Best network option for publicly accessible IPv6 addresses in the containers and VMs

I have 3 bare metal or root servers from Hetzner, and all of them are in the same data center and rack. I am planning to set up an LXD cluster using an OVN network so that the containers/VMs are in the same logical network irrespective of the host on which they are placed.

Another requirement is to assign public IPv6 addresses to these containers/VMs, and I would like to access these instances directly without having to go through any NAT, proxy or forwarding setup.

Each server comes with its own public /64 IPv6 subnet, but these cannot be used as they are tied to a physical host. I found out that Hetzner allows you to have a public /64 IPv6 subnet that is assigned to a vSwitch, which can then be linked to all 3 servers I have.

The vSwitch will consume 1 IPv6 address from the /64 subnet as the gateway address. I can assign a VLAN interface on each host that is tied to the vSwitch with the public /64 IPv6 subnet.

My question is how do I go about automatically assigning these IPv6 addresses to the containers and VMs that are launched by LXD? I would like to avoid any manual setup or changing the network configuration after the containers/VMs are created.

I looked into the macvlan, ipvlan, bridge and OVN network types, but I am not sure which one of these I need to use to get the IPv6 addresses assigned to the instances. The instances need to use the VLAN interface on the host for any external communication.

Note that the public IPv6 subnet does not have any MAC address restrictions, but the vSwitch provided by Hetzner does not have a DHCPv6 service to auto-assign IPv6 addresses to the instances. I would need a network type that allows auto-allocation of IPv6 via DHCP, and that should work across all 3 nodes I have.

Any help would be greatly appreciated. I tried following the videos and tutorials on OVN LXD clustering but was not quite able to figure out the right solution.

I haven't tried OVN yet, but so far the bridge, ipvlan, macvlan, network forwards … they confuse more than they help!

Macvlan:

  1. The container can't communicate with the host and vice versa.

  2. You can have it as a network or directly as a device injected either by profile or container config.
     As a network, it is supposed to simplify things with some predefined values, but it is not really a relief.
     There are manuals out there playing around with injecting a fixed IP address, into the config and additionally into the container along with a fake route to the container iface via cloud-init … Real pain, real manual work.
     IPvlan is similar.

Network forwards: same game with a fixed static IP for the container, only available on managed bridges, and no SNAT available. They can only forward one TCP/UDP port or a range. No 1:1 SNAT forwarding.

In your case, make your own (unmanaged) bridge, let dnsmasq listen on your bridge GW and distribute IPv6 from your defined range.
Make sure your servers are in a private VLAN, so your dnsmasq is not offering IPv6 to the world.

For IPv4, 2 lines of iptables or a simple nftables rule might suffice and save you the hassle of choosing among a big variety, most with manual work and upsides/downsides.

Just realized the /64 per server.
Subnetting a /64 in order to assign to containers is not recommended, but with DHCPv6 it is possible. dnsmasq can deal with it.
Safer would be a /56 or even a /48, where you could assign a /64 to each container.
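The "unmanaged bridge + dnsmasq" layout from the reply above, as an added example that is not code from the thread or from any of its participants. Everything in it is an assumption for illustration: the vSwitch VLAN interface is named vlan4000 on every host and is enslaved to an unmanaged bridge br0; br0 on the one host that runs dnsmasq carries an address from the shared /64 (written here as the RFC 3849 documentation prefix 2001:db8:1::/64); instance IPv4 is a private 10.10.0.0/24 masqueraded out of that host's public NIC enp0s31f6. The script writes a dnsmasq fragment and an nftables fragment under a destination directory (default /etc; override with DEST) and has a separate, non-automatic LXD step that attaches instances to the bridge through the default profile. Because the vSwitch sends no router advertisements, dnsmasq sends them here (enable-ra), which makes the host running it the instances' default router, so that host needs net.ipv6.conf.all.forwarding=1.

```shell
#!/bin/sh
# Added example (not from the thread): dnsmasq DHCPv6/RA + nftables IPv4 NAT for
# LXD instances attached to an unmanaged bridge on the Hetzner vSwitch VLAN.
# All interface names, prefixes and pools below are placeholders.
set -e

PREFIX="${PREFIX:-2001:db8:1::}"   # assumed shared vSwitch /64, with trailing "::"
BRIDGE="${BRIDGE:-br0}"            # unmanaged bridge that vlan4000 is enslaved to
WAN_IF="${WAN_IF:-enp0s31f6}"      # assumed public IPv4 interface of this host
V4_NET="10.10.0.0/24"              # assumed private IPv4 range for instances
DEST="${DEST:-/etc}"               # where the fragments are written

# dnsmasq fragment: listen on the bridge only, never on the public NIC, so the
# pool is not offered to the world. IPv6 is a stateful DHCPv6 pool inside the
# /64 (::100-::1ff) plus router advertisements; IPv4 is a private pool with this
# host as gateway.
dnsmasq_conf() {
  cat <<EOF
interface=${BRIDGE}
bind-interfaces
except-interface=${WAN_IF}
dhcp-authoritative
# IPv6: DHCPv6 pool ::100-::1ff of the /64, 12h leases, RAs sent by this host
enable-ra
dhcp-range=${PREFIX}100,${PREFIX}1ff,64,12h
dhcp-option=option6:dns-server,[2001:4860:4860::8888]
# IPv4: private pool, this host (10.10.0.1 on ${BRIDGE}) is the gateway
dhcp-range=10.10.0.100,10.10.0.200,12h
dhcp-option=option:router,10.10.0.1
EOF
}

# nftables fragment: the "simple nftables rule" for IPv4, masquerading the
# instances' private range out of the host's public interface.
nft_rules() {
  cat <<EOF
table ip nat {
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    ip saddr ${V4_NET} oifname "${WAN_IF}" masquerade
  }
}
EOF
}

# Write both fragments. Paths are assumptions: dnsmasq.d is read by dnsmasq on
# Debian/Ubuntu; nftables.d must be included from nftables.conf.
write_config() {
  mkdir -p "${DEST}/dnsmasq.d" "${DEST}/nftables.d"
  dnsmasq_conf > "${DEST}/dnsmasq.d/${BRIDGE}.conf"
  nft_rules > "${DEST}/nftables.d/lxd-nat.nft"
  echo "wrote ${DEST}/dnsmasq.d/${BRIDGE}.conf and ${DEST}/nftables.d/lxd-nat.nft"
}

# LXD side: attach every instance to the unmanaged bridge via the default
# profile (profiles are cluster-wide, so run this once). Only runs on request.
lxd_attach() {
  lxc profile device add default eth0 nic nictype=bridged parent="${BRIDGE}" name=eth0
}

case "${1:-}" in
  write)  write_config ;;
  attach) lxd_attach ;;
esac
```

Run `sh bridge-net.sh write` on the host that will serve DHCPv6 (then `systemctl restart dnsmasq` and `nft -f /etc/nftables.d/lxd-nat.nft`), and `sh bridge-net.sh attach` once on any cluster member. Instances on the other two hosts reach dnsmasq over the vSwitch because their br0 is bridged onto the same VLAN, which is exactly why the VLAN has to be private to your servers.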

If there are no MAC restrictions then you should be able to use a macvlan or bridged NIC type (the latter requiring that you also set up an unmanaged bridge br0 onto the external interface for the NIC to connect to).

You don't need DHCPv6 support, but for auto-config you would need the upstream router to be sending router advertisements with the SLAAC indicator.

Does Hetzner do this?

Unfortunately, Hetzner does not do router advertisements for IPv6.

OK, as you're looking into using OVN and have a shared /64 subnet that can be used across all of the servers, you should be able to use a physical LXD network as the uplink for your OVN network.

But what is your plan for IPv4 first? How many IPv4 addresses do you have?
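The "physical LXD network as the OVN uplink" layout the last reply points at, as an added example that is not the replier's code. Its assumptions: a three-member cluster (node1, node2, node3) with OVN already installed and LXD pointed at it; vlan4000 is the vSwitch VLAN interface on every member; the shared vSwitch /64 is written as the documentation prefix 2001:db8:1::/64 with the Hetzner gateway at ::1; and a second, separately routed prefix 2001:db8:2::/64 is used for the instances. That last assumption is the caveat worth knowing before committing to OVN: an LXD OVN network does not bridge instances onto the uplink; its router takes one address from the uplink's ipv6.ovn.ranges and the instance subnet behind it is routed, so with ipv6.nat=false the upstream has to route that subnet to the router's uplink address, which the single vSwitch /64 on its own does not give you (the earlier reply's /56 or /48 would). The `physical` network is created per member first (parent is member-specific) and then finalized once cluster-wide; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): create the LXD cluster uplink from the
# Hetzner vSwitch VLAN interface and an OVN network on top of it. Node names,
# interface name, prefixes and ranges are placeholders.
set -e

NODES="${NODES:-node1 node2 node3}"
PARENT="${PARENT:-vlan4000}"                  # vSwitch VLAN iface on each member
UPLINK_GW="${UPLINK_GW:-2001:db8:1::1/64}"    # Hetzner gateway inside the shared /64
OVN_RANGE="${OVN_RANGE:-2001:db8:1::100-2001:db8:1::1ff}"  # uplink addrs for OVN routers
OVN_SUBNET="${OVN_SUBNET:-2001:db8:2::1/64}"  # assumed separately routed instance prefix
DNS="${DNS:-2001:4860:4860::8888}"
DRY_RUN="${DRY_RUN:-}"

# run: execute a command, or print it when DRY_RUN is set (plan mode).
run() {
  if [ -n "$DRY_RUN" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: the physical uplink. In a cluster, member-specific keys (parent) are
# given with --target for every member, then one final untargeted create sets
# the cluster-wide keys (gateway, ranges reserved for OVN routers, DNS).
create_uplink() {
  for n in $NODES; do
    run lxc network create UPLINK --type=physical parent="$PARENT" --target="$n"
  done
  run lxc network create UPLINK --type=physical \
    ipv6.gateway="$UPLINK_GW" \
    ipv6.ovn.ranges="$OVN_RANGE" \
    dns.nameservers="$DNS"
}

# Step 2: the OVN network. It is cluster-wide by construction; its router gets
# one address from OVN_RANGE on the uplink and routes OVN_SUBNET behind it with
# no NAT, so OVN_SUBNET must be routed upstream to that router address.
# Stateful DHCPv6 hands instances fixed addresses from OVN_SUBNET automatically.
create_ovn() {
  run lxc network create ovn0 --type=ovn network=UPLINK \
    ipv6.address="$OVN_SUBNET" \
    ipv6.nat=false \
    ipv6.dhcp.stateful=true
}

# Step 3: make new instances land on ovn0 by default.
attach_profile() {
  run lxc profile device add default eth0 nic network=ovn0 name=eth0
}

case "${1:-}" in
  plan)  DRY_RUN=1; create_uplink; create_ovn; attach_profile ;;
  apply) create_uplink; create_ovn; attach_profile ;;
esac
```

`sh ovn-net.sh plan` prints the five `lxc network create` commands and the profile change; `sh ovn-net.sh apply` runs them on any one cluster member. Instances launched afterwards get an address from 2001:db8:2::/64 via DHCPv6 from OVN with nothing to configure per instance, but they are only reachable from the internet if that prefix is actually routed to the OVN router's uplink address.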