
yahoo-eng-team team mailing list archive

[Bug 1460177] Re: [RFE] Support metadata service with IPv6-only tenant network

Reviewed:  https://review.opendev.org/718729
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a818c41c25c33a3491254c74f33b7d273fb16f1b
Submitter: Zuul
Branch:    master

commit a818c41c25c33a3491254c74f33b7d273fb16f1b
Author: Bence Romsics <bence.romsics@xxxxxxxxx>
Date:   Thu Apr 9 16:49:00 2020 +0200

    metadata-ipv6: Accept link local address in X-Forwarded-For
    
    In the spec we said:
    """
    When the metadata proxy processes a request, it gathers the L2 addresses
    of a VM, and the source interface, and passes it to the metadata service.
    
    The Metadata service, instead of using the VM IP, uses the "VM MAC" and
    "Gateway MAC" to identify the instance.
    """
    
    But since we switched from the home-grown metadata-ns-proxy to haproxy
    we no longer control some of the headers included, like X-Forwarded-For.
    haproxy allows us to turn X-Forwarded-For on or off, but it cannot
    give us an X-Forwarded-For-MAC header.
    
    Instead it seems we have to rely on the source address being the IPv6
    link local address generated from the NIC's MAC address as specified
    in RFC 4291:
    https://tools.ietf.org/html/rfc4291#section-2.5.6
    https://tools.ietf.org/html/rfc4291#appendix-A
    
    Note that this means you cannot use IPv6 Privacy Extensions:
    https://tools.ietf.org/html/rfc4941
    
    Change-Id: Ife592fcfc69e26f61ec1f45c06821cb025cc7cf2
    Closes-Bug: #1460177
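The address derivation the commit message relies on, as an added example that is not part of the bug thread or of Neutron's code: given a NIC MAC, build the RFC 4291 (Appendix A) modified EUI-64 link-local address a SLAAC host configures for itself, and given the source address haproxy places in X-Forwarded-For, recover the MAC, returning None whenever the interface identifier is not EUI-64 derived (an RFC 4941 temporary address, a random or stable-privacy IID, a non-link-local address, or garbage). The MAC values, header values and function names are constructed for the example.

```python
import ipaddress
from typing import Optional

# fe80::/64 as the first eight packed bytes; RFC 4291 2.5.6 fixes the 54 bits
# after the fe80::/10 prefix to zero, so any SLAAC link-local starts this way.
LINK_LOCAL_PREFIX = b"\xfe\x80" + bytes(6)


def _mac_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into six octets."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return octets


def mac_to_link_local(mac: str) -> str:
    """Return the fe80::/64 address a NIC auto-configures from its MAC.

    The 64-bit interface ID is the modified EUI-64 of RFC 4291 Appendix A:
    the MAC split in two, 0xFFFE inserted in the middle, and the
    universal/local bit (0x02 of the first octet) inverted.  The inversion is
    applied to locally administered MACs too (OpenStack's default base MAC
    fa:16:3e:... is locally administered), so fa:16:3e:... becomes f8:16:3e:...
    """
    m = _mac_bytes(mac)
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return str(ipaddress.IPv6Address(LINK_LOCAL_PREFIX + iid))


def link_local_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 link-local address, else None.

    None means the value is not a valid address, is not in fe80::/64, or its
    interface ID lacks the 0xFFFE marker in octets 3-4, which is what an
    RFC 4941 temporary address or any other non-EUI-64 IID looks like.
    """
    try:
        ip = ipaddress.IPv6Address(addr.split("%", 1)[0])  # drop any zone id
    except ValueError:
        return None
    packed = ip.packed
    if packed[:8] != LINK_LOCAL_PREFIX:
        return None
    iid = packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # not EUI-64 derived; no MAC can be read back from it
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in m)


def instance_mac_from_xff(xff: str) -> Optional[str]:
    """Map the client entry of an X-Forwarded-For header value to a MAC.

    The proxy is the first hop in front of the instance, so the first
    comma-separated entry is the instance's own source address.
    """
    first = xff.split(",", 1)[0].strip()
    return link_local_to_mac(first)


if __name__ == "__main__":
    for mac in ("fa:16:3e:12:34:56", "00:11:22:33:44:55"):  # constructed MACs
        ll = mac_to_link_local(mac)
        print(f"{mac} -> {ll} -> {link_local_to_mac(ll)}")
    # A privacy-extension style IID: no 0xFFFE marker, so no MAC comes back.
    print(instance_mac_from_xff("fe80::1a2b:3c4d:5e6f:7081"))
```

Two caveats worth keeping in mind when using the header this way: the mapping only holds if the instance really sends from its EUI-64 link-local address, which is exactly the constraint the commit message states (no RFC 4941 temporary addresses), and a random IID can contain 0xFFFE at octets 3-4 by chance (one in 65536), so the recovered MAC is an identifier to look up against the port database, not proof of who sent the request.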


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1460177

Title:
  [RFE] Support metadata service with IPv6-only tenant network

Status in neutron:
  Fix Released

Bug description:
  EC2 metadata service is supported by nova metadata service that is
  running in the management network. Cloud-init running in the instance
  normally accesses the service at 169.254.169.254. Cloud-init can be
  configured with metadata_urls other than the default
  http://169.254.169.254 to access the service. But such configuration
  is not currently supported by openstack.  In order for the instance to
  access the nova metadata service, neutron provides proxy service that
  terminates http://169.254.169.254 and forwards the request to the nova
  metadata service, and responds back to the instance. Apparently, this
  works only when IPv4 is available in the tenant network. For an
  IPv6-only tenant network, to continue the support of this service, the
  instance has to access it at an IPv6 address. This requires
  enhancement in Neutron to support it.

  A few options have been discussed so far:
     -- define a well-known ipv6 link-local address to access the metadata service.
     -- enhance IPv6 RA to advertise the metadata service endpoint to instances. This would require standards work and enhance cloud-init to support it.
     -- define a well-known name for the metadata service and configure metadata_urls to use the name.  The name will be resolved to a datacenter specific IP address. The corresponding DNS record should be pre-provisioned in the datacenter DNS server for the instance to resolve the name.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1460177/+subscriptions
