snipets:solaris:smartos-ipv6 [2014/07/26 20:56] sjorge [example configuration for zone] |
snipets:solaris:smartos-ipv6 [2014/10/09 22:02] |
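--- a/snipets:solaris:smartos-ipv6
+++ b/snipets:solaris:smartos-ipv6
@@ -1 +1 @@
-===== Introduction =====
-While doing my migration from ESXi @ Kimsufi to SmartOS @ SyS I noticed I had a full IPv6 /64 available for me.
-Sounds like a good idea to drop my current tunneled setup. Below is how to make your GZ IPv6 reachable and a template to do the same for zones.
-
-===== SmartOS Global Zone Configuration =====
-==== network helper ====
-A helper script to setup IPv6 in the GZ and do some other things also.
-
-:?: can't figure out the default gateway? Head [[http://www.gestioip.net/cgi-bin/subnet_calculator.cgi|here]] enter YOUR:IP:V6:BLOCK::1/56 grab the end address of your 'network range' and change the last 4 ffff entries to ff and your should have your gateway.
-
-<file bash /opt/custom/bin/net-setup>
-#!/usr/bin/sh
-
-. /lib/svc/share/smf_include.sh
-
-## enable ipv6
-ipadm create-addr -t -T addrconf e1000g0/v6a
-ipadm create-addr -t -T static -a YOUR:IP:V6:BLOCK::1 e1000g0/v6s
-route add -inet6 YOUR:IP:V6:BLOCK::1/56 YOUR:IP:V6:BLOCK::1 -interface
-route add -inet6 default YOUR:IP:V6:BLOff:ff:ff:ff:ff
-
-## clear firewall rules
-[ -e /etc/ipf/ipf.conf ] && rm /etc/ipf/ipf.conf
-
-## firewall rules
-echo "# Default policies" >> /etc/ipf/ipf.conf
-echo "pass out all keep state" >> /etc/ipf/ipf.conf
-echo "block in all" >> /etc/ipf/ipf.conf
-echo "block return-rst in log first proto tcp all" >> /etc/ipf/ipf.conf
-echo "block return-icmp(host-unr) in log proto udp all" >> /etc/ipf/ipf.conf
-echo "# Allow Loopback" >> /etc/ipf/ipf.conf
-echo "pass in quick on lo0 all" >> /etc/ipf/ipf.conf
-echo "pass out quick on lo0 all" >> /etc/ipf/ipf.conf
-echo "# Allow ICMP" >> /etc/ipf/ipf.conf
-echo "pass out quick proto icmp all keep state" >> /etc/ipf/ipf.conf
-echo "pass in quick proto icmp all keep state" >> /etc/ipf/ipf.conf
-echo "# Allow SSH" >> /etc/ipf/ipf.conf
-echo "pass in quick proto tcp from any to any port = 22 flags S/FSRPAU keep state keep frags" >> /etc/ipf/ipf.conf
-
-## enable firewall
-/usr/sbin/ipf -E -Fa -v -f /etc/ipf/ipf.conf
-
-exit $SMF_EXIT_OK
-</file>
-
-Don't forget to make this file executable! ''chmod +x /opt/custom/bin/net-setup''
-
-==== smf manifest to run net-setup at boot ====
-<file xml /opt/custom/smf/net-setup.xml>
-<?xml version="1.0"?>
-<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
-
-<service_bundle type='manifest' name='site:net-setup'>
-<service name='site/net-setup' type='service' version='1'>
-<create_default_instance enabled='true' />
-<single_instance />
-<dependency name='net-physical' grouping='require_all' restart_on='none' type='service'>
-<service_fmri value='svc:/network/physical'/>
-</dependency>
-<dependency name='filesystem' grouping='require_all' restart_on='none' type='service'>
-<service_fmri value='svc:/system/filesystem/local'/>
-</dependency>
-
-<exec_method type='method' name='start' exec='/opt/custom/bin/net-setup' timeout_seconds='0' />
-<exec_method type='method' name='stop' exec=':true' timeout_seconds='0' />
-
-<property_group name='startd' type='framework'>
-<propval name='duration' type='astring' value='transient' />
-</property_group>
-
-<stability value='Unstable' />
-</service>
-</service_bundle>
-</file>
-**<fc #FF0000>make sure to remove the first set of indetations that happens when copying from this wiki!</fc>**
-
-After a reboot check your connectivity using ''ipadm show-addr'' and ''ping -A inet6 google.com''
-
-===== example configuration for zone =====
-<code json>
-{
-"brand": "joyent",
-"image_uuid": "d34c301e-10c3-11e4-9b79-5f67ca448df0",
-"hostname": "<fqdn>",
-"alias": "<name>",
-"autoboot": true,
-"nowait": false,
-"quota": 25,
-"cpu_shares": 100,
-"max_physical_memory": 512,
-"zfs_io_priority": 100,
-"zfs_root_compression": "lz4",
-"resolvers": [ "8.8.8.8", "8.8.4.4" ],
-"nics": [
-{
-"nic_tag": "admin",
-"mac": "<mac>",
-"ip": "<ip4_block>.<host>",
-"netmask": "255.255.255.255",
-"allow_ip_spoofing": true,
-"primary": true
-}
-],
-"customer_metadata": {
-"user-script":
-"route add <ip4_block>.0/24 5.135.127.99 -interface ; route add default <gateway-from-server> ; ipadm create-addr -t -T addrconf net0/v6a ; ipadm create-addr -t -T static -a <ip6_block>::<host> net0/v6s ; route add -inet6 <ip6_block>::/56 <ip6_block>::<host> -interface ; route add -inet6 default <ip6_block_part>ff:ff:ff:ff:ff"
-}
-}
-</code>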