Make ipv6 work to the outside
majst01 committed Aug 8, 2024
1 parent d7403b0 commit 9dd32fb
Showing 8 changed files with 63 additions and 14 deletions.
48 changes: 46 additions & 2 deletions Makefile
Expand Up @@ -97,6 +97,9 @@ external_network:
--driver=bridge \
--gateway=203.0.113.1 \
--subnet=203.0.113.0/24 \
--ipv6 \
--gateway=2001:db8:1::1 \
--subnet=2001:db8:1::/64 \
--opt "com.docker.network.driver.mtu=9000" \
--opt "com.docker.network.bridge.name=mini_lab_ext" \
--opt "com.docker.network.bridge.enable_ip_masquerade=true" && \
Expand Down Expand Up @@ -134,11 +137,11 @@ _public_ips: env

.PHONY: machine
machine: _privatenet _public_ips
docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl machine create --description test --name test --hostname test --project 00000000-0000-0000-0000-000000000001 --partition mini-lab --image $(MACHINE_OS) --size v1-small-x86 --userdata "@/tmp/ignition.json" --ips 203.0.113.130 --networks internet-mini-lab,$(shell docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl network list --name user-private-network -o template --template '{{ .id }}')
docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl machine create --description test --name test --hostname test --project 00000000-0000-0000-0000-000000000001 --partition mini-lab --image $(MACHINE_OS) --size v1-small-x86 --userdata "@/tmp/ignition.json" --networks $(shell docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl network list --name user-private-network -o template --template '{{ .id }}')

.PHONY: firewall
firewall: _privatenet _public_ips
docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl firewall create --description fw --name fw --hostname fw --project 00000000-0000-0000-0000-000000000001 --partition mini-lab --image firewall-ubuntu-3.0 --size v1-small-x86 --userdata "@/tmp/ignition.json" --ips 203.0.113.129 --firewall-rules-file=/tmp/rules.yaml --networks internet-mini-lab,$(shell docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl network list --name user-private-network -o template --template '{{ .id }}')
docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl firewall create --description fw --name fw --hostname fw --project 00000000-0000-0000-0000-000000000001 --partition mini-lab --image firewall-ubuntu-3.0 --size v1-small-x86 --userdata "@/tmp/ignition.json" --firewall-rules-file=/tmp/rules.yaml --networks internet-mini-lab,$(shell docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl network list --name user-private-network -o template --template '{{ .id }}')

# IPv6
.PHONY: _privatenet6
Expand Down Expand Up @@ -273,6 +276,47 @@ connect-to-www:
fi; \
done

.PHONY: connect-to-www-ipv6
connect-to-www-ipv6:
@echo "Attempting to connect to container www..."
@for i in $$(seq 1 $(MAX_RETRIES)); do \
if $(MAKE) ssh-machine COMMAND="sudo curl --connect-timeout 1 --fail --silent http://[2001:db8:1::3]" > /dev/null 2>&1; then \
echo "Connected successfully"; \
exit 0; \
else \
echo "Connection failed"; \
if [ $$i -lt $(MAX_RETRIES) ]; then \
echo "Retrying in 2 seconds..."; \
sleep 2; \
else \
echo "Max retries reached"; \
exit 1; \
fi; \
fi; \
done

FWIP := $(shell metalctl network ip list --name fw --network $(shell metalctl network list --name user-private-network -o template --template '{{ .id }}') -o template --template "{{ .ipaddress }}" --addressfamily IPv6 )

.PHONY: connect-to-node-exporter-on-firewall
connect-to-node-exporter-on-firewall:
@echo "Attempting to connect to node exporter on the firewall"
echo "Firewall IP: $(FWIP)"
@for i in $$(seq 1 $(MAX_RETRIES)); do \
if $(MAKE) ssh-machine COMMAND="sudo curl --connect-timeout 1 --fail --silent http://[$(FWIP)]:9100/metrics" > /dev/null 2>&1; then \
echo "Connected successfully"; \
exit 0; \
else \
echo "Connection failed"; \
if [ $$i -lt $(MAX_RETRIES) ]; then \
echo "Retrying in 2 seconds..."; \
sleep 2; \
else \
echo "Max retries reached"; \
exit 1; \
fi; \
fi; \
done

## DEV TARGETS ##

.PHONY: dev-env
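Review bot: `FWIP := $(shell metalctl network ip list ...)` is expanded at parse time, so every `make` invocation for any target runs both `metalctl` calls on the host, and it calls a bare `metalctl` while the other targets in this section go through `docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl`. If the command fails or returns nothing, `FWIP` is silently empty and the curl URL in connect-to-node-exporter-on-firewall becomes `http://[]:9100/metrics`, which then burns all MAX_RETRIES attempts before reporting "Max retries reached" for the wrong reason. Binding it lazily with `FWIP = $(shell ...)` (recursive assignment) limits the calls to targets that reference it, and a guard as the first recipe line, `@test -n "$(FWIP)" || { echo "No IPv6 address found for fw"; exit 1; }`, turns the empty case into an immediate, clear failure. The unsilenced `echo "Firewall IP: $(FWIP)"` would also match its neighbours as `@echo "Firewall IP: $(FWIP)"`.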
6 changes: 0 additions & 6 deletions README.md
Expand Up @@ -30,12 +30,6 @@ The mini-lab is a small, virtual setup to locally run the metal-stack. It deploy
Here is some code that should help you to set up most of the requirements:

```bash
# Enable IPv6 for docker
# cat /etc/docker/daemon.json
{
"ipv6": true,
"fixed-cidr-v6": "2001:db8:1::/64"
}
# systemctl restart docker if changes where made to this file

# If UFW enabled.
3 changes: 2 additions & 1 deletion files/inet/frr.conf
Expand Up @@ -6,7 +6,7 @@ ipv6 forwarding
vrf vrfInternet
vni 104009
ip route 0.0.0.0/0 203.0.113.1
ipv6 route ::/0 2001:db8:1::42
ipv6 route ::/0 2001:db8:1::1
exit-vrf
!
interface eth1
Expand All @@ -19,6 +19,7 @@ interface eth2
!
interface ext
ip address 203.0.113.2/24
ipv6 address 2001:db8:1::2/64
!
interface lo
ip address 10.0.0.21/32
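Review bot: The default-route nexthop `2001:db8:1::1` in vrfInternet is the IPv6 `--gateway` of the docker network created by the Makefile's `external_network` target, and `2001:db8:1::2/64` on `ext` is the nexthop that mini-lab.sonic.yaml routes through; nothing in this file records either dependency, so a later change to the docker subnet would silently break routing. An FRR comment line above the route, `! nexthop = IPv6 gateway of the mini_lab_ext docker network (see Makefile external_network)`, and one above the `ext` address noting that mini-lab.sonic.yaml uses it as a nexthop, would keep the three places in sync.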
3 changes: 0 additions & 3 deletions files/inet/network.sh
Expand Up @@ -26,6 +26,3 @@ bridge vlan del vid 1 untagged pvid dev vniInternet
bridge vlan add vid 1000 dev vniInternet
bridge vlan add vid 1000 untagged pvid dev vniInternet
ip link set up dev vniInternet

# Does not have a ipv6 address on eth0 on startup, fix this
ip ad add 2001:db8:1::42/64 dev eth0
6 changes: 6 additions & 0 deletions files/rules.yaml
Expand Up @@ -6,6 +6,12 @@ egress:
protocol: TCP
to:
- 0.0.0.0/0
- comment: allow outgoing http
ports:
- 80
protocol: TCP
to:
- ::/0
- comment: allow outgoing https
ports:
- 443
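Review bot: The new egress rule opens only TCP/80 to `::/0`; the `allow outgoing https` rule that follows appears to keep its existing destination list (its `to:` entries are outside the hunk), so IPv6 HTTPS egress from the firewall would still be denied while IPv6 HTTP is permitted. If that asymmetry is not intended, add `- ::/0` to the https rule's `to:` list as well. The comment string is also identical to the IPv4 rule's, which makes the two hard to tell apart when rules are listed; `- comment: allow outgoing http (ipv6)` would distinguish them.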
5 changes: 3 additions & 2 deletions inventories/group_vars/control-plane/metal.yml
Expand Up @@ -18,7 +18,8 @@ metal_api_images:
name: Firewall 3 Ubuntu
description: Firewall 3 Ubuntu Latest Release
# url: https://images.metal-stack.io/metal-os/{{ metal_api_latest_os_image_release_name }}/firewall/3.0-ubuntu/img.tar.lz4
url: https://images.metal-stack.io/metal-os/pull_requests/247-ipv6-support/firewall/3.0-ubuntu/img.tar.lz4
url: https://images.metal-stack.io/metal-os/pull_requests/252-allow-ipv6-firewall-rules/firewall/3.0-ubuntu/img.tar.lz4
# url: https://images.metal-stack.io/metal-os/stable/firewall/3.0-ubuntu/img.tar.lz4
features:
- firewall
- id: ubuntu-24.04
Expand Down Expand Up @@ -82,7 +83,7 @@ metal_api_networks:
vrf: 104009
prefixes:
- 203.0.113.128/25
- 2001:db8:3::/48
- 2001:db8:1:1::/80
labels:
network.metal-stack.io/default: ""
network.metal-stack.io/default-external: ""
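Review bot: The firewall image URL appears to move to a pull-request build (`pull_requests/252-allow-ipv6-firewall-rules`) with the release and stable URLs left commented out; PR artifacts are not release-pinned and can be rebuilt or removed, so a lab booting from this path is not reproducible and trusts whatever the PR location serves at boot time. A `# TODO: switch back to the release URL once the PR is merged` next to the active url line keeps that intent visible instead of relying on the commented-out alternatives. Separately, the network prefix `2001:db8:1:1::/80` added here is routed in mini-lab.sonic.yaml as `2001:db8:1:1::/64`; the /64 contains the /80 so traffic still flows, but the two files should state the same prefix length so a later change to one is not silently masked by the other.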
3 changes: 3 additions & 0 deletions mini-lab.sonic.yaml
Expand Up @@ -48,6 +48,9 @@ topology:
exec:
- ip addr add 203.0.113.3/24 dev ext
- ip route add 203.0.113.128/25 via 203.0.113.2 dev ext
- ip -6 addr add 2001:db8:1::3/64 dev ext
- ip -6 route add 2001:db8:2::/64 via 2001:db8:1::2 dev ext
- ip -6 route add 2001:db8:1:1::/64 via 2001:db8:1::2 dev ext
links:
- endpoints: ["inet:ext", "mini_lab_ext:inet"]
mtu: 9000
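Review bot: The www container's address `2001:db8:1::3` added here is what the Makefile's new `connect-to-www-ipv6` target hard-codes in its curl URL, and the nexthop `2001:db8:1::2` is the address configured on the inet router's `ext` interface in files/inet/frr.conf, yet neither exec line says so. A trailing comment such as `# probed by 'make connect-to-www-ipv6'; keep in sync` on the addr line, and `# nexthop = inet ext address in files/inet/frr.conf` on the route lines, would make the coupling visible to the next person changing the prefix. The `2001:db8:2::/64` destination of the second route does not appear elsewhere in this commit, so where that prefix is defined cannot be confirmed from here.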
3 changes: 3 additions & 0 deletions test/integration.sh
Expand Up @@ -45,6 +45,9 @@ echo "$phoned/$minPhoned machines have phoned home"
echo "Test connectivity to outside"
make connect-to-www

echo "Test connectivity to outside ipv6"
make connect-to-www-ipv6

echo "Test connectivity from outside"
ssh -o StrictHostKeyChecking=no -o "PubkeyAcceptedKeyTypes +ssh-rsa" -i files/ssh/id_rsa [email protected] -C exit

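Review bot: Only `connect-to-www-ipv6` is wired into the integration run; the Makefile's other new target, `connect-to-node-exporter-on-firewall`, is not called anywhere in this hunk, so the firewall's IPv6 reachability on port 9100 is never exercised by the test. If it is meant to be part of the check, add `echo "Test connectivity to node exporter on firewall via ipv6"` followed by `make connect-to-node-exporter-on-firewall` after the www check. Note that the Makefile computes its `FWIP` variable with a host-side `metalctl` at parse time, so the machine running this script must have `metalctl` available for that target to return a usable address. The script continues outside the hunk, so the target may already be invoked elsewhere.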
