Hi,
On 05/06/2015 02:53 PM, Dan Kenigsberg wrote:
On Wed, May 06, 2015 at 01:28:30PM +0200, Rik Theys wrote:
> Hi,
>
> I'm looking for a way to selectively disable IPv6 on the bridge interfaces
> on the oVirt hosts.
>
> When oVirt creates the bridges for all logical networks on the host, it
> keeps the default settings for IPv6 which means all bridges get a link-local
> address and accept router advertisements.
>
> When a VM is created on the logical network, it can now reach the host over
> IPv6 (but not over IPv4 if no IP address has been assigned on the host). If
> it sends out a router advertisement it can even create a global IPv6 address
> (haven't tested this).
>
> How can I prevent this?
>
> I would like to prevent the guest from IPv6 access to the host but the guest
> itself still needs IPv6 access (global IPv6 addresses).
>
> Is it sufficient to create a sysctl config file that says:
>
> net.ipv6.conf.default.disable_ipv6 = 1
Yes, I believe that this would do the trick. For any newly-created
device on the system, regardless of ovirt bridges.
I've tried that and it seems to work. But IPv6 seems partially broken
anyway even without applying this trick :-(.
When two VM's run on the same host and the host has ipv6 enabled (but no
global addresses assigned), they can not reach each other when they are
in the same network (and have statically configured IPv6 addresses).
They can ping hosts in the same network that are on other physical boxes.
When you migrate one of the hosts to another physical machine they can
ping each other. But not when they're running on the same host.
We have the same issue with hosts running on our CentOS 6 hosts with
libvirt (no ovirt involved), so this isn't ovirt specific.
The neighbor solicitations are visible on the vnet0 (tcpdump running on
the host) interface of the VM running the ping, and on the ovirtmgmt
bridge. But not on the vnet1 (tcpdump running on the host) of the target VM.
I now see that el7 has changed the default for IPV6INIT to
"yes". We
should be more prudent and set IPV6INIT=no on all our devices.
Would you open a bug about this, so it is tracked?
OK, will do.
Regards,
Rik
--
Rik Theys
System Engineer
KU Leuven - Dept. Elektrotechniek (ESAT)
Kasteelpark Arenberg 10 bus 2440 - B-3001 Leuven-Heverlee
+32(0)16/32.11.07
----------------------------------------------------------------
<<Any errors in spelling, tact or fact are transmission errors>>