Make ipv6 work to the outside

majst01 · majst01 · commit 6718f21e79ce · 2024-08-08T14:56:14.000+02:00
diff --git a/Makefile b/Makefile
@@ -97,6 +97,9 @@ external_network:
 			--driver=bridge \
 			--gateway=203.0.113.1 \
 			--subnet=203.0.113.0/24 \
+			--ipv6 \
+			--gateway=2001:db8:1::1 \
+			--subnet=2001:db8:1::/64 \
 			--opt "com.docker.network.driver.mtu=9000" \
 			--opt "com.docker.network.bridge.name=mini_lab_ext" \
 			--opt "com.docker.network.bridge.enable_ip_masquerade=true" && \
@@ -134,11 +137,11 @@ _public_ips: env
 
 .PHONY: machine
 machine: _privatenet _public_ips
-	docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl machine create --description test --name test --hostname test --project 00000000-0000-0000-0000-000000000001 --partition mini-lab --image $(MACHINE_OS) --size v1-small-x86 --userdata "@/tmp/ignition.json" --ips 203.0.113.130 --networks internet-mini-lab,$(shell docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl network list --name user-private-network -o template --template '{{ .id }}')
+	docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl machine create --description test --name test --hostname test --project 00000000-0000-0000-0000-000000000001 --partition mini-lab --image $(MACHINE_OS) --size v1-small-x86 --userdata "@/tmp/ignition.json" --networks $(shell docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl network list --name user-private-network -o template --template '{{ .id }}')
 
 .PHONY: firewall
 firewall: _privatenet _public_ips
-	docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl firewall create --description fw --name fw --hostname fw --project 00000000-0000-0000-0000-000000000001 --partition mini-lab --image firewall-ubuntu-3.0 --size v1-small-x86 --userdata "@/tmp/ignition.json" --ips 203.0.113.129 --firewall-rules-file=/tmp/rules.yaml --networks internet-mini-lab,$(shell docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl network list --name user-private-network -o template --template '{{ .id }}')
+	docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl firewall create --description fw --name fw --hostname fw --project 00000000-0000-0000-0000-000000000001 --partition mini-lab --image firewall-ubuntu-3.0 --size v1-small-x86 --userdata "@/tmp/ignition.json" --firewall-rules-file=/tmp/rules.yaml --networks internet-mini-lab,$(shell docker compose run $(DOCKER_COMPOSE_TTY_ARG) metalctl network list --name user-private-network -o template --template '{{ .id }}')
 
 # IPv6
 .PHONY: _privatenet6
@@ -273,6 +276,47 @@ connect-to-www:
 		fi; \
 	done
 
+.PHONY: connect-to-www-ipv6
+connect-to-www-ipv6:
+	@echo "Attempting to connect to container www..."
+	@for i in $$(seq 1 $(MAX_RETRIES)); do \
+		if $(MAKE) ssh-machine COMMAND="sudo curl --connect-timeout 1 --fail --silent http://[2001:db8:1::3]" > /dev/null 2>&1; then \
+			echo "Connected successfully"; \
+			exit 0; \
+		else \
+			echo "Connection failed"; \
+			if [ $$i -lt $(MAX_RETRIES) ]; then \
+				echo "Retrying in 2 seconds..."; \
+				sleep 2; \
+			else \
+				echo "Max retries reached"; \
+				exit 1; \
+			fi; \
+		fi; \
+	done
+
+FWIP := $(shell metalctl network ip list --name fw --network $(shell metalctl network list --name user-private-network -o template --template '{{ .id }}') -o template --template "{{ .ipaddress }}" --addressfamily IPv6 )
+
+.PHONY: connect-to-node-exporter-on-firewall
+connect-to-node-exporter-on-firewall:
+	@echo "Attempting to connect to node exporter on the firewall"
+	echo "Firewall IP: $(FWIP)"
+	@for i in $$(seq 1 $(MAX_RETRIES)); do \
+		if $(MAKE) ssh-machine COMMAND="sudo curl --connect-timeout 1 --fail --silent http://[$(FWIP)]:9100/metrics" > /dev/null 2>&1; then \
+			echo "Connected successfully"; \
+			exit 0; \
+		else \
+			echo "Connection failed"; \
+			if [ $$i -lt $(MAX_RETRIES) ]; then \
+				echo "Retrying in 2 seconds..."; \
+				sleep 2; \
+			else \
+				echo "Max retries reached"; \
+				exit 1; \
+			fi; \
+		fi; \
+	done
+
 ## DEV TARGETS ##
 
