diff --git a/Makefile b/Makefile
index 22b5ac5..fccd525 100644
--- a/Makefile
+++ b/Makefile
@@ -97,6 +97,9 @@ external_network:
 --driver=bridge \
 --gateway=203.0.113.1 \
 --subnet=203.0.113.0/24 \
+ --ipv6 \
+ --gateway=2001:db8:1::1 \
+ --subnet=2001:db8:1::/64 \
 --opt "com.docker.network.driver.mtu=9000" \
 --opt "com.docker.network.bridge.name=mini_lab_ext" \
 --opt "com.docker.network.bridge.enable_ip_masquerade=true" && \
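Review bot: The three added lines fix the IPv6 plan for mini_lab_ext (`2001:db8:1::/64`, host gateway `2001:db8:1::1`) that the rest of this commit hard-codes elsewhere — frr.conf's `ipv6 route ::/0 2001:db8:1::1` and `ipv6 address 2001:db8:1::2/64`, the www container's `2001:db8:1::3/64`, and the curl target in connect-to-www-ipv6 — yet nothing here records that these addresses are shared. A comment above `--ipv6 \` would spare the next reader a cross-file search: `# IPv6 on mini_lab_ext: ::1 = docker bridge gateway (default v6 route of inet), ::2 = inet ext, ::3 = www`. Whether `enable_ip_masquerade` also covers the v6 side depends on the Docker daemon's ip6tables setting, which is not visible here; since 2001:db8::/32 is a documentation prefix, egress beyond the host only works if the host masquerades it, so that assumption belongs in the same comment. The external_network recipe begins before the hunk.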
@@ -134,11 +137,11 @@ _public_ips: env
 .PHONY: machine
 machine: _privatenet _public_ips
- docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl machine create --description test --name test --hostname test --project 00000000-0000-0000-0000-000000000001 --partition mini-lab --image $(MACHINE_OS) --size v1-small-x86 --userdata "@/tmp/ignition.json" --ips 203.0.113.130 --networks internet-mini-lab,$(shell docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl network list --name user-private-network -o template --template '{{ .id }}')
+ docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl machine create --description test --name test --hostname test --project 00000000-0000-0000-0000-000000000001 --partition mini-lab --image $(MACHINE_OS) --size v1-small-x86 --userdata "@/tmp/ignition.json" --networks $(shell docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl network list --name user-private-network -o template --template '{{ .id }}')
 .PHONY: firewall
 firewall: _privatenet _public_ips
- docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl firewall create --description fw --name fw --hostname fw --project 00000000-0000-0000-0000-000000000001 --partition mini-lab --image firewall-ubuntu-3.0 --size v1-small-x86 --userdata "@/tmp/ignition.json" --ips 203.0.113.129 --firewall-rules-file=/tmp/rules.yaml --networks internet-mini-lab,$(shell docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl network list --name user-private-network -o template --template '{{ .id }}')
+ docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl firewall create --description fw --name fw --hostname fw --project 00000000-0000-0000-0000-000000000001 --partition mini-lab --image firewall-ubuntu-3.0 --size v1-small-x86 --userdata "@/tmp/ignition.json" --firewall-rules-file=/tmp/rules.yaml --networks internet-mini-lab,$(shell docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl network list --name user-private-network -o template --template '{{ .id }}')
 # IPv6
 .PHONY: _privatenet6
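Review bot: The new `machine create` line drops both `--ips 203.0.113.130` and the `internet-mini-lab` network, so the test machine no longer has a fixed public address, yet the integration.sh hunk at the end of this diff still runs `ssh … metal@203.0.113.130 -C exit` as its unchanged "Test connectivity from outside" step. Unless something not shown here (the `ssh-machine` target, or forwarding on the firewall) still reaches the machine at that address, that step can no longer pass. Either keep `--ips 203.0.113.130 --networks internet-mini-lab,$(shell …)` for the machine, or change the test to resolve the machine's allocated address with a `metalctl` query instead of a literal. The firewall line only loses its fixed `--ips 203.0.113.129`, so its public address is now allocated too; the FWIP lookup added in the later hunk handles the v6 side, but nothing resolves the v4 side for the test.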
@@ -273,6 +276,47 @@ connect-to-www:
 fi; \
 done
+.PHONY: connect-to-www-ipv6
+connect-to-www-ipv6:
+ @echo "Attempting to connect to container www..."
+ @for i in $$(seq 1 $(MAX_RETRIES)); do \
+ if $(MAKE) ssh-machine COMMAND="sudo curl --connect-timeout 1 --fail --silent http://[2001:db8:1::3]" > /dev/null 2>&1; then \
+ echo "Connected successfully"; \
+ exit 0; \
+ else \
+ echo "Connection failed"; \
+ if [ $$i -lt $(MAX_RETRIES) ]; then \
+ echo "Retrying in 2 seconds..."; \
+ sleep 2; \
+ else \
+ echo "Max retries reached"; \
+ exit 1; \
+ fi; \
+ fi; \
+ done
+
+FWIP := $(shell metalctl network ip list --name fw --network $(shell metalctl network list --name user-private-network -o template --template '{{ .id }}') -o template --template "{{ .ipaddress }}" --addressfamily IPv6 )
+
+.PHONY: connect-to-node-exporter-on-firewall
+connect-to-node-exporter-on-firewall:
+ @echo "Attempting to connect to node exporter on the firewall"
+ echo "Firewall IP: $(FWIP)"
+ @for i in $$(seq 1 $(MAX_RETRIES)); do \
+ if $(MAKE) ssh-machine COMMAND="sudo curl --connect-timeout 1 --fail --silent http://[$(FWIP)]:9100/metrics" > /dev/null 2>&1; then \
+ echo "Connected successfully"; \
+ exit 0; \
+ else \
+ echo "Connection failed"; \
+ if [ $$i -lt $(MAX_RETRIES) ]; then \
+ echo "Retrying in 2 seconds..."; \
+ sleep 2; \
+ else \
+ echo "Max retries reached"; \
+ exit 1; \
+ fi; \
+ fi; \
+ done
+
 ## DEV TARGETS ##
 .PHONY: dev-env
diff --git a/README.md b/README.md
index cf1ce25..94f5c62 100644
--- a/README.md
+++ b/README.md
@@ -30,12 +30,6 @@ The mini-lab is a small, virtual setup to locally run the metal-stack. It deploy
 Here is some code that should help you to set up most of the requirements:
 ```bash
-# Enable IPv6 for docker
-# cat /etc/docker/daemon.json
-{
- "ipv6": true,
- "fixed-cidr-v6": "2001:db8:1::/64"
-}
 # systemctl restart docker if changes where made to this file
 # If UFW enabled.
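Review bot: `FWIP := $(shell metalctl network ip list …)` is simply-expanded, so both `metalctl` lookups run at parse time on every `make` invocation — `make machine`, `make clean`, anything — before a firewall named `fw` necessarily exists, and they call a host-installed `metalctl` while every other target in this file reaches it through `docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl`. When the lookup comes back empty, connect-to-node-exporter-on-firewall goes on to curl `http://[]:9100/metrics` for MAX_RETRIES rounds and reports only a generic connection failure. Making the variable recursively expanded and routing it through compose defers the lookup to the recipe that uses it: `FWIP = $(shell docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl network ip list --name fw --network $(shell docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl network list --name user-private-network -o template --template '{{ .id }}') -o template --template "{{ .ipaddress }}" --addressfamily IPv6)`, and a guard as the first recipe line, `@test -n "$(FWIP)" || { echo "no IPv6 address found for firewall fw"; exit 1; }`, turns the empty case into a clear failure. The two new retry loops are verbatim copies of connect-to-www's (whose body starts before the hunk); a `define` template parameterised on the URL would keep the three in one place.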
diff --git a/files/inet/frr.conf b/files/inet/frr.conf
index fd5a1eb..b69f4cd 100644
--- a/files/inet/frr.conf
+++ b/files/inet/frr.conf
@@ -6,7 +6,7 @@ ipv6 forwarding
 vrf vrfInternet
 vni 104009
 ip route 0.0.0.0/0 203.0.113.1
- ipv6 route ::/0 2001:db8:1::42
+ ipv6 route ::/0 2001:db8:1::1
 exit-vrf
 !
 interface eth1
@@ -19,6 +19,7 @@ interface eth2
 !
 interface ext
 ip address 203.0.113.2/24
+ ipv6 address 2001:db8:1::2/64
 !
 interface lo
 ip address 10.0.0.21/32
diff --git a/files/inet/network.sh b/files/inet/network.sh
index 54265bb..f71ff75 100644
--- a/files/inet/network.sh
+++ b/files/inet/network.sh
@@ -26,6 +26,3 @@ bridge vlan del vid 1 untagged pvid dev vniInternet
 bridge vlan add vid 1000 dev vniInternet
 bridge vlan add vid 1000 untagged pvid dev vniInternet
 ip link set up dev vniInternet
-
-# Does not have a ipv6 address on eth0 on startup, fix this
-ip ad add 2001:db8:1::42/64 dev eth0
\ No newline at end of file
diff --git a/files/rules.yaml b/files/rules.yaml
index 55f7595..4b97f8d 100644
--- a/files/rules.yaml
+++ b/files/rules.yaml
@@ -6,6 +6,12 @@ egress:
 protocol: TCP
 to:
 - 0.0.0.0/0
+ - comment: allow outgoing http
+ ports:
+ - 80
+ protocol: TCP
+ to:
+ - ::/0
 - comment: allow outgoing https
 ports:
 - 443
diff --git a/inventories/group_vars/control-plane/metal.yml b/inventories/group_vars/control-plane/metal.yml
index 344603e..eb5520c 100644
--- a/inventories/group_vars/control-plane/metal.yml
+++ b/inventories/group_vars/control-plane/metal.yml
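Review bot: The new `ipv6 route ::/0 2001:db8:1::1` in vrfInternet hands every non-lab IPv6 packet to the docker bridge gateway that the Makefile's external_network target creates, and `ipv6 address 2001:db8:1::2/64` on `ext` replaces the `2001:db8:1::42/64` that network.sh used to add on eth0 (deleted in the next hunk); neither the cross-file coupling nor the renumbering is recorded in the config. A line of FRR comment above each would make the dependency visible: `! next hop is the mini_lab_ext docker gateway (Makefile: external_network --gateway)` above the route, and `! replaces the ::42/64 formerly added to eth0 by network.sh` above the address. Because 2001:db8::/32 is a documentation prefix, this default route only delivers reachability if the host masquerades or routes it, which is worth stating in the same comment. The vrf stanza and the interface block both extend beyond the hunk.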
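Review bot: The new egress rule opens plaintext HTTP (TCP/80) to `::/0`, but the hunk adds no IPv6 destination to the `allow outgoing https` rule that follows it; that rule's `to:` list lies past the end of the hunk, and if it still holds only `0.0.0.0/0` the firewall will permit unencrypted HTTP over IPv6 while denying HTTPS over IPv6 — the inverse of the posture one would want, and just enough to satisfy the `connect-to-www-ipv6` check. Add `- ::/0` to the https rule's `to:` as well (or, if the rule format accepts mixed families, list both prefixes under one `to:` per port), so v4 and v6 egress policy stay symmetric. A short `comment` distinguishing the v6 rule from its v4 twin, e.g. `allow outgoing http (IPv6)`, would also help when reading firewall logs. The first egress rule's `comment`/`ports` lines start before the hunk.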
@@ -18,7 +18,8 @@ metal_api_images:
 name: Firewall 3 Ubuntu
 description: Firewall 3 Ubuntu Latest Release
 # url: https://images.metal-stack.io/metal-os/{{ metal_api_latest_os_image_release_name }}/firewall/3.0-ubuntu/img.tar.lz4
- url: https://images.metal-stack.io/metal-os/pull_requests/247-ipv6-support/firewall/3.0-ubuntu/img.tar.lz4
+ url: https://images.metal-stack.io/metal-os/pull_requests/252-allow-ipv6-firewall-rules/firewall/3.0-ubuntu/img.tar.lz4
+ # url: https://images.metal-stack.io/metal-os/stable/firewall/3.0-ubuntu/img.tar.lz4
 features:
 - firewall
 - id: ubuntu-24.04
@@ -82,7 +83,7 @@ metal_api_networks:
 vrf: 104009
 prefixes:
 - 203.0.113.128/25
- - 2001:db8:3::/48
+ - 2001:db8:1:1::/80
 labels:
 network.metal-stack.io/default: ""
 network.metal-stack.io/default-external: ""
diff --git a/mini-lab.sonic.yaml b/mini-lab.sonic.yaml
index 4e2e82d..73c6863 100644
--- a/mini-lab.sonic.yaml
+++ b/mini-lab.sonic.yaml
@@ -48,6 +48,9 @@ topology:
 exec:
 - ip addr add 203.0.113.3/24 dev ext
 - ip route add 203.0.113.128/25 via 203.0.113.2 dev ext
+ - ip -6 addr add 2001:db8:1::3/64 dev ext
+ - ip -6 route add 2001:db8:2::/64 via 2001:db8:1::2 dev ext
+ - ip -6 route add 2001:db8:1:1::/64 via 2001:db8:1::2 dev ext
 links:
 - endpoints: ["inet:ext", "mini_lab_ext:inet"]
 mtu: 9000
diff --git a/test/integration.sh b/test/integration.sh
index 543583e..91964db 100755
--- a/test/integration.sh
+++ b/test/integration.sh
@@ -45,6 +45,9 @@ echo "$phoned/$minPhoned machines have phoned home"
 echo "Test connectivity to outside"
 make connect-to-www
+echo "Test connectivity to outside ipv6"
+make connect-to-www-ipv6
+
 echo "Test connectivity from outside"
 ssh -o StrictHostKeyChecking=no -o "PubkeyAcceptedKeyTypes +ssh-rsa" -i files/ssh/id_rsa metal@203.0.113.130 -C exit
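Review bot: The firewall image `url` now points at a pull-request build path (`pull_requests/252-allow-ipv6-firewall-rules/…`) while the stable location is left as a commented-out line with nothing marking the switch as temporary; PR artifacts are unreleased, not immutable, and usually disappear once the branch is merged or deleted, so the lab will break silently and anyone reproducing it pulls whatever sits at that path at the time. Record the intent on the line itself, e.g. `# TEMPORARY: PR build needed for IPv6 firewall rules; revert to the stable URL below once released`, and if a checksum or digest is published alongside `img.tar.lz4`, pin it here. The removed line already pointed at another PR build (`247-ipv6-support`), so this is the second such pin in a row and probably deserves a tracking issue rather than comment churn.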
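Review bot: The internet network's IPv6 prefix becomes `2001:db8:1:1::/80` here, but the route this commit installs on the www container in mini-lab.sonic.yaml, `ip -6 route add 2001:db8:1:1::/64 via 2001:db8:1::2 dev ext`, covers the enclosing /64; it works because the /64 contains the /80, yet the two files now disagree on the allocation range, and a /80 is an unusual size for machine addressing (the previous value was a /48). If the /80 is deliberate, align the www route to `2001:db8:1:1::/80` or add a comment beside the prefix saying why the route is wider; otherwise use /64 in both places. The `2001:db8:2::/64` route in the same sonic hunk has no counterpart visible in this diff — presumably the private network's v6 prefix defined elsewhere — so a one-line comment naming what it is would help there as well.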