LXC with Rocky Linux and IPV6 drops the IPV6 connection after a couple of minutes

[nemanja]

When i create a container with Rocky Linux from the image provided by proxmox (rockylinux-9-default_20221109) and try to assign an IPv6 address to it, the IPv6 works for a couple of minutes, after which it simply drops. When i run ip -6 route, the routes that were previously there disappear. Using the same exact set of steps but when instead of going for rocky linux i go for debian-12-standard_12.2-1, everything works fine.

I looked for a long while but have not found anything that would help, and i'm not sure if this is a rocky linux issue, LXC/RL, Proxmox/LXC/RL issue... I'm happy to provide any info deemed useful, as i am not sure what that could be upfront since it works with debian...

I have the following proxmox setup:

Kernel Version Linux 6.5.13-1-pve (2024-02-05T13:50Z)
Manager Version pve-manager/8.1.4/ec5affc9e41f1d7

 

[domi2]

I'm having a very similar issue where Rocky Linux fails to get a DHCPv6 address on boot with the following error:

<warn>  [1720894763.9910] ndisc[0x5dc9b8185410,"eth0"]: solicit: failure sending router solicitation: Address family not supported by protocol (97)

After a couple of minutes it will properly get a DHCPv6 IP address and after another couple of minutes it will loose that IP again and once more on the next refresh it will get another DHCPv6 IP but it will have switched its DUID so it gets the wrong one.

Very strange.

 

[encryptedserver]

Are IPv6 router advertisement allowed inbound

 

[domi2]

Are IPv6 router advertisement allowed inbound

Yes, the router advertisments go through (and get a response) on the second attempt and the correct IP is assigned.

The other containers running Fedora and Ubuntu also don't have this issue on the same network.

 

[_gabriel]

edit: ipv6 automatic address , require firewall inbound NPD rules which Proxmox allow by default.
"Router Advertisement" in Firewall settings is for CT acting as "ipv6 router" not ipv6 "client".

To confirm missing firewall rules, disable firewall within guest, temporarly.

 

[domi2]

ipv6 automatic address SLAAC , require firewall inbound rules.
to confirm missing firewall rules, disable firewall within guest, temporarly.

The firewall is disabled on all my containers.

 

[_gabriel]

within guest AND the CT NIC ?

 

[domi2]

within guest AND the CT NIC ?

I don't think Rocky Linux has any firewall enabled by default. It is disabled on the NIC.

 

[_gabriel]

edit: seems confirmed : Rocky9 ipv6 automatic address broken since kernel 6.8
edit2 : it seems works after many minutes where ipv6 is instant with kernel before 6.8

just tried a Rocky 9 CT on PVE 8.0 + Kernel 6.2.16-3 , ipv6 works with DHCP or SLAAC.
upgraded PVE to 8.2 + Kernel 6.8.4-2 (shipped with the iso) , unable to get an ipv6 with DHCP or SLAAC.
upgraded to Kernel 6.8.8-2 from no subscription repo , unable to get automatic ipv6
reboot with older kernel 6.2.16 , ipv6 works with DHCP or SLAAC.
upgraded to kernel 6.5.13-5 , ipv6 works with DHCP or SLAAC.

debian11+12+ alpine CT ok with kernel 6.8.

 

[andres.moya]

The problem is that promoximplemented wrong template for Centos/RedHat scripts. Plus NetworkManager interpret it maybe wrong way.

So after creating a file in:
/etc/sysconfig/network-scripts/ifcfg-eth0

It missing the line:
IPV6AUTOCONFIG=no

As a result
```
[root@foreman-11 ~]# nmcli conn show "System eth0" | grep method
ipv4.method: disabled
ipv6.method: auto
proxy.method: none
```
That auto even with IP address set will try to auto-configure IPv6. And once failed disables interface.


Need to add line: $data .= "IPV6_AUTOCONF=no\n";

Into this block:
```
if ($d->{ip6} && $d->{ip6} ne 'manual') {
$bootproto = 'none' if !$bootproto;
$data .= "IPV6INIT=yes\n";
if ($d->{ip6} eq 'auto') {
$data .= "IPV6_AUTOCONF=yes\n";
} elsif ($d->{ip6} eq 'dhcp') {
$data .= "DHCPV6C=yes\n";
} else {
$data .= "IPV6_AUTOCONF=no\n";
$data .= "IPV6ADDR=$d->{ip6}\n";
if (defined($d->{gw6})) {
if (!PVE::Network::is_ip_in_cidr($d->{gw6}, $d->{ip6}, 6) &&
!PVE::Network::is_ip_in_cidr($d->{gw6}, 'fe80::/10', 6)
) {
$routes6 .= "$d->{gw6} dev $d->{name}\n";
$routes6 .= "default via $d->{gw6} dev $d->{name}\n";
} else {
$data .= "IPV6_DEFAULTGW=$d->{gw6}\n";
}
}
}
}

```
Because file belongs to:
```
root@compute-20-1:~# dpkg -S /usr/share/perl5/PVE/LXC/Setup/CentOS.pm
pve-container: /usr/share/perl5/PVE/LXC/Setup/CentOS.pm
root@compute-20-1:~# apt info pve-container
Package: pve-container
Version: 5.2.0
Priority: optional
Section: perl
Maintainer: Proxmox Support Team <support@proxmox.com>
...
```


So as a workaround, need to change file. Or ask Proxmox to update file. Static IPv6 should not attempt to auto configure IPv6.

 

[andres.moya]

Bug reported:
https://bugzilla.proxmox.com/show_bug.cgi?id=5745