1220997 – resource-agents:azure-lb IPv6 support

Bug 1220997 - resource-agents:azure-lb IPv6 support

Summary: resource-agents:azure-lb IPv6 support

Status:	RESOLVED FIXED

Alias:	None

Product:	PUBLIC SUSE Linux Enterprise High Availability 15 SP3
Classification:	SUSE Linux Enterprise High Availability Extension
Component:	Other (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P2 - High Severity: Normal
Target Milestone:	unspecified
Assignee:	Peter Varkoly
QA Contact:	SUSE Linux Enterprise High Availability Team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-03-05 23:26 UTC by Robert Biro
Modified:	2024-04-17 16:30 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Biro 2024-03-05 23:26:38 UTC

To support IPv6 with Azure load balancer, the load balancer health probe polls the VM/OS an open port. Within pacemaker this is performed by azure-lb resource agent in resource-agents.

Today, the socat syntax used is https://github.com/ClusterLabs/resource-agents/blob/b63f44b8aa0018e0dade05770f0445d7ec62978a/heartbeat/azure-lb#L117
		cmd="$OCF_RESKEY_nc -U TCP-LISTEN:$OCF_RESKEY_port,backlog=10,fork,reuseaddr /dev/null"

TCP-LISTEN is used, without specifying -4/-6 the IP protocol version. Thus the behaviour with current syntax is to answer on IPv4 traffic only. 
Asking for support for IPv6, ideally through a configurable parameter of the resource agent to allow IPv4/IPv6 only (-4/-6 with TCP-LISTEN) or dual stack (TCP6-LISTEN without -4/-6). Such change is necessary to allow IPv6 flows through the Azure load balancer for pacemaker environments.

Comment 1 Peter Varkoly 2024-03-14 12:39:21 UTC

I think it is better to make socat to listen both ipv4 and ipv6. This is then the nc behavior. You can configure socat to listen on both IPv4 and IPv6 by, counter-intuitively, always use the "TCP6-LISTENER". This causes socat to listen in a dual-stack manner. This is because by default Linux (and I suspect the BSDs) also accept IPv4 when the socket has been bound for ::.

We have only change TCP-LISTEN into TCP6-LISTEN:
cmd="$OCF_RESKEY_nc -U TCP6-LISTEN:$OCF_RESKEY_port,backlog=10,fork,reuseaddr /dev/null"

Do you agree with this solution?

Comment 2 Robert Biro 2024-03-14 12:56:10 UTC

Indeed with TCP6-LISTEN, socat behaves like you noted - both v4 and v6 protocols. Within Azure we have currently no IPv6-only network environment possible so I cannot confirm if such dual-stack socat setting would work correctly with IPv6-only envirionment in future. Dual-stack support for socat like you suggested would resolve current lack of v6 support in this resource agent. 

But looking forward with v6-only at some point in time. My suggestion if a change is made, is to enable dual-stack v4/v6 (default) and additionally an optional setting for v4 and v6 only as well. For TCP6-LISTEN option ipv6only should allow v6 stack only.

Comment 3 Andreas Jaeger 2024-04-02 15:07:08 UTC

Clearing needinfo as information was provided.

Comment 4 Peter Varkoly 2024-04-03 18:09:41 UTC

(In reply to Robert Biro from comment #2)
> Indeed with TCP6-LISTEN, socat behaves like you noted - both v4 and v6
> protocols. Within Azure we have currently no IPv6-only network environment
> possible so I cannot confirm if such dual-stack socat setting would work
> correctly with IPv6-only envirionment in future. Dual-stack support for
> socat like you suggested would resolve current lack of v6 support in this
> resource agent. 
> 
> But looking forward with v6-only at some point in time. My suggestion if a
> change is made, is to enable dual-stack v4/v6 (default) and additionally an
> optional setting for v4 and v6 only as well. For TCP6-LISTEN option ipv6only
> should allow v6 stack only.
I've created a PR in github. You can discuss it.
I've tested and in this format works socat under all circumstances.
https://github.com/ClusterLabs/resource-agents/pull/1922

