While debugging a different problem (which I'll report in an issue in the GitHub repo), I found something which appears to be the underlying cause. I rebooted a machine which has five nspawn containers, all configured identically for networking (except for addresses, of course). Immediately after the boot, 'machinectl list' shows all five containers running, and all five are accessible over IPv4. However, only two are accessible over IPv6, and: --- root@net20:~# ip neigh show proxy 2607:5300:203:5215::1 dev ve-mail20 proxy 2607:5300:203:5215::1 dev ve-diw20 proxy --- Only two are listed with proxy addresses for the host on their veth devices; these are the two that are accessible. --- root@net20:~# machinectl stop ns3 root@net20:~# machinectl start ns3 root@net20:~# ip neigh show proxy 2607:5300:203:5215::1 dev ve-ns3 proxy 2607:5300:203:5215::1 dev ve-mail20 proxy 2607:5300:203:5215::1 dev ve-diw20 proxy --- After a stop/start of the 'ns3' container, it now has the necessary proxy address on its veth device, and it is accessible over IPv6. --- root@net20:~# machinectl stop matrix20 root@net20:~# machinectl start matrix20 root@net20:~# ip neigh show proxy 2607:5300:203:5215::1 dev ve-matrix20 proxy 2607:5300:203:5215::1 dev ve-ns3 proxy 2607:5300:203:5215::1 dev ve-mail20 proxy 2607:5300:203:5215::1 dev ve-diw20 proxy root@net20:~# machinectl stop ldl20 root@net20:~# machinectl start ldl20 root@net20:~# ip neigh show proxy 2607:5300:203:5215::1 dev ve-ldl20 proxy 2607:5300:203:5215::1 dev ve-matrix20 proxy 2607:5300:203:5215::1 dev ve-ns3 proxy 2607:5300:203:5215::1 dev ve-mail20 proxy 2607:5300:203:5215::1 dev ve-diw20 proxy --- Same results for stop/start of the remaining two containers; they get the necessary proxy address, and become reachable. I've got DEBUG logging enabled for systemd-networkd but there is no evidence of any problem related to proxy address addition (https://gist.github.com/kpfleming/4b6c721edaf9d2ff4a24dadbb002fb0c). I think the next step is going to be building systemd from source to verify that the Debian 247.2 packages aren't at fault, and then adding more debugging output in the necessary places. On Sun, Jan 24, 2021 at 10:14 AM Kevin P. Fleming <kevin@xxxxxxx> wrote: > > I've got three systems which host nspawn-based containers, using > networkd for network configuration on both the host and inside the > containers. All of the systems are running Debian systemd packages > (some version 241 (buster) and some 247.2 (bullseye)). The behavior > has been seen with kernels 5.4, 5.9, and 5.10 (both Debian kernel > packages and a hand-built vanilla kernel package). There are no > firewalls in use. > > An example configuration: > > host - /etc/systemd/nspawn/mqtt20.nspawn > ---- > [Files] > PrivateUsersChown=yes > [Network] > VirtualEthernetExtra=mqtt20:srv > > host - /etc/systemd/network/mqtt20.network > --- > [Match] > Name=mqtt20 > > [Network] > Address=192.168.254.108/32 > Address=fd80:ae6b:5f43:254::108/128 > > [Route] > Destination=192.168.64.108 > Scope=link > > [Route] > Destination=2001:470:8afe:64::108 > > [Route] > Destination=fd80:ae6b:5f43:64::108 > > container - /etc/systemd/network/primary.network > --- > [Match] > Name=srv > > [Network] > Address=192.168.64.108/32 > Address=2001:470:8afe:64::108/128 > Address=fd80:ae6b:5f43:64::108/128 > DNS=fd80:ae6b:5f43:1::8 > > [Route] > Destination=192.168.254.108/32 > Scope=link > > [Route] > Gateway=192.168.254.108 > Destination=0.0.0.0/0 > > [Route] > Destination=fd80:ae6b:5f43:254::108/128 > > [Route] > Gateway=fd80:ae6b:5f43:254::108 > Destination=::/0 > > --- > > Layer 3 networking is used, on virtual Ethernet devices. > > Sometimes, after a system startup, some of the containers are not > reachable over IPv6. When this happens, their IPv4 connectivity is > fine. Running 'machinectl stop <c>' followed by 'machinectl start <c>' > always cures the problem. > > When a container is in this state, 'ip link ls' and 'ip addr ls' on > the host and in the container don't display anything out of the > ordinary (the details match those of another container on the same > host which works properly). > > I've run tcpdump on the veth device for a broken container and then > sent ICMPv6 pings from another system on the network; what I see is > that the host sends IPv6 Neighbor Solicitation requests on the veth > device to discover the container's layer 2 address, but no replies are > sent. Running tcpdump inside the container shows the same thing; NS is > received, but no reply is sent. > > It's as if the IPv6 stack in the container's network namespace is > just... not listening at all. > > Can anyone suggest ways to troubleshoot this beyond the simple things > I've listed above? _______________________________________________ systemd-devel mailing list systemd-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: nspawn+networkd sometimes fail to configure IPv6 properly
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: nspawn+networkd sometimes fail to configure IPv6 properly
- From: "Kevin P. Fleming" <kevin@xxxxxxx>
- Date: Tue, 26 Jan 2021 06:53:58 -0500
- In-reply-to: <CAE+UdorjBjYmhFV=M3VhC6KUmHML2mq-1mPNfzN6dMvy12__Zw@mail.gmail.com>
- References: <CAE+UdorjBjYmhFV=M3VhC6KUmHML2mq-1mPNfzN6dMvy12__Zw@mail.gmail.com>
- References:
- nspawn+networkd sometimes fail to configure IPv6 properly
- From: Kevin P. Fleming
- nspawn+networkd sometimes fail to configure IPv6 properly
- Prev by Date: Re: What exactly is multi-seat? -- questions about logind
- Next by Date: Re: What exactly is multi-seat? -- questions about logind
- Previous by thread: nspawn+networkd sometimes fail to configure IPv6 properly
- Next by thread: automount behavior with multiple IPS
- Index(es):
 |