Well, I’ve had my share of troubles with Hetzner, Debian, KVM and IPv6 addresses. After figuring out how to get around the IPv6 neighbor stuff (npd6 for teh win!), I battled with the problem that after restarting (rebooting/resetting - doesn’t really matter) a domain its IPv6 address would no longer work.

Well, today I decided to take a closer look. After the reboot, the guest comes up with this:

pinguinfuss:(thanatos.heimdaheim.de/webs) PWD:~
Mon Sep 09, 19:01:27 [0] > ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:96:ed:35 brd ff:ff:ff:ff:ff:ff
    inet 78.46.37.114 peer 78.46.37.118/32 brd 78.46.37.114 scope global eth0
    inet6 2a01:4f8:110:3148::5/64 scope global tentative dadfailed
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe96:ed35/64 scope link
       valid_lft forever preferred_lft forever

A quick peek into ip -6 neigh show reveals this:

pinguinfuss:(kvm.heimdaheim.de/KVM) PWD:~
Mon Sep 09, 19:02:27 [0] > sudo ip -6 neigh show
2a01:4f8:110:3148::5 dev eth0  FAILED

At this point I had no idea where to look (I haven’t used IPv6 much), so thanks to a friend I ended up googling whatever dadfailed meant … as it turns out dadfailed indicates that a duplicate address had been detected. A short peek into kern.log/dmesg fuelled that idea:

pinguinfuss:(thanatos.heimdaheim.de/webs) PWD:/var/log
Mon Sep 09, 19:33:46 [0] > sudo grep eth kern.log
Sep  9 19:03:25 thanatos kernel: [    9.150549] eth0: IPv6 duplicate address 2a01:4f8:110:3148::5 detected!

So, I went on googling IPv6, KVM and duplicate address, and guess what .. I don’t seem to be the only one that has this issue … I haven’t found the root cause of this, but I have a quick fix … I usually don’t assign duplicate IPv6 addresses to multiple domains (each domain has its own block of IPv6 addresses), so I ended up writing a short Puppet class that’ll disable the Duplicate Address Detection for all my KVM guests!

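# Disable IPv6 Duplicate Address Detection on eth0 of a KVM guest.
# Underscores, not hyphens: Puppet class names may not contain '-'.
class kvm_ipv6_domain {
        file { 'kvm-ipv6.conf':
                path    =>      '/etc/sysctl.d/kvm-ipv6.conf',
                ensure  =>      'present',
                mode    =>      '0644',
                # Read by sysctl at boot; end the line with a newline.
                content =>      "net.ipv6.conf.eth0.accept_dad=0\n",
        }
}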
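
With accept_dad=0 the kernel no longer flags a duplicate, so it helps to record which addresses were marked dadfailed before rolling the class out. The following is an added example, not part of the original post: it parses `ip addr show` style output and prints every interface/address pair carrying the dadfailed flag. The function names and the sample output (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list IPv6 addresses that failed Duplicate Address Detection.
# Reads `ip addr show` style output on stdin and prints "<iface> <address/prefix>".
dadfailed_addrs() {
    awk '
        # Interface header, e.g. "2: eth0: <BROADCAST,...> mtu 1500 ..."
        /^[0-9]+: / {
            iface = $2
            sub(/:$/, "", iface)    # drop the trailing colon
            sub(/@.*/, "", iface)   # drop a peer suffix such as "@if5"
            next
        }
        # Address line: flags follow the address, look for dadfailed among them
        $1 == "inet6" {
            for (i = 3; i <= NF; i++)
                if ($i == "dadfailed") { print iface, $2; break }
        }
    '
}

# Succeeds (exit 0) when at least one address on stdin is marked dadfailed,
# so it can be used as a condition in a monitoring check.
has_dadfailed() {
    [ -n "$(dadfailed_addrs)" ]
}

# Constructed sample, shaped like the guest output shown above.
sample_ip_output() {
    cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet6 2001:db8:1::5/64 scope global tentative dadfailed
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe00:1/64 scope link
       valid_lft forever preferred_lft forever
EOF
}

sample_ip_output | dadfailed_addrs
```

On a live guest, feed it real output with `ip -6 addr show | dadfailed_addrs`.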