{"specs/newton/metadata-add-ipv6-support.rst":[{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"4d5a8883725f6b260fef853ee369792a9143eaed","unresolved":false,"context_lines":[{"line_number":8,"context_line":"IPv6 support in Metadata service"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"https://bugs.launchpad.net/neutron/+bug/1460177"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Adding IPv6 support for Metadata service."},{"line_number":14,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_f7857d59","line":11,"updated":"2016-05-12 15:19:00.000000000","message":"It doesn\u0027t seem a conclusion was ever reached in this bug, but using a DNS SRV record seemed like more of an option than anycast.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"26a5c5e1f1c6408471cde77d758f9ee56e5da8e0","unresolved":false,"context_lines":[{"line_number":8,"context_line":"IPv6 support in Metadata service"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"https://bugs.launchpad.net/neutron/+bug/1460177"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Adding IPv6 support for Metadata 
service."},{"line_number":14,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_f659c336","line":11,"in_reply_to":"dab17558_7d20274a","updated":"2016-05-13 15:56:01.000000000","message":"Alexey - I\u0027m actually fine using a link-local address for this, but I\u0027d rather have it discoverable since that gives us flexibility in deployments.  Perhaps in a provider network it can be a global within the datacenter?","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":11061,"name":"Alexey I. Froloff","email":"raorn@raorn.name","username":"raorn"},"change_message_id":"1bed7ba000763cec63294453358678374ca2196d","unresolved":false,"context_lines":[{"line_number":8,"context_line":"IPv6 support in Metadata service"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"https://bugs.launchpad.net/neutron/+bug/1460177"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Adding IPv6 support for Metadata service."},{"line_number":14,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_7d20274a","line":11,"in_reply_to":"dab17558_bc50f15f","updated":"2016-05-13 09:47:35.000000000","message":"DNS and RA require additional configuration, which is not always possible.  For Metadata service, VM only needs to access DHCP agent or L3 router, and it is located in the same L2 segment by design.  
This is why IPv6 Link Local address is the simplest solution.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"06efe4f203e2d28690006c3e7debb9c80c2641ae","unresolved":false,"context_lines":[{"line_number":8,"context_line":"IPv6 support in Metadata service"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"https://bugs.launchpad.net/neutron/+bug/1460177