[rhelv6-list] Red Hat 6.4, keepalived and ipv6

Matthias Saou matthias at saou.eu
Thu Jun 27 14:07:09 UTC 2013


On Thu, 27 Jun 2013 10:52:35 +0000
Martinsson Patrik <patrik.martinsson at smhi.se> wrote:

> Hi Matthias, 
> 
> Thanks for getting back to me regarding keepalived and ipv6, and
> sharing your configuration. 
> 
> >> If I were you, I'd start tcpdump'ing traffic to check what's going
> >> on with that port 21 check. Also, I don't think the check will be
> >> done with a source address set to the virtual_server-address, but
> >> with the main IPv6 address (at least by default, I think).
> Well, that's just the thing, I've already done that. And those dumps
> are showing me that the source address *is* set to the
> virtual-server-address, not the "main"-address. And from what I
> understand, there is a simple and logical explanation to this, which
> is basically that the source-address of the outgoing traffic is going
> to be the address of the "last added address", and that is the
> virtual-server-address brought up by keepalived. There is from what I
> understand rules about the source-address-selection on ipv6, you can
> read about it here
> http://www.davidc.net/networking/ipv6-source-address-selection-linux .
> And as you can see, if none of the criteria are fulfilled the
> source-address is going to be the last one added (which then again,
> is the virtual-server-address brought up by keepalived). 
> 
> So, the way I see it (and please correct me if I'm wrong), keepalived
> should set 'preferred_lft' to 0 (or at least provide an option to do
> it if you want) on all ipv6-virtual-addresses it brings up. This will
> mark the address as deprecated and thus it won't be used as a source
> address (you'll still be able to receive packets on that address of
> course). And, there is a patch for this posted at
> http://marc.info/?l=keepalived-devel&m=130200733315039 but for some
> reason it never got accepted. 
> 
> >> Why do you want the checks to be done with the virtual_server
> >> address as the source to begin with? I can only think of possible
> >> issues with that, with no real gain.
> That's exactly what I do *NOT* want. But that's currently what's
> happening if you use the configuration I posted (have you used
> tcp-dump to check what the source-address of the packets are on the
> http-check you are using, if you have not manually set the
> preferred_lft to 0 on the virtual-server-address, and that interface
> is the one brought up last, the source-address should be the
> virtual-server-address.)
> 
> So, what's happening in my case is that the check never returns,
> since the source-address of the check_tcp is the virtual-address
> brought up by keepalived (and that src-address is also on
> loopback-interface on the real-server). Here is a picture of how it is
> today, and how it's supposed to work (at least to my understanding),
> http://i.imgur.com/cIGr4wI.png

All this makes sense, and it's easy to understand why my setup works:
My checks are being made using the RFC4193 IPv6 address of the IPv6
network I use on my private LAN. My LVS real servers are referenced in
the configuration with these addresses and all my servers have
addresses on that network. The address which is managed by keepalived
and used for LVS is only on the LVS server's public interface and on
the real servers' loopback.

Check the configuration I posted again. The fdcd:24cd:315e:13::/64
network is really the one I use locally for IPv6, in addition to
192.168.13.0/24 for IPv4 on the same "private LAN" segment.

I did run into the same issues as you at some point, but didn't
remember them at first. It's mostly coming back to me now, and I think
it's exactly why I switched to using a "proper" local-only IPv6
addressing for LVS-DR.
That same behavior also affects puppet's facter, where the main IPv6
address reported for a server is the keepalived-managed one (the last
one added).

I hope this clears things up, and by using RFC4193 addresses, you should
be able to get something working!

Matthias

-- 
            Matthias Saou                  ██          ██
                                             ██      ██
Web: http://matthias.saou.eu/              ██████████████
Mail/XMPP:  matthias at saou.eu             ████  ██████  ████
                                       ██████████████████████
GPG: 4096R/E755CC63                    ██  ██████████████  ██
     8D91 7E2E F048 9C9C 46AF          ██  ██          ██  ██
     21A9 7A51 7B82 E755 CC63                ████  ████
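
The selection behaviour discussed in this thread, as an added example that is not part of the original messages and is not keepalived or kernel code: a reduced Python model that keeps only three of the selection rules (avoid deprecated, matching label, longest matching prefix) and breaks ties in favour of the address added last, as the thread describes. The `2001:db8:13::/64` addresses and the host parts are constructed; only the `fdcd:24cd:315e:13::/64` prefix comes from the post.

```python
import ipaddress
from dataclasses import dataclass

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local addresses

@dataclass
class Addr:
    ip: str                   # address with prefix length, as in `ip -6 addr`
    deprecated: bool = False  # True when preferred_lft is 0

def label(ip):
    # Reduced policy table (assumption): ULA has its own label, the rest share one.
    return 13 if ip in ULA else 1

def common_prefix_len(src, dst):
    # Leading bits shared with dst, capped at the source's prefix length.
    diff = int(src.ip) ^ int(dst)
    return min(128 - diff.bit_length(), src.network.prefixlen)

def select_source(candidates, dst):
    """Pick a source for dst; candidates are listed in the order they were added."""
    dst = ipaddress.IPv6Address(dst)
    best_key, best_ip = None, None
    for cand in candidates:
        src = ipaddress.IPv6Interface(cand.ip)
        key = (not cand.deprecated,            # avoid deprecated addresses
               label(src.ip) == label(dst),    # prefer matching label
               common_prefix_len(src, dst))    # prefer longest matching prefix
        if best_key is None or key >= best_key:  # tie: the later-added address wins
            best_key, best_ip = key, str(src.ip)
    return best_ip

# Constructed addresses for a director with a keepalived-managed virtual address.
MAIN = Addr("2001:db8:13::10/64")
VIP = Addr("2001:db8:13::100/64")               # added last by keepalived
VIP_DEPRECATED = Addr("2001:db8:13::100/64", deprecated=True)
LOCAL = Addr("fdcd:24cd:315e:13::10/64")        # RFC 4193 address on the private LAN

def scenarios():
    return {
        # Same /64, nothing deprecated: the health check leaves with the VIP as source.
        "default": select_source([MAIN, VIP], "2001:db8:13::21"),
        # preferred_lft 0 on the VIP: the main address is used instead.
        "vip_deprecated": select_source([MAIN, VIP_DEPRECATED], "2001:db8:13::21"),
        # Real servers referenced by RFC 4193 addresses: the local address is used.
        "ula_real_server": select_source([LOCAL, VIP], "fdcd:24cd:315e:13::21"),
    }

if __name__ == "__main__":
    for name, src in scenarios().items():
        print(f"{name}: source {src}")
```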



