Difference between revisions of "Quattor and IPv6"
From PDP/Grid Wiki
(Created page with "Quattor and Ipv6 This is a summary of what it has been done so far, in order to configure servers via quattor with IPv6 connectivity. It's divided in 4 parts: The installation a...") |
(7 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | + | == Abstract == | |
− | This is a summary of what it has been done so far, in order to configure servers via quattor with IPv6 connectivity. It's divided in 4 parts | + | This is a summary of what it has been done so far, in order to configure servers via quattor with '''IPv6''' connectivity. It's divided in 4 parts: |
− | |||
− | |||
− | |||
− | |||
− | + | * The installation and configuration of a quattor server. | |
− | + | * The changes that have been made in the templates. | |
− | + | * The changes of the network component written by Stijn de Weirdt. | |
− | + | * The changes of the iptables component written by Joao Martins, Alasdair Earl, and Jan Iven. | |
− | + | ||
− | + | == Configuration of a Quattor server == | |
− | + | I'm gonna skip all the steps to configure a quattor server and focus on the adaption of the DNS protocol to support '''IPv6'''. From the moment that it's possible to boot via PXE with '''IPv6''', then we can include information about DHCPv6, but so far it's nonsense. | |
− | + | ||
− | + | === DNS === | |
+ | The prefix that I was given is ''2001:610:120:e120::\64''. We need need to define two different zones in ''/etc/named.conf'', one for localhost (::1), and another one for the servers in general: | ||
− | + | zone "1::.ip6.arpa"{ | |
+ | type master; | ||
+ | file "data/db.1"; | ||
+ | }; | ||
+ | zone "0.2.1.e.0.2.1.0.0.1.6.0.1.0.0.2.ip6.arpa"{ | ||
+ | type master; | ||
+ | file "data/db.2001:610:120:e120"; | ||
+ | }; | ||
− | db.1: | + | Then, in ''/var/named/data'', we need to create two new files for the reverse DNS of locahost and the other servers via IPv6 (''db.1'' and ''db.2001:610:120:e120''), which have as content: |
− | |||
− | |||
− | |||
− | db.2001:610:120:e120: | + | db.1: |
− | ... | + | ... |
− | 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR quattor-server.nikhef.nl. | + | 1 IN PTR localhost.nikhef.nl. |
− | 3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ce.nikhef.nl. | + | ... |
− | 4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR wn-001.nikhef.nl. | + | db.2001:610:120:e120: |
− | 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR wn-002.nikhef.nl. | + | ... |
− | 6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR torque.nikhef.nl. | + | 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR quattor-server.nikhef.nl. |
− | 7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR wms.nikhef.nl. | + | 3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ce.nikhef.nl. |
− | 8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR bdii.nikhef.nl. | + | 4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR wn-001.nikhef.nl. |
− | 9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ui.nikhef.nl. | + | 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR wn-002.nikhef.nl. |
− | ... | + | 6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR torque.nikhef.nl. |
+ | 7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR wms.nikhef.nl. | ||
+ | 8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR bdii.nikhef.nl. | ||
+ | 9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ui.nikhef.nl. | ||
+ | ... | ||
− | For the direct resolution, I just need to make modifications in /var/named/data/db.nikhef.nl: | + | For the direct resolution, I just need to make modifications in ''/var/named/data/db.nikhef.nl'': |
− | nikhef.nl. IN A 10.50.50.1 | + | nikhef.nl. IN A 10.50.50.1 |
− | + | IN AAAA 2001:610:120:e120::1 | |
− | localhost IN A 127.0.0.1 | + | localhost IN A 127.0.0.1 |
− | + | IN AAAA ::1 | |
− | quattor-server.nikhef.nl. IN A 10.50.50.2 | + | quattor-server.nikhef.nl. IN A 10.50.50.2 |
− | + | IN AAAA 2001:610:120:e120::2 | |
− | ce.nikhef.nl. IN A 10.50.50.3 | + | ce.nikhef.nl. IN A 10.50.50.3 |
− | + | IN AAAA 2001:610:120:e120::3 | |
− | wn-001.nikhef.nl. IN A 10.50.50.4 | + | wn-001.nikhef.nl. IN A 10.50.50.4 |
− | + | IN AAAA 2001:610:120:e120::4 | |
− | wn-002.nikhef.nl. IN A 10.50.50.5 | + | wn-002.nikhef.nl. IN A 10.50.50.5 |
− | + | IN AAAA 2001:610:120:e120::5 | |
− | torque.nikhef.nl. IN A 10.50.50.6 | + | torque.nikhef.nl. IN A 10.50.50.6 |
− | + | IN AAAA 2001:610:120:e120::6 | |
− | wms.nikhef.nl. IN A 10.50.50.7 | + | wms.nikhef.nl. IN A 10.50.50.7 |
− | + | IN AAAA 2001:610:120:e120::7 | |
− | bdii.nikhef.nl. IN A 10.50.50.8 | + | bdii.nikhef.nl. IN A 10.50.50.8 |
− | + | IN AAAA 2001:610:120:e120::8 | |
− | ui.nikhef.nl. IN A 10.50.50.9 | + | ui.nikhef.nl. IN A 10.50.50.9 |
− | + | IN AAAA 2001:610:120:e120::9 | |
− | + | == The templates == | |
Since the original schema only supports one IP per interface, some changes were necessary, in order to support two IPs for the interface. | Since the original schema only supports one IP per interface, some changes were necessary, in order to support two IPs for the interface. | ||
− | + | ||
+ | === $L/cfg/standard/components/network/config.tpl === | ||
+ | |||
This template invokes the installation of the network component, and since the new version needs to be installed, I just changed it to invoke the new one: | This template invokes the installation of the network component, and since the new version needs to be installed, I just changed it to invoke the new one: | ||
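Review bot: the loopback zone added in the DNS section is declared as zone "1::.ip6.arpa", which is not an ip6.arpa nibble name, so a reverse lookup of ::1 will never land in it. The zone name should be the reversed nibble form of the loopback prefix, written the same way as the 0.2.1.e.0.2.1.0.0.1.6.0.1.0.0.2.ip6.arpa zone declared right after it, with the owner name of the PTR record in db.1 adjusted to match. In the same added text the prefix is written 2001:610:120:e120::\64 where /64 is meant, "need need" is doubled, and the following paragraph has "locahost".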
Line 67: | Line 74: | ||
�/software/components/network/version� ?= �1.2.7�; | �/software/components/network/version� ?= �1.2.7�; | ||
+ | === $L/cfg/standard/components/network/core-schema.tpl === | ||
+ | Several solutions were considered for making possible the adaption of the schema to '''IPv6''' addresses. The first one is to change the the definition of ''type_ip'' to: | ||
− | |||
− | |||
type type_ip = { | type type_ip = { | ||
"ipv4" : type_ipv4 | "ipv4" : type_ipv4 | ||
"ipv6" ? type_ipv6 | "ipv6" ? type_ipv6 | ||
}; | }; | ||
− | |||
− | |||
− | |||
− | |||
− | + | This one was quickly out, since this would need more changes in the network component, and since so far sites use only IPv4, it would make no sense to have a ''type_ip'' with only one parameter. | |
− | + | ||
− | + | The second one was to define ''ip'' as ''type_ip[]'' in the ''structure_interface'' and ''structure_interface_alias'', but this also would make more difficult the changes in the component. | |
− | + | ||
− | + | Finally, the third solution, which is the adopted one, just includes some extra parameters in the types ''structure_network'', ''structure_interface'', and ''structure_interface_alias''. I thought that this solution would be the easiest one to implement, since not all the parameters in a structure would need to be defined, so this would be ideal for sites that wanted only IPv4. | |
− | + | The interface (Also the alias) need to include an extra IP (Only ''type_ipv6''). The interface includes the gateway for '''IPv6''' and a parameter to initialize '''IPv6''' in that interface. I have added an asterisk after the new parameters: | |
− | + | type structure_interface_alias = { | |
− | + | "ip" ? type_ip | |
− | + | "ipv6" ? type_ipv6 * | |
− | + | "netmask" : type_ip | |
− | + | "broadcast" ? type_ip | |
− | + | }; | |
− | + | type structure_interface = { | |
− | + | "ip" ? type_ip | |
− | + | "gateway" ? type_ip | |
− | + | "ipv6" ? type_ipv6 * | |
− | + | "gateway6" ? type_ipv6 * | |
− | + | "ipv6init" ? string * | |
− | + | "netmask" ? type_ip | |
− | + | "broadcast" ? type_ip | |
− | + | "driver" ? string | |
− | + | "bootproto" ? string | |
− | + | "onboot" ? string | |
− | + | "type" ? string | |
− | + | "device" ? string | |
− | + | "master" ? string | |
− | + | "mtu" ? long | |
− | + | "route" ? structure_route[] | |
− | + | "aliases" ? structure_interface_alias{} | |
− | + | "set_hwaddr" ? boolean | |
− | + | "bridge" ? string with exists ("/system/network/interfaces/" + SELF) | |
− | + | "bonding_opts" ? structure_bonding_options | |
− | + | "offload" ? structure_ethtool_offload | |
+ | "ring" ? structure_ethtool_ring | ||
+ | "ethtool" ? structure_ethtool | ||
+ | "vlan" ? boolean | ||
+ | "physdev" ? string with exists ("/system/network/interfaces/" + SELF) | ||
+ | }; | ||
This is for the network in general and a default gateway needs to be defined also for IPv6. | This is for the network in general and a default gateway needs to be defined also for IPv6. | ||
− | + | type structure_network = { | |
− | + | "domainname" : type_fqdn | |
− | + | "hostname" : type_shorthostname | |
− | + | "realhostname" ? type_fqdn | |
− | + | "default_gateway" ? type_ip | |
− | + | "gatewaydev" ? string with exists ("/system/network/interfaces/" + SELF) | |
− | + | "default_gateway6" ? type_ipv6 * | |
− | + | "networking_ipv6" ? string * | |
− | + | "interfaces" : structure_interface{} | |
− | + | "nameserver" : type_ip[] | |
− | + | "nisdomain" ? type_fqdn | |
− | + | "nozeroconf" ? boolean | |
− | + | "set_hwaddr" ? boolean | |
− | + | }; | |
− | + | ||
− | This is just to give the value to NETWORKING_IPV6 which enables IPv6 in the server. | + | === $L/cfg/sites/ndpf/site/network.tpl === |
+ | This is just to give the value to ''NETWORKING_IPV6'' which enables '''IPv6''' in the server. | ||
+ | |||
+ | "/system/network/networking_ipv6" = NETWORKING_IPV6; | ||
− | + | === $L/cfg/sites/ndpf/site/global_variables.tpl === | |
− | + | In this template, first I give the real value to ''NETWORKING_IPv6'' (= yes), and then I modify the variable ''NETWORK_PARAMS'' to get the DB in ''myip6'' with the ''HOSTNAME <--> IPv6'' resolution | |
− | In this template, first I give the real value to NETWORKING_IPv6 (= yes), and then I modify the variable NETWORK_PARAMS to get the DB in 'myip6' with the HOSTNAME <--> IPv6 resolution | ||
... | ... | ||
− | #IPv6 | + | |
− | final variable NETWORKING_IPV6 = "yes"; | + | #IPv6 |
− | ... | + | final variable NETWORKING_IPV6 = "yes"; |
− | variable NETWORK_PARAMS = { | + | ... |
+ | variable NETWORK_PARAMS = { | ||
myip = DB_IP[escape(FULL_HOSTNAME)]; | myip = DB_IP[escape(FULL_HOSTNAME)]; | ||
myip6 = DB_IP6[escape(FULL_HOSTNAME)]; | myip6 = DB_IP6[escape(FULL_HOSTNAME)]; | ||
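Review bot: in the core-schema.tpl listings the new "ipv6init" and "networking_ipv6" fields are typed as plain string, although the only value this page ever gives them is "yes" and they end up as flags in the network configuration files. Consider restricting them with a "with" validation clause, as the same structures already do for "bridge" and "physdev", so that a typo in a site template is rejected when the profile is compiled rather than written out to the host. Two wording points in the added text: the variable is spelled NETWORKING_IPv6 in the global_variables.tpl sentence but NETWORKING_IPV6 in the code, and the core-schema paragraph has "the the definition".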
Line 152: | Line 163: | ||
npar["ipv6init"] = ip6init; | npar["ipv6init"] = ip6init; | ||
npar; | npar; | ||
− | }; | + | }; |
− | While I was writing this document, it came to my head that this is going to set to yes NETWORKING_IPV6 and IPV6INIT, either we want it or not; so I need to modify this somehow... I'm thinking of �If myip6 is empty, then don't initialize those two variables� | + | '''TO DO''' |
− | + | While I was writing this document, it came to my head that this is going to set to yes ''NETWORKING_IPV6'' and ''IPV6INIT'', either we want it or not; so I need to modify this somehow... I'm thinking of �If myip6 is empty, then don't initialize those two variables� | |
− | |||
− | + | === $L/cfg/sites/ndpf/site/databases.tpl === | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | This is just the database with the hostnames and their IPs (Copied from ''DB_IP''): | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
+ | final variable DB_IP6 = nlist( | ||
+ | escape("ce.nikhef.nl"),"2001:610:120:e120::3", | ||
+ | escape("wn-001.nikhef.nl"),"2001:610:120:e120::4", | ||
+ | escape("wn-002.nikhef.nl"),"2001:610:120:e120::5", | ||
+ | escape("torque.nikhef.nl"),"2001:610:120:e120::6", | ||
+ | escape("wms.nikhef.nl"),"2001:610:120:e120::7", | ||
+ | escape("bdii.nikhef.nl"),"2001:610:120:e120::8", | ||
+ | escape("ui.nikhef.nl"),"2001:610:120:e120::9", | ||
+ | ); | ||
− | + | === $L/cfg/sites/ndpf/site/config/network-table.tpl === | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
+ | I just included the gateway for '''IPv6''' with its IP: | ||
− | + | final variable NETWORK_TABLE = nlist( | |
+ | "farmnet-public", nlist( | ||
+ | "subnet", "10.50.50.0", | ||
+ | "gateway", "10.50.50.1", | ||
+ | "gateway6", "2001:610:120:e120::1", | ||
+ | "netmask", "255.255.255.0", | ||
+ | "broadcast", "10.255.255.255", | ||
+ | "nameservers", list("10.50.50.2", ) | ||
+ | ), | ||
+ | ); | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
+ | == Network component == | ||
− | + | I've made a diff between the versions ''1.2.6'' and the new version ''1.2.7'', which supports IPv6. Explained in few lines, the component backups the current configuration, it reads from ''/system/network'', and it updates the different files (Mainly ''/etc/sysconfig/network'' and ''/etc/sysconfig/network-scripts/ifcg-eth0'') according to the read information, in case the network tests (With the new info) are successful: | |
− | |||
− | |||
− | |||
− | |||
− | + | The first modification is regarding the variable ''IPV6INIT'', if it's defined (A value was given), then it's included (Same for the rest of the '''IPv6''' parameters defined in the schema): | |
− | |||
− | |||
− | |||
− | + | 250a251,256 | |
− | > | + | > if ($net{$iface}{ipv6init}) { |
− | + | > $text .= "IPV6INIT=".$net{$iface}{ipv6init}."\n"; | |
− | > | + | > } |
− | > | ||
− | + | ''' | |
− | + | '''TO DO''': I need to remove the 'else', since it shouldn't be an error that ''IPV6ADDR'' is not defined (This would be the case of sites with only IPv4): | |
− | |||
− | |||
− | |||
+ | 319a326,332 | ||
+ | > ### set ipv6addr | ||
+ | > if ($net{$iface}{'ipv6'}) { | ||
+ | > $text .= "IPV6ADDR=".$net{$iface}{'ipv6'}."\n"; | ||
+ | > } else { | ||
+ | > $self->error("Using static bootproto and no ", | ||
+ | > "ipv6address configured for $iface"); | ||
+ | > } | ||
+ | 387a401,404 | ||
+ | > if ( $net{$iface}{route}{$rt}{'gateway6'}) {############## NEW FOR IPV6 | ||
+ | > $text .= "IPV6_DEFAULTGW$rt=" . | ||
+ | > $net{$iface}{route}{$rt}{'gateway6'}."\n"; | ||
+ | > } | ||
+ | 406a424,426 | ||
+ | > if ( $net{$iface}{aliases}{$al}{'ipv6'}) { | ||
+ | > $text .= "IPV6ADDR=".$net{$iface}{aliases}{$al}{'ipv6'}."\n"; | ||
+ | > } | ||
+ | 429a450,453 | ||
+ | > ## checking ipv6 networking | ||
+ | > if ($config->elementExists($path."/networking_ipv6")) { | ||
+ | > $text .= "NETWORKING_IPV6=".$config->getValue($path."/networking_ipv6")."\n"; | ||
+ | > } | ||
− | + | 468a493,496 | |
− | This component works with the path /software/components/iptables. After a fist look at the component, it seems that not many changes are needed. | + | > ## ipv6 gateway New for IPv6 |
− | The first one would be in the variable that contains the definition of the different iptables options. I haven't done any change yet, so what you see at '-s' (source) and '-d' (destiny) is for IPv4 addresses, but I guess also that can be improved, because if I'm not wrong, that also allows the address 999.999.999.999. Anyway, I need to find the right regular expression, so that it also allows IPv6 addresses: | + | > if ($config->elementExists($path."/default_gateway6")) { |
− | my %options_arg = ( '-A' => "", #defined as "($regexp_chains)" on a table by table basis | + | > $text .= "IPV6_DEFAULTGW=".$config->getValue($path."/default_gateway6")."\n"; |
+ | > } | ||
+ | |||
+ | |||
+ | == Iptables component == | ||
+ | |||
+ | This component works with the path ''/software/components/iptables''. After a fist look at the component, it seems that not many changes are needed. | ||
+ | The first one would be in the variable that contains the definition of the different iptables options. I haven't done any change yet, so what you see at ''-s'' (source) and ''-d'' (destiny) is for IPv4 addresses, but I guess also that can be improved, because if I'm not wrong, that also allows the address ''999.999.999.999''. Anyway, I need to find the right regular expression, so that it also allows '''IPv6''' addresses: | ||
+ | |||
+ | my %options_arg = ( '-A' => "", #defined as "($regexp_chains)" on a table by table basis | ||
'-D' => "", | '-D' => "", | ||
'-I' => "", | '-I' => "", | ||
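Review bot: the 387a401,404 fragment of the component diff reads gateway6 from $net{$iface}{route}{$rt}, but the schema change on this page adds "gateway6" to structure_interface, and none of the fragments shown reads $net{$iface}{'gateway6'}. Either the interface-level key should be read, or the matching addition to structure_route should be shown. In network-table.tpl, "broadcast", "10.255.255.255" does not match subnet 10.50.50.0 with netmask 255.255.255.0 (10.50.50.255 would), and the file name in the component paragraph reads ifcg-eth0, presumably ifcfg-eth0.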
Line 239: | Line 258: | ||
'-s' => '(\!?\s*\d{0,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\/\d{1,2}){0,1}|\S+)', | '-s' => '(\!?\s*\d{0,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\/\d{1,2}){0,1}|\S+)', | ||
'-d' => '(\!?\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\/\d{1,2}){0,1}|\S+)', | '-d' => '(\!?\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\/\d{1,2}){0,1}|\S+)', | ||
− | ... | + | ... |
+ | |||
+ | I have also copied from the ip6tables man pages some extensions that would need to be included in the options hash table: | ||
− | + | === icmp6 === | |
− | icmp6 | ||
This extension can be used if '--protocol ipv6-icmp' or '--protocol icmpv6' is specified. It provides the following option: | This extension can be used if '--protocol ipv6-icmp' or '--protocol icmpv6' is specified. It provides the following option: | ||
[!] --icmpv6-type type[/code]|typename | [!] --icmpv6-type type[/code]|typename | ||
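Review bot: both the '-s' and '-d' patterns end in the alternative |\S+, so any run of non-whitespace characters is accepted and the dotted-quad part restricts nothing; that is why 999.999.999.999 passes, and it also means an IPv6 literal would already pass without any change. If the intent is to validate addresses, drop the catch-all or limit it to a hostname pattern, anchor the expression, and check the octet range and prefix length explicitly; for IPv6 a dedicated address parser is a safer choice than a regular expression. The '-s' pattern also starts with \d{0,3} where '-d' uses \d{1,3}, which lets an empty first octet through for source addresses only.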
Line 248: | Line 268: | ||
ip6tables -p ipv6-icmp -h | ip6tables -p ipv6-icmp -h | ||
− | ipv6header | + | === ipv6header === |
This module matches IPv6 extension headers and/or upper layer header. | This module matches IPv6 extension headers and/or upper layer header. | ||
--soft | --soft |