhcp,type=veth
ostype: debian
rootfs: local-lvm:vm-107-disk-0,size=5G
swap: 512
unprivileged: 1

Code:
# cat /etc/dnsmasq.d/local/ethers  
BC:24:11:39:BE:83,10.0.0.100
BC:24:11:8D:76:F1,10.0.0.101
BC:24:11:95:E7:76,10.0.0.2
BC:24:11:0F:AC:D9,10.0.0.4
BC:24:11:97:BA:15,10.0.0.103
BC:24:11:9E:DE:CF,10.0.0.102
BC:24:11:B2:1D:29,10.0.0.104
BC:24:11:DD:FE:07,10.0.0.105
BC:24:11:BA:6B:4A,10.0.0.106
BC:24:11:AE:8D:C9,10.0.0.107,[fdaa:b3a8:7e93::100]

> * Enabled SNAT for ipv6, and manually configuring ip_forwarding in iptables: works.

Yes, the problem there currently is that IPv6 forwarding can only be enabled globally, but we are working on upstreaming a kernel patch that allows enabling it on a per-interface basis as with IPv4.

> @shanreich I have noticed though that while containers that existed prior to me adding the IPv6 subnet to the vnet get an IPv6 assigned in the IPAM view when I reconfigure the network interface, the IP does not get added to /etc/dnsmasq.d/local/ethers. Any newly created container gets added.

Yes, that's sadly a current limitation - you can re-create the network interface and it should work as intended though. Would you mind opening a report in Bugzilla [1]? It might be a bit trickier to implement than it sounds though, so I cannot promise anything.


[1] https://bugzilla.proxmox.com
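
A way to spot the affected containers described in this thread, as an added example that is not from any poster or from Proxmox: it lists MACs whose container config asks for `ip6=dhcp` but whose line in the ethers file carries no IPv6 reservation. The file formats are assumed from the two listings posted above, and the function names and sample strings are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input, shaped like the listings posted in the thread.
SAMPLE_LXC_CONF = """\
hostname: test
net0: name=eth0,bridge=vnet0,firewall=1,hwaddr=BC:24:11:B2:1D:29,ip=dhcp,ip6=dhcp,type=veth
"""
SAMPLE_ETHERS = """\
BC:24:11:B2:1D:29,10.0.0.104
BC:24:11:AE:8D:C9,10.0.0.107,[fdaa:b3a8:7e93::100]
"""

NET_LINE = re.compile(r"^net\d+:\s*(.+)$")


def dhcp6_macs(conf_text):
    """Return the MACs of netN interfaces configured with ip6=dhcp."""
    macs = []
    for line in conf_text.splitlines():
        m = NET_LINE.match(line.strip())
        if not m:
            continue
        opts = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
        if opts.get("ip6") == "dhcp" and "hwaddr" in opts:
            macs.append(opts["hwaddr"].upper())
    return macs


def is_ipv6(text):
    """True if text parses as an IPv6 address."""
    try:
        return isinstance(ipaddress.ip_address(text), ipaddress.IPv6Address)
    except ValueError:
        return False


def ethers_v6_map(ethers_text):
    """Map each MAC to the bracketed IPv6 addresses reserved on its line."""
    table = {}
    for line in ethers_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if not fields[0] or fields[0].startswith("#"):
            continue
        v6 = [f[1:-1] for f in fields[1:] if f.startswith("[") and f.endswith("]")]
        table[fields[0].upper()] = [a for a in v6 if is_ipv6(a)]
    return table


def missing_v6_reservations(conf_text, ethers_text):
    """MACs that request DHCPv6 but have no IPv6 entry in the ethers file."""
    table = ethers_v6_map(ethers_text)
    return [mac for mac in dhcp6_macs(conf_text) if not table.get(mac)]
```

On a host, feed it the text of `/etc/pve/lxc/<id>.conf` and `/etc/dnsmasq.d/local/ethers`; any MAC it returns belongs to an interface that, per the reply above, needs to be re-created to get its reservation.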