Add Re6st on a SlapOS Node

Add Re6st on a SlapOS Node

How To Add Re6st IPv6 To A SlapOS Node

This document explains how to add Re6st IPv6 to a SlapOS node. It is mandatory as part of the installation and configuration of every node (COMP-0 and COMP-1,2,3) in a network managed by a SlapOS Master. For more details on why IPv6 is preferred in SlapOS please refer to the SlapOS architecture design document and system requirements.

For the following steps, a Re6st Registry master-url and access token are required. If you are using Grandenet you can follow how to request a Freefib token XXX where does the master url come from? XXX, for ViFiB directly, follow XXX how does this work? XXX or, in case you are using your own SlapOS Master you can follow the steps outlined in configuring a SlapOS node, which will eventually point to instantiating a Re6st Registry providing the parameters XXX add to connection parameters of registry? XXX .

Table of Content

  • IPv6 in SlapOS
  • Installing Re6st
  • Verify IPv6 Availability
 

IPv6 in SlapOS

SlapOS is configured to use IPv6 addresses by default although it is not a requirement (IPv4-only deployment is possible). However, IPv6 greatly simplifies the deployment of SlapOS for both public and private cloud applications. In case of the first, IPv6 helps interconnecting SlapOS Slave nodes hosted at home without having to setup tunnels of complex port redirections. In the latter case, IPv6 replaces existing corporate tunnels with a more resilient protocol and a wider, flat address space. IPv6 addressing can help allocating hundreds of IPv6 addresses on a single server. Each running service can thus be attached to a different IPv6 address without having to change its default port settings also simplifying accounting for network traffic per computer partition.

All this would be possible with IPv4 or through VPNs but it would be more complex and less resilient besides IPv4 address exhaution preventing allocation of so many public IPv4 adresses on a single computer.

Installing Re6st

Before installing Re6st, check network connectivity and whether IPv6 is already available:

debian@slapostest:~$ ping google.com

PING google.com (216.58.213.174) 56(84) bytes of data.
64 bytes from par21s04-in-f14.1e100.net (216.58.213.174): icmp_seq=1 ttl=53 time=6.08 ms
64 bytes from par21s04-in-f14.1e100.net (216.58.213.174): icmp_seq=2 ttl=53 time=5.96 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 5.961/6.023/6.085/0.062 ms
debian@slapostest:~$ ping6 ipv6.google.com

connect: Network is unreachable
debian@svenslapostest2:~$ ping6 2401:5180:0::1

connect: Network is unreachable

If the ping6 fails, there is no IPv6 on this server. In case IPv6 is enabled by default, XXX how do we override it? XXX .

To install Re6st, enter the following command:

root@slapostest:/home/debian# wget https://deploy.erp5.net/gnet/re6st && bash re6st

This will trigger the installation of re6st. At some point the ansible script will ask you to:

What is the Url of the Re6st registry [https://re6stnet.nexedi.com]:
Please insert your re6stnet token [notoken]:

Provide the master_url and the token and continue. The setup should finish without errors:

...
PLAY RECAP *********************************************************************
127.0.0.1                  : ok=24   changed=7   unreachable=0   failed=0

Verify the configuration files were created:

root@slapostest:/home/debian# ls /etc/re6stnet/
ca.crt     cert.cert     cert.key     re6stnet.conf     README

The last step only applies to installation of Re6st on the COMP-0 node. You need to modifiy the Re6stnet configuration file:

root@slapostest:/home/debian# nano /etc/re6stnet/re6stnet.conf
registry http://167.114.246.26:9201/
ca ca.crt
cert cert.crt
key cert.key
# increase re6stnet verbosity:
#verbose 3
# enable OpenVPN logging:
#ovpnlog
# increase OpenVPN verbosity:
#O--verb
#O3
O--socket-flags
O"TCP_NODELAY"

adding the following (using your master_url IPv4 adress):

# added on first node
ip 167.114.246.26
gateway

Don't forget to restart Re6st afterwards using service re6stnet restart.

Verify IPv6 Availablity

You can use the following commands to see whether IPv6 is working correctly (taken from Grandenet documentation):

root@slapostest:/home/debian# service re6stnet status

● re6stnet.service - (null)
   Loaded: loaded (/etc/init.d/re6stnet)
   Active: active (running) since Fri 2018-03-09 16:43:23 UTC; 6min ago
   Process: 26395 ExecStop=/etc/init.d/re6stnet stop (code=exited, status=0/SUCCESS)
   Process: 26423 ExecStart=/etc/init.d/re6stnet start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/re6stnet.service
           ├─26431 /opt/re6st/parts/python2.7/bin/python2.7 /usr/sbin/re6stnet @re6stnet.conf
           ├─26437 openvpn --dev-type tap --dev re6stnet-tcp --persist-tun --persist-key --script-security 2 --up /opt/re6st/eggs/re6stnet-0.485-py2.7.egg/re6st/ovpn-client --tls-server --mode server --clien...
           ├─26444 babeld -h 15 -H 15 -L /var/log/re6stnet/babeld.log -S /var/lib/re6stnet/babeld.state -I /var/run/re6stnet/babeld.pid -s -C ipv6-subtrees true -C default max-rtt-penalty 5000 rtt-max 500 rt...
           ├─26537 openvpn --dev-type tap --dev re6stnet1 --persist-tun --persist-key --script-security 2 --up /opt/re6st/eggs/re6stnet-0.485-py2.7.egg/re6st/ovpn-client --nobind --client --remote 163.172.45...
           └─26862 openvpn --dev-type tap --dev re6stnet2 --persist-tun --persist-key --script-security 2 --up /opt/re6st/eggs/re6stnet-0.485-py2.7.egg/re6st/ovpn-client --nobind --client --remote 52.36.124....

  Mar 09 16:43:23 svenslapostest2 systemd[1]: Started (null).
root@slapostest:/home/debian# ifconfig
# or use: ifconfig re6stnet-tcp

re6stnet-tcp Link encap:Ethernet  HWaddr 3a:e3:64:d1:eb:d5
                  inet6 addr: fe80::38e3:64ff:fed1:ebd5/64 Scope:Link
                  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:100
                  RX bytes:0 (0.0 B)  TX bytes:12507 (12.2 KiB)
root@slapostest:/home/debian# ip -6 a l dev lo

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    inet6 2401:5180:0:42::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever

To finish, retry the initial ping6 commands:

debian@slapostest:~$ ping6 2401:5180:0::1

PING 2401:5180:0::1(2401:5180::1) 56 data bytes
64 bytes from 2401:5180::1: icmp_seq=1 ttl=62 time=293 ms
64 bytes from 2401:5180::1: icmp_seq=2 ttl=62 time=295 ms
64 bytes from 2401:5180::1: icmp_seq=3 ttl=62 time=293 ms

We can now communicate over IPv6 over the gateway created.

debian@slapostest:~$ ping6 ipv6.google.com

connect: Network is unreachable

But the "outside" internet is still not reachable.

It is not really necessary or recommended to tunnel all web traffic through Re6st, but it is possible by changing the re6stnet configuration file and restarting Re6st. Add default to the res6stnet.config:

root@slapostest:/home/debian# nano /etc/re6stnet/re6stnet.conf

registry http://167.114.246.26:9201/
ca ca.crt
cert cert.crt
key cert.key
# increase re6stnet verbosity:
#verbose 3
# enable OpenVPN logging:
#ovpnlog
# increase OpenVPN verbosity:
#O--verb
#O3
O--socket-flags
O"TCP_NODELAY"
default
(...)

Restart Re6st (you can also use the following command):

root@slapostest:/home/debian# /etc/init.d/re6stnet restart

[ ok ] Restarting re6stnet (via systemctl): re6stnet.service.

Then check for entries outside of your network.

root@slapostest:/home/debian# ip -6 r
2401:5180::/64 via fe80::5c74:f1ff:fed6:80b4 dev re6stnet6  proto 42  src 2401:5180:0:42::1  metric 1024 
2401:5180:0:8::/64 via fe80::5c74:f1ff:fed6:80b4 dev re6stnet6  proto 42  src 2401:5180:0:42::1  metric 1024 
...
2401:5180:0:3e::/64 via fe80::5c74:f1ff:fed6:80b4 dev re6stnet6  proto 42  src 2401:5180:0:42::1  metric 1024 
unreachable 2401:5180:0:40::/64 dev lo  proto 42  metric 4294967295  error -101
unreachable 2401:5180:0:42::/64 dev lo  proto kernel  metric 256  error -101
...
2401:5180:0:7c::/64 via fe80::5c74:f1ff:fed6:80b4 dev re6stnet6  proto 42  src 2401:5180:0:42::1  metric 1024 
unreachable 2401:5180::/32 dev lo  metric 1024  error -101
fe80::/64 dev eth0  proto kernel  metric 256 
fe80::/64 dev re6stnet-tcp  proto kernel  metric 256 
fe80::/64 dev re6stnet4  proto kernel  metric 256 
fe80::/64 dev re6stnet8  proto kernel  metric 256 
fe80::/64 dev re6stnet6  proto kernel  metric 256

Then try ping6 again.

debian@slapostest:~$  ping6 ipv6.google.com

PING ipv6.google.com(par21s04-in-x0e.1e100.net) 56 data bytes
64 bytes from par21s04-in-x0e.1e100.net: icmp_seq=1 ttl=55 time=35.5 ms
64 bytes from par21s04-in-x0e.1e100.net: icmp_seq=3 ttl=55 time=35.1 ms
64 bytes from par21s04-in-x0e.1e100.net: icmp_seq=4 ttl=55 time=35.6 ms

Thank You

Image Nexedi Office
  • Nexedi GmbH
  • 147 Rue du Ballon
  • 59110 La Madeleine
  • France