大家好,快乐的人 o/~
昨天我大胆地重启了一台远程 Linux 服务器。Ubuntu 64、12.04 安装从内核 3.11.0-19-generic 升级到 3.13.0-32-generic,并且从能够同时通过 IPv4 和 IPv6 进行通信变为只能接收和发送 IPv4 流量。
### Hetzner's default network, modified to fit a bridge
# Loopback device:
auto lo
iface lo inet loopback
# device: eth0
auto virbr1
iface virbr1 inet static
address 5.9.87.134
broadcast 5.9.87.159
netmask 255.255.255.224
gateway 5.9.87.129
bridge_ports eth0
bridge_stp on
bridge_maxwait 0
# Set-up IPv6 and Hetzner routes
# guarantee idempotency:
pre-up ip addr del 2a01:4f8:162:11c5::2/64 dev virbr1 || true
up ip addr add 2a01:4f8:162:11c5::2/64 dev virbr1
# default route to access subnet
# idempotency here is easier, because we have 'replace'
up ip route replace to 5.9.87.128/255.255.255.224 via 5.9.87.129 dev virbr1
# add Hetzner IPv6 route
up ip route replace default via fe80::1 dev virbr1
结果如下:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr1 state UP qlen 1000
link/ether c8:60:00:df:06:35 brd ff:ff:ff:ff:ff:ff
inet6 fe80::ca60:ff:fedf:635/64 scope link
valid_lft forever preferred_lft forever
3: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether c8:60:00:df:06:35 brd ff:ff:ff:ff:ff:ff
inet 5.9.87.134/27 brd 5.9.87.159 scope global virbr1
valid_lft forever preferred_lft forever
inet6 2a01:4f8:162:11c5::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::ca60:ff:fedf:635/64 scope link
valid_lft forever preferred_lft forever
4: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 52:54:00:65:05:b0 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
inet6 2a01:4f8:162:11c5::10:1/112 scope global
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe65:5b0/64 scope link
valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc noop master virbr0 state DOWN qlen 500
link/ether 52:54:00:65:05:b0 brd ff:ff:ff:ff:ff:ff
6: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr0 state UNKNOWN qlen 500
link/ether fe:54:00:dc:99:21 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fedc:9921/64 scope link
valid_lft forever preferred_lft forever
路由:
igalic@steak ~ % ip r
default via 5.9.87.129 dev virbr1 metric 100
5.9.87.128/27 via 5.9.87.129 dev virbr1
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
igalic@steak ~ % ip -6 r
2a01:4f8:162:11c5::10:0/112 dev virbr0 proto kernel metric 256
2a01:4f8:162:11c5::/64 dev virbr1 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev vnet0 proto kernel metric 256
fe80::/64 dev vnet1 proto kernel metric 256
fe80::/64 dev vnet2 proto kernel metric 256
fe80::/64 dev vnet3 proto kernel metric 256
fe80::/64 dev vnet4 proto kernel metric 256
fe80::/64 dev vnet5 proto kernel metric 256
fe80::/64 dev vnet6 proto kernel metric 256
fe80::/64 dev vnet7 proto kernel metric 256
fe80::/64 dev vnet8 proto kernel metric 256
fe80::/64 dev virbr0 proto kernel metric 256
fe80::/64 dev vnet9 proto kernel metric 256
fe80::/64 dev vnet10 proto kernel metric 256
fe80::/64 dev virbr1 proto kernel metric 256
default via fe80::1 dev virbr1 metric 1024
igalic@steak ~ %
为简洁起见,这里省略了,因为服务器有很多虚拟机。它可以通过 IPv4 和 IPv6 与这些虚拟机顺利通信。它可以通过 IPv4 与世界顺利通信——它的虚拟机也是如此。
让我们在这里停下来,考虑一下##networking 和这里的评论中经常被问到的问题:
为什么你的设计所以诡异的?
