Server, perhaps connected with IPv6

Root server with IPv6-only KVM guests (IV): The IPv6-first guide 1


Root ser­ver with IPv6-only KVM guests

About two years ago I star­ted imple­men­ting a ser­ver set­up which is based on vir­tu­al machi­nes for the ser­vices and a phy­si­cal host orches­tra­ting them. The spe­cial fea­ture was that all vir­tu­al machi­nes are only con­nec­ted via IPv6. I only nee­ded IPv4 on the phy­si­cal host and on vir­tu­al machi­nes with ser­vices whe­re an exter­nal IP pro­to­col con­ver­si­on was impos­si­ble (hel­lo, e‑mail…).

Server, perhaps connected with IPv6

Ser­ver, perhaps con­nec­ted with IPv6

Ori­gi­nal­ly, I plan­ned five to six arti­cles in this seri­es. I publis­hed three: One about the basic set­up of the phy­si­cal host, one about the basic set­up of the vir­tu­al machi­nes and one about how to imple­ment an e‑mail ser­ver on this set­up. Unfor­tu­n­a­te­ly, things got a bit stuck after that. The arti­cles about web ser­vers, inte­gra­ti­on with Let’s Encrypt and imple­men­ting a Crypt­pad instance were somehow finis­hed but I never got them „over the line” and online.

Nevertheless, I used my com­pu­ter with all the­se sche­mes con­stant­ly (and still use it, you just read this arti­cle on it…) and even star­ted imple­men­ting it on other sys­tems. I found some mista­kes and short­co­mings in the set­up and cor­rec­ted them in the blog arti­cles. I even got some amount of feed­back from peop­le who – suc­cess­ful­ly – used my inst­ruc­tions to imple­ment the descri­bed IPv6-based ser­ver sche­mes on their own ser­vers. Marvellous!

By July 2020, two things hap­pen­ed – total­ly unre­la­ted but almost at the same time. First was a leng­thy con­ver­sa­ti­on with a rea­der of my arti­cles. He tried to imple­ment the ser­ver with Ubun­tu 20.04 and ran into stran­ge pro­blems. I also had tried this set­up once by the end of May 2020, but I did not dig real­ly deep into it and over­saw the problems.

The second thing was my com­pa­ny. We deci­ded to move some pro­duc­tion sys­tems onto a new ser­ver clus­ter and tho­se ser­vers should – for the first time – also be vir­tua­li­zed and IPv6-based for the main com­mu­ni­ca­ti­on channels.

Both inci­dents lead me deeper into my set­up again. I che­cked the Ubun­tu 20.04 pro­blems and was able to cir­cum­vent the pro­blem, which I think is rai­sed by the sys­temd-net­workd dae­mon. I fixed some quirks in the IPv4 con­fi­gu­ra­ti­on. I added infor­ma­ti­on about rou­ting, fixed a bunch of – well – incor­rect state­ments and over­all brought the docu­ments back in shape.

And I deci­ded, that some blog arti­cles are not suf­fi­ci­ent as base for the ongo­ing work on this docu­men­ta­ti­on. So, I moved ever­ything into Asciidoc docu­ments, reor­ga­ni­zed and sor­ted it and made a „real” lar­ge gui­de docu­ment of it (which I some­ti­mes refer to as „book”…).

So, bad news: Today, the arti­cle seri­es about IPv6 net­wor­king on KVM set­ups in this blog ends. But, good news: It is repla­ced by a much bet­ter docu­ment! Just look for

The IPv6 First Gui­de – Net­work Con­fi­gu­ra­ti­ons With Linux And KVM

Read it as HTML docu­ment on http://​ipv6​-first​-gui​de​.hill​brecht​.de.

Read it as PDF docu­ment on http://​ipv6​-first​-gui​de​.hill​brecht​.de/​i​p​v​6​-​f​i​r​s​t​-​g​u​i​d​e​.​pdf.

Or down­load or brow­se its Asciidoc sources on https://​git​hub​.com/​d​i​r​k​h​i​l​l​b​r​e​c​h​t​/​i​p​v​6​-​f​i​r​s​t​-​g​u​ide.

The gui­de does not only inclu­de the (updated) con­tent of the blog arti­cles, but also all the stuff which was unpu­blis­hed so far. Namely:

  • How to obtain SSL cer­ti­fi­ca­tes from Let’s encrypt
  • How to set­up web ser­vers on IPv6-only machi­nes and make them acces­si­ble from IPv4 clients
  • How to install a Crypt­pad instance on a IPv6-only machi­ne and make it acces­si­ble from IPv4

The­se are rather lar­ge topics and I am qui­te hap­py that I final­ly mana­ged to publish all this stuff.

I have released the who­le gui­de under the CC-BY-SA licen­se, so feel free to get it, enhan­ce it, cor­rect it.


Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.

