Indeed - I'm testing in an advanced networking zone, so we didn't bother doing the support pack installation. That would be the difference.
I think your scripts will work, excluding the error condition that my environment introduces. IMO - if that pack isn't required, then we should expect to see environments like the one I'm using right now.

-chip

On Mon, Jul 30, 2012 at 11:07 AM, Hugo Trippaers <htrippa...@schubergphilis.com> wrote:
> Hey Chip,
>
> Think I found it. Do you have the cloud support pack
> (http://download.cloud.com/releases/3.0.1/XS-6.0.2/xenserver-cloud-supp.tgz)
> installed? My guess is you don't.
>
> During the firstboot of xen the file "/etc/modprobe.d/disable-ipv6" is
> removed by that pack. This enables IPv6, which is indeed disabled by default
> by XenServer.
>
> We (or actually the Cloudstack basic install guide) actively promotes that
> this should be installed to enable security groups.
>
> Cheers,
>
> Hugo
>
> -----Original Message-----
> From: Chip Childers [mailto:chip.child...@sungard.com]
> Sent: Monday, July 30, 2012 4:57 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: Disable IPv6 for systemvm
>
> Looks like we are using the same version, but different configuration?:
>
> # uname -a
> Linux xshost2 2.6.32.12-0.7.1.xs6.0.2.542.170665xen #1 SMP Tue Jan 17 15:14:24 EST 2012 i686 i686 i386 GNU/Linux
>
> # cat /etc/redhat-release
> XenServer release 6.0.2-53456p (xenenterprise)
>
> # ls /proc/sys/net/ipv6/conf/all/autoconf
> ls: /proc/sys/net/ipv6/conf/all/autoconf: No such file or directory
>
> I can't get a simple ipv6 table list, because the protocol
> # ip6tables -L
> ip6tables v1.3.5: can't initialize ip6tables table `filter': Address family not supported by protocol
> Perhaps ip6tables or your kernel needs to be upgraded.
>
> The ip6tables commands will fail with the above error if it's not enabled.
> Other than that, I think the script would work (if v6 is enabled on the host).
>
> On Mon, Jul 30, 2012 at 10:44 AM, Hugo Trippaers
> <htrippa...@schubergphilis.com> wrote:
>> Hey Chip,
>>
>> Interesting, which version are you using?
>>
>> My box:
>> Linux XXXXXX 2.6.32.12-0.7.1.xs6.0.2.542.170665xen #1 SMP Tue Jan 17 15:14:24 EST 2012 i686 i686 i386 GNU/Linux
>> [root@XXXXX ~]# cat /etc/redhat-release
>> XenServer release 6.0.2-53456p (xenenterprise)
>> [root@XXXXX ~]# ls /proc/sys/net/ipv6/conf/all/autoconf
>> /proc/sys/net/ipv6/conf/all/autoconf
>> [root@XXXXX ~]# cat /proc/sys/net/ipv6/conf/all/autoconf
>> 1
>>
>> Btw I plan to add this to setupxenserver.sh:
>> # setup ip6tables
>> if [ -x "/sbin/ip6tables" ] ; then
>>     /sbin/ip6tables -P INPUT DROP
>>     /sbin/ip6tables -P OUTPUT DROP
>>     /sbin/ip6tables -P FORWARD DROP
>>     if [ -x "/etc/init.d/ip6tables" ] ; then
>>         /etc/init.d/ip6tables save
>>     fi
>> fi
>>
>> # disable IPv6
>> if [ -d "/proc/sys/net/ipv6/conf/all" ] ; then
>>     /sbin/sysctl -w net.ipv6.conf.all.forwarding=0
>>     /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0
>>     /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
>>     /sbin/sysctl -w net.ipv6.conf.all.autoconf=0
>>     /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1
>> fi
>>
>> Cheers,
>>
>> Hugo
>>
>> -----Original Message-----
>> From: Chip Childers [mailto:chip.child...@sungard.com]
>> Sent: Monday, July 30, 2012 4:06 PM
>> To: <cloudstack-dev@incubator.apache.org>
>> Subject: Re: Disable IPv6 for systemvm
>>
>> The latest Xen Server install seems to have IPv6 disabled (just checked in
>> my lab). Is it enabled in XCP?
>>
>> (I may be showing my Xen ignorance here)
>>
>> - chip
>>
>> On Jul 30, 2012, at 9:24 AM, Hugo Trippaers <htrippa...@schubergphilis.com>
>> wrote:
>>
>>> Hey Chip,
>>>
>>> Yeah, I want help :-)
>>>
>>> I just committed the sysctl.conf changes for the systemvm. This morning I
>>> applied them to my test environment and they do the job.
>>>
>>> We could add the actual sysctl command to the vmops next to adding the IPv6
>>> ip6tables statements I think.
>>>
>>> Cheers,
>>>
>>> Hugo
>>>
>>>
>>> -----Original Message-----
>>> From: Chip Childers [mailto:chip.child...@sungard.com]
>>> Sent: Monday, July 30, 2012 3:13 PM
>>> To: cloudstack-dev@incubator.apache.org
>>> Subject: Re: Disable IPv6 for systemvm
>>>
>>> On Mon, Jul 30, 2012 at 7:32 AM, Hugo Trippaers
>>> <htrippa...@schubergphilis.com> wrote:
>>>> By the way, we might want to add the same configuration to vmops for
>>>> XenServer.
>>>>
>>>> Currently it is possible to have a tenant vm send a router advertisement
>>>> on the isolated lan that is picked up by XenServer. Even though XenServer
>>>> only has a bridge interface in the tenant lan that interface will be
>>>> autoconfigured. A simple ping to the local all-node address (ff02::1) will
>>>> tell you the mac of the XenServer interface. As XenServer has ssh
>>>> active on all interfaces you can directly connect to the ssh daemon on the
>>>> XenServer. We only push an IPv4 firewall to the XenServer so the IPv6
>>>> firewall is default (ACCEPT everything).
>>>>
>>>> Still you only gain access to the ssh port, but that is something that
>>>> should not be possible from a tenant lan.
>>>>
>>>> Cheers,
>>>>
>>>> Hugo
>>>
>>> As a provider, this one is even more concerning. Unless someone has an
>>> objection, I'd agree with your solution. We can remove a DENY rule in the
>>> future, after IPv6 support is added properly / completely.
>>>
>>> If you want help working up the fix for this, please let me know!
>>>
>>> -chip
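
Added example, not part of the thread and not CloudStack code: a read-only audit that tells apart the two host states discussed above (IPv6 sysctl tree absent versus IPv6 enabled) and lists which of the sysctls from the quoted snippet are not at the value it sets. The function names and the optional ROOT argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only audit of the IPv6 sysctls
# named in the quoted setupxenserver.sh snippet. The optional ROOT argument is
# an assumption of this example so the logic can run against a constructed tree.

# ipv6_state [ROOT] -> "absent" when the kernel exposes no IPv6 sysctl tree
# (the host without the support pack), "disabled" when disable_ipv6=1,
# otherwise "enabled".
ipv6_state() {
    dir="${1:-}/proc/sys/net/ipv6/conf/all"
    if [ ! -d "$dir" ]; then
        echo absent
    elif [ "$(cat "$dir/disable_ipv6" 2>/dev/null)" = "1" ]; then
        echo disabled
    else
        echo enabled
    fi
}

# ipv6_findings [ROOT] -> one "key=actual (want N)" line per sysctl that
# differs from the value the snippet sets; prints nothing on a compliant host.
ipv6_findings() {
    dir="${1:-}/proc/sys/net/ipv6/conf/all"
    [ -d "$dir" ] || return 0      # no IPv6 stack loaded: nothing to audit
    for pair in forwarding=0 accept_ra=0 accept_redirects=0 autoconf=0 disable_ipv6=1; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(cat "$dir/$key" 2>/dev/null || echo missing)
        [ "$have" = "$want" ] || echo "net.ipv6.conf.all.$key=$have (want $want)"
    done
}

# ip6tables_usable -> succeeds only if the binary exists and the filter table
# can be listed. With IPv6 unloaded the listing fails with "Address family not
# supported by protocol", so a setup script should skip the DROP policies.
ip6tables_usable() {
    [ -x /sbin/ip6tables ] && /sbin/ip6tables -L -n >/dev/null 2>&1
}

# Report for the local host when run directly.
echo "IPv6 state: $(ipv6_state)"
ipv6_findings
ip6tables_usable || echo "ip6tables not usable here (IPv6 unloaded, or not root)"
```

Guarding the ip6tables policy commands with ip6tables_usable avoids the error condition on hosts where the support pack was never installed, while ipv6_findings shows what still needs setting on hosts where it was.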