我virbr1
使用外部的IPv4 地址的网桥。根据 Hetzner 的网络设计或其建议,我必须将主 IPv6 地址绑定到它上面。
看,http://wiki.hetzner.de/index.php/Zusaetzliche_IP-Adressen#IPv6_Subnetz(注:关于如何拆分 /64 的建议在同一文档的英文版中并不存在:http://wiki.hetzner.de/index.php/Zusaetzliche_IP-Adressen/en)
但我仅将 IPv6 地址用于内部的通信,也就是说,我仅使用它来连接不需要与外界联系的服务器之间的服务:puppet、数据库等……我不能在这里使用 ULA 地址,原因与我不能坚持使用 IPv4 相同:需要互相通信的服务器不在同一个 DC 中,私有 IPv4 或 ULA 将毫无用处。
我也需要这些内部链路上的 IPv4:我使用它们进行配置。Hetzner 不允许不受其控制的 PXE,因此我必须在设置服务器上运行每服务器。(您是否尝试过通过 VPN 进行预安装?通过 IPv6 进行 PXE 启动?这就是原因)
短暂休息后,让我们回到……
IPv6:毫无作用
主机无法通过 IPv6 与外界通信。外界无法通过 IPv6 与主机通信。主机可以通过 IPv6 连接到自己的虚拟机。虚拟机可以通过 IPv6 连接到主机。但虚拟机无法相互连接。
igalic@steak ~ % ping6 google.com -c5
PING google.com(fra07s30-in-x08.1e100.net) 56 data bytes
From steak icmp_seq=1 Destination unreachable: Address unreachable
From steak icmp_seq=2 Destination unreachable: Address unreachable
From steak icmp_seq=3 Destination unreachable: Address unreachable
From steak icmp_seq=4 Destination unreachable: Address unreachable
From steak icmp_seq=5 Destination unreachable: Address unreachable
--- google.com ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4024ms
1 igalic@steak ~ %
我有第二台服务器,其设置完全相同,可以正常工作。以下是从培根(可以工作)到牛排(不可以工作)的 ping 操作:
igalic@bacon ~ % ping6 a01:4f:16:c5::2 -c5
PING 2a01:4f8:162:11c5::2(a01:4f:16:c5::2) 56 data bytes
--- a01:4f:16:c5::2 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4032ms
1 igalic@bacon ~ %
当我这样做时,tcpdump 会显示发生的情况:
igalic@steak ~ % sudo tcpdump -vi any icmp6
[sudo] password for igalic:
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
10:17:31.712316 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 1
10:17:31.712316 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 1
10:17:31.712429 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) steak > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
source link-address option (1), length 8 (1): c8:60:00:df:06:35
10:17:32.709170 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) steak > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
source link-address option (1), length 8 (1): c8:60:00:df:06:35
10:17:32.718647 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 2
10:17:32.718647 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 2
10:17:33.709162 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) steak > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
source link-address option (1), length 8 (1): c8:60:00:df:06:35
10:17:33.729483 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 3
10:17:33.729483 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 3
10:17:34.709180 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 112) steak > steak: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2a01:4f8:150:5024::2
10:17:34.709214 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 112) steak > steak: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2a01:4f8:150:5024::2
10:17:34.709239 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 112) steak > steak: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2a01:4f8:150:5024::2
10:17:34.735945 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 4
10:17:34.735945 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 4
10:17:34.736042 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) steak > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
source link-address option (1), length 8 (1): c8:60:00:df:06:35
10:17:35.733165 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) steak > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
source link-address option (1), length 8 (1): c8:60:00:df:06:35
10:17:35.745519 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 5
10:17:35.745519 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 64) 2a01:4f8:150:5024::2 > steak: [icmp6 sum ok] ICMP6, echo request, seq 5
10:17:36.733160 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) steak > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
source link-address option (1), length 8 (1): c8:60:00:df:06:35
10:17:37.733188 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 112) steak > steak: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2a01:4f8:150:5024::2
10:17:37.733215 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 112) steak > steak: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2a01:4f8:150:5024::2
^C
21 packets captured
26 packets received by filter
0 packets dropped by kernel
igalic@steak ~ %
禁用 iptables不对行为的影响。
这些都是我认为有用的信息。我现在有点不知所措,不知道如何进行调试。