Ein Gedanke zu “Root server with IPv6-only KVM guests (IV): The IPv6-first guide

  • Jörg Esser

    Hi Dirk,

    thx for this Guide.
    I almost made it, but got stuck at obtai­ning dhcpV6 ip for the vir­tu­al machine.
    I use virt-install com­mand line and pre­seed file for the
    Debi­an Instal­ler but it should work without preseed.
    Here is my script.
    preseed=”/KVM/preseed.cfg”
    #Over­wri­te MAC if not exist yet.…; \
    echo „Plea­se enter new Host­na­me”; read host;\
    [ ‑z ${mac} ] && mac=$(openssl rand ‑hex 3 | sed „s/\(..\)/\1:/g; s/.$//; s/^/52:54:00:/”);\
    echo „Mac ist: ${mac} und host­na­me ist ${host}”; \
    echo ‑e ‚HTTP/1.1 200 OK\r\n’; cat ${pre­seed} | nc ‑lv 127.0.0.1 8080 ‑q 1 & \
    sudo virt-install –cpu host –virt-type kvm –name ${host} \
    –network=bridge:br0,model=virtio,mac=${mac} \
    –memo­ry 2096 –vcpus=4 \
    –con­trol­ler type=scsi,model=virtio-scsi \
    –disk path=/KVM/${host}.qcow2,format=qcow2,bus=scsi,discard=‚unmap’,cache=none,size=20 \
    –loca­ti­on http://​deb​.debi​an​.org/​d​e​b​i​a​n​/​d​i​s​t​s​/​b​u​s​t​e​r​/​m​a​i​n​/​i​n​s​t​a​l​l​e​r​-​a​m​d​64/ \
    –os-type linux –os-vari­ant debian10 –acce­le­ra­te –hvm \
    –gra­phics spice,keymap=de-de,listen=0.0.0.0 –video qxl –chan­nel spicevmc \
    –con­so­le pty,target_type=serial \
    –initrd-inject=${preseed} \
    –extra-args=„url=http://127.0.0.1:8080/preseed.cfg DEBCONF_DEBUG=5”;

    When debi­an instal­ler try to con­fi­gu­re DHCP it dont get an IP and my sys­log says…

    Feb 23 21:44:44 h2910728 ker­nel: [20908.431781] audit: type=1400 audit(1614113084.037:81): apparmor=„STATUS” operation=„profile_load” profile=„unconfined” name=„libvirt-4baf6ec7-f85f-4ff5-9779-f573f200d1c7” pid=6106 comm=„apparmor_parser”
    Feb 23 21:44:44 h2910728 ker­nel: [20908.530129] audit: type=1400 audit(1614113084.133:82): apparmor=„STATUS” operation=„profile_replace” info=„same as cur­rent pro­fi­le, skip­ping” profile=„unconfined” name=„libvirt-4baf6ec7-f85f-4ff5-9779-f573f200d1c7” pid=6109 comm=„apparmor_parser”
    Feb 23 21:44:44 h2910728 ker­nel: [20908.603012] audit: type=1400 audit(1614113084.209:83): apparmor=„STATUS” operation=„profile_replace” info=„same as cur­rent pro­fi­le, skip­ping” profile=„unconfined” name=„libvirt-4baf6ec7-f85f-4ff5-9779-f573f200d1c7” pid=6112 comm=„apparmor_parser”
    Feb 23 21:44:44 h2910728 systemd-udevd[6117]: Using default inter­face naming sche­me ‚v240’.
    Feb 23 21:44:44 h2910728 ker­nel: [20908.676933] audit: type=1400 audit(1614113084.281:84): apparmor=„STATUS” operation=„profile_replace” info=„same as cur­rent pro­fi­le, skip­ping” profile=„unconfined” name=„libvirt-4baf6ec7-f85f-4ff5-9779-f573f200d1c7” pid=6115 comm=„apparmor_parser”
    Feb 23 21:44:44 h2910728 ker­nel: [20908.680594] br0: port 2(vnet0) ent­e­red blo­cking state
    Feb 23 21:44:44 h2910728 ker­nel: [20908.732107] br0: port 2(vnet0) ent­e­red dis­ab­led state
    Feb 23 21:44:44 h2910728 ker­nel: [20908.742826] device vnet0 ent­e­red pro­mis­cuous mode
    Feb 23 21:44:44 h2910728 systemd-udevd[6117]: link_config: auto­n­ego­tia­ti­on is unset or enab­led, the speed and duplex are not writable.
    Feb 23 21:44:44 h2910728 systemd-networkd[801]: vnet0: Gai­ned carrier
    Feb 23 21:44:44 h2910728 ker­nel: [20908.752990] br0: port 2(vnet0) ent­e­red blo­cking state
    Feb 23 21:44:44 h2910728 ker­nel: [20908.763609] br0: port 2(vnet0) ent­e­red lis­tening state
    Feb 23 21:44:44 h2910728 ker­nel: [20908.849308] audit: type=1400 audit(1614113084.453:85): apparmor=„STATUS” operation=„profile_replace” info=„same as cur­rent pro­fi­le, skip­ping” profile=„unconfined” name=„libvirt-4baf6ec7-f85f-4ff5-9779-f573f200d1c7” pid=6126 comm=„apparmor_parser”
    Feb 23 21:44:45 h2910728 ntpd[871]: bind(27) AF_INET6 fe80::fc54:ff:fe2a:2faf%18#123 flags 0x11 fai­led: Can­not assign reques­ted address
    Feb 23 21:44:45 h2910728 ntpd[871]: unab­le to crea­te socket on vnet0 (24) for fe80::fc54:ff:fe2a:2faf%18#123
    Feb 23 21:44:45 h2910728 ntpd[871]: fai­led to init inter­face for address fe80::fc54:ff:fe2a:2faf%18
    Feb 23 21:44:45 h2910728 systemd-networkd[801]: vnet0: Gai­ned IPv6LL
    Feb 23 21:44:47 h2910728 ntpd[871]: Lis­ten nor­mal­ly on 25 vnet0 [fe80::fc54:ff:fe2a:2faf%18]:123
    Feb 23 21:44:47 h2910728 ntpd[871]: new interface(s) found: waking up resolver
    Feb 23 21:44:59 h2910728 ker­nel: [20923.782886] br0: port 2(vnet0) ent­e­red lear­ning state
    Feb 23 21:45:14 h2910728 ker­nel: [20938.887015] br0: port 2(vnet0) ent­e­red for­war­ding state
    Feb 23 21:45:14 h2910728 ker­nel: [20938.897935] br0: topo­lo­gy chan­ge detec­ted, propagating

    Any Ide­as?