Hello again fabian,
Let me quote old topics and interactions:
hmm not sure why it's picking up the ipv6 address.
temporarily commenting the ipv6 entry in /etc/hosts is also worth a shot (however i wasn't able to reproduce your problem)
if that doesn't change anything you can try to edit it manually to use the ipv4 after pasting the join info for now.
"I'm not sure why it's picking the IPv6 address."
"temporarily commenting"
"edit it manually"
Oh, and the preference of IPv6 comes from the RFC 3484 which defines the default order for geaddrinfo calls.
You could also edit /etc/gai.conf add (or uncomment) the line
precedence ::ffff:0:0/96 100
And restart pve-cluster afterwards, sorry for that confusion here, we mostly use getaddrinfo_all nowadays where this doesn't matters.
As you can see from these answers and related issues, getaddressinfo_all and taking preferences from RFC3484 (AS IS SUPPOSED!) is good for general-purpose apps not for an app like Proxmox that requires exquisite control between its member hosts. The proxmox team solutions is to hammer around, but that isn't a proper solution, not for me.
Actually starting on the fact that I can't simply connect my Proxmox cluster to our IDM servers in a simply and easy manner says a lot, and the only ldap implementation is unauthenticated bind, because ... lol. Unlike any other thing, being it gitlab, email servers, firewalls, openshift, the workstations, everything gets to be connected to servers that control users, roles, hosts, etc, but the proxmox genius that do all so well and say google uses debian (like Apple uses freebsd, right) so everything is all always perfectly implemented. (and apt is the best package manager out there, extremely advanced, I could live 1000 years I would never forget that one).
For the Join the IP from a single getaddrinfo call is used, as that is the one the system admin prefers for public destination address for this node, and can be managed using gai.conf
But, this is only a recommendation to have one preselected without forcing the admin to always enter a specific IP, most of the time that works out - as it's really only used for doing the API call to exchange the info required for join.
The last stance here is wrong. Is not only used for doing the api call to exchange the info required to join, but is used for many, many things.
What is described here, and I don't really have all the time in the world to go and pick contradictory information provided by the proxmox team members in this forum (that'd be a full time job), but if the address is picked from getaddrinfo calls then it is not defined by the admin and is a volatile implementation, a poor implementation, which can be seen by the number of issues that come around due to THIS in particular. My first issue was due to an upstream IPv6 issue, where it would try to use the IPv6 as a result of the getaddrinfo call, no fallback mechanism, no admin control over which network to use for API traffic between hosts.
In the end of the day, what stands is: the automatic rules don't work, the documentation is also poor, you can have a properly working cluster, you add an IPSet called management for management purpose as described is for remote access, when you enable the firewall, the Proxmox nodes can't communicate with each other across the cluster.
I also get it that some people who think apt is top of the art package management haven't used much of IPv6 (which explain why some wouldn't know how it picks an ipv6 address somewhere), and don't know how important it is to connect these hosts to central identity management, because proxmox is really good at one thing: KVM virtualisation. Lightweight, good performance. Other than that, most things don't work well. And what works is because technologies do work, or you made it to work (they are supposed to work when they're developed and put out). Other than that... is just things that mirror the people that said much of the above.
local_network is only used for the intra-cluster API communication:
- pveproxy proxying from one node to another
- spiceproxy/vncproxy proxying from one node to another
- SSH tunneling from one node to another (e.g., for migration)
- plain-text migration tunnelling from one node to another
out-of-the-box: does not work.
did not work for intra-cluster api communication,
did not work for proxying nothing from one node to another
did not work for ssh tunnelling from one to another
Code:
2586 if ($localnet && ($ipversion == $localnet_ver)) {
2587 ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 8006", "-j $accept_action"); # PVE API
2588 ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 22", "-j $accept_action"); # SSH
2589 ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 5900:5999", "-j $accept_action"); # PVE VNC Console
2590 ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 3128", "-j $accept_action"); # SPICE Proxy
2591 }
Code:
root@promox-01 ~ # iptables-save | grep 8006
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
root@promox-01 ~ # iptables-save | grep 3128
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
root@proxmox-01 ~# iptables-save | grep 22
53:-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
73:-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
91:-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
130:-A PVEFW-reject -s 224.0.0.0/4 -j DROP
141:-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
- management is described on the documentation as remote access hosts, not proxmox nodes among each other, since when I activate the firewall proxmox api comms break, seems a clear issue to me right here;
- v4 ? but you use getaddrinfo which looks for ai_family which can be af_inet or af_inet6.
Code:
root@proxmox-01 ~ # pve-firewall localnet
local hostname: proxmox-01
local IP address: 2a01:xxxx:xxxx:xxxx::1
network auto detect: 2a01:xxxx:xxxx:xxxx:0000:0000:0000:0000/64
using detected local_network: 2a01:xxxx:xxxx:xxxx:0000:0000:0000:0000/64
accepting corosync traffic from/to:
- proxmox-02: 10.xxx.xxx.2 (link: 0)
- proxmox-02: 10.xxx.xxx.2 (link: 1)
- proxmox-02: 10.xxx.xxx.2 (link: 2)
By the way, where are the Ceph rules?
I'm eager to learn. Thank you.