 .PHONY: dev-env
diff --git a/files/inet/frr.conf b/files/inet/frr.conf
@@ -6,7 +6,7 @@ ipv6 forwarding
 vrf vrfInternet
  vni 104009
  ip route 0.0.0.0/0 203.0.113.1
- ipv6 route ::/0 2001:db8:1::42
+ ipv6 route ::/0 2001:db8:1::1
 exit-vrf
 !
 interface eth1
@@ -19,6 +19,7 @@ interface eth2
 !
 interface ext
  ip address 203.0.113.2/24
+ ipv6 address 2001:db8:1::2/64
 !
 interface lo
  ip address 10.0.0.21/32
diff --git a/files/inet/network.sh b/files/inet/network.sh
@@ -26,6 +26,3 @@ bridge vlan del vid 1 untagged pvid dev vniInternet
 bridge vlan add vid 1000 dev vniInternet
 bridge vlan add vid 1000 untagged pvid dev vniInternet
 ip link set up dev vniInternet
-
-# Does not have a ipv6 address on eth0 on startup, fix this
-ip ad add 2001:db8:1::42/64 dev eth0
diff --git a/files/rules.yaml b/files/rules.yaml
@@ -6,6 +6,12 @@ egress:
     protocol: TCP
     to:
       - 0.0.0.0/0
+  - comment: allow outgoing http
+    ports:
+      - 80
+    protocol: TCP
+    to:
+      - ::/0
   - comment: allow outgoing https
     ports:
       - 443
diff --git a/inventories/group_vars/control-plane/metal.yml b/inventories/group_vars/control-plane/metal.yml
@@ -18,7 +18,8 @@ metal_api_images:
   name: Firewall 3 Ubuntu
   description: Firewall 3 Ubuntu Latest Release
   # url: https://images.metal-stack.io/metal-os/{{ metal_api_latest_os_image_release_name }}/firewall/3.0-ubuntu/img.tar.lz4
-  url: https://images.metal-stack.io/metal-os/pull_requests/247-ipv6-support/firewall/3.0-ubuntu/img.tar.lz4
+  url: https://images.metal-stack.io/metal-os/pull_requests/252-allow-ipv6-firewall-rules/firewall/3.0-ubuntu/img.tar.lz4
+  # url: https://images.metal-stack.io/metal-os/stable/firewall/3.0-ubuntu/img.tar.lz4
   features:
     - firewall
 - id: ubuntu-24.04
@@ -82,7 +83,7 @@ metal_api_networks:
   vrf: 104009
   prefixes:
   - 203.0.113.128/25
-  - 2001:db8:3::/48
+  - 2001:db8:1:1::/80
   labels:
     network.metal-stack.io/default: ""
     network.metal-stack.io/default-external: ""
diff --git a/mini-lab.sonic.yaml b/mini-lab.sonic.yaml
@@ -48,6 +48,9 @@ topology:
       exec:
         - ip addr add 203.0.113.3/24 dev ext
         - ip route add 203.0.113.128/25 via 203.0.113.2 dev ext
+        - ip -6 addr add 2001:db8:1::3/64 dev ext
+        - ip -6 route add 2001:db8:2::/64 via 2001:db8:1::2 dev ext
+        - ip -6 route add 2001:db8:1:1::/64 via  2001:db8:1::2 dev ext
   links:
     - endpoints: ["inet:ext", "mini_lab_ext:inet"]
       mtu: 9000
diff --git a/test/integration.sh b/test/integration.sh
@@ -45,6 +45,9 @@ echo "$phoned/$minPhoned machines have phoned home"
 echo "Test connectivity to outside"
 make connect-to-www
 
+echo "Test connectivity to outside ipv6"
+make connect-to-www-ipv6
+
 echo "Test connectivity from outside"
 ssh -o StrictHostKeyChecking=no -o "PubkeyAcceptedKeyTypes +ssh-rsa" -i files/ssh/id_rsa metal@203.0.113.130 -C exit
 

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ ipv6 forwarding`
`6`	`6`	`vrf vrfInternet`
`7`	`7`	`vni 104009`
`8`	`8`	`ip route 0.0.0.0/0 203.0.113.1`
`9`		`- ipv6 route ::/0 2001:db8:1::42`
	`9`	`+ ipv6 route ::/0 2001:db8:1::1`
`10`	`10`	`exit-vrf`
`11`	`11`	`!`
`12`	`12`	`interface eth1`
`@@ -19,6 +19,7 @@ interface eth2`
`19`	`19`	`!`
`20`	`20`	`interface ext`
`21`	`21`	`ip address 203.0.113.2/24`
	`22`	`+ ipv6 address 2001:db8:1::2/64`
`22`	`23`	`!`
`23`	`24`	`interface lo`
`24`	`25`	`ip address 10.0.0.21/32`