Comment 5 Robert Biro 2024-04-04 08:09:17 UTC

(In reply to Peter Varkoly from comment #4)
> (In reply to Robert Biro from comment #2)
> > Indeed with TCP6-LISTEN, socat behaves like you noted - both v4 and v6
> > protocols. Within Azure we have currently no IPv6-only network environment
> > possible so I cannot confirm if such dual-stack socat setting would work
> > correctly with IPv6-only envirionment in future. Dual-stack support for
> > socat like you suggested would resolve current lack of v6 support in this
> > resource agent. 
> > 
> > But looking forward with v6-only at some point in time. My suggestion if a
> > change is made, is to enable dual-stack v4/v6 (default) and additionally an
> > optional setting for v4 and v6 only as well. For TCP6-LISTEN option ipv6only
> > should allow v6 stack only.
> I've created a PR in github. You can discuss it.
> I've tested and in this format works socat under all circumstances.
> https://github.com/ClusterLabs/resource-agents/pull/1922

Thanks, this works fine, and I confirm TCP6-LISTENER worked well in dual-stack situation. I see PR now merged to main branch.
Ideally for this bug, if possible, downports to SUSE 15 SP4 and SP5 would be very welcome.

Comment 6 Peter Varkoly 2024-04-05 11:11:19 UTC

Update is comming soon.

Comment 8 OBSbugzilla Bot 2024-04-05 14:35:02 UTC

This is an autogenerated message for OBS integration:
This bug (1220997) was mentioned in
https://build.opensuse.org/request/show/1165659 Factory / resource-agents

Comment 9 Peter Varkoly 2024-04-08 09:55:32 UTC

@Robert please take care that by setting "sysctl -w net.ipv6.bindv6only=1" dual bind does not work. But I think in this case IPV6 only is OK.

Comment 10 Peter Varkoly 2024-04-08 09:55:47 UTC

Fixed and released.

Comment 11 Maintenance Automation 2024-04-17 16:30:05 UTC

SUSE-RU-2024:1330-1: An update that has one fix can now be installed.

Category: recommended (moderate)
Bug References: 1220997
Maintenance Incident: [SUSE:Maintenance:33228](https://smelt.suse.de/incident/33228/)
Sources used:
openSUSE Leap 15.4 (src):
 resource-agents-4.10.0+git40.0f4de473-150400.3.25.2
SUSE Linux Enterprise High Availability Extension 15 SP4 (src):
 resource-agents-4.10.0+git40.0f4de473-150400.3.25.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 Maintenance Automation 2024-04-17 16:30:09 UTC

SUSE-RU-2024:1329-1: An update that has one fix can now be installed.

Category: recommended (moderate)
Bug References: 1220997
Maintenance Incident: [SUSE:Maintenance:33230](https://smelt.suse.de/incident/33230/)
Sources used:
openSUSE Leap 15.3 (src):
 resource-agents-4.8.0+git30.d0077df0-150300.8.40.2
SUSE Linux Enterprise High Availability Extension 15 SP3 (src):
 resource-agents-4.8.0+git30.d0077df0-150300.8.40.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 13 Maintenance Automation 2024-04-17 16:30:10 UTC

SUSE-RU-2024:1328-1: An update that has one fix can now be installed.

Category: recommended (moderate)
Bug References: 1220997
Maintenance Incident: [SUSE:Maintenance:33227](https://smelt.suse.de/incident/33227/)
Sources used:
openSUSE Leap 15.5 (src):
 resource-agents-4.12.0+git30.7fd7c8fa-150500.3.6.2
SUSE Linux Enterprise High Availability Extension 15 SP5 (src):
 resource-agents-4.12.0+git30.7fd7c8fa-150500.3.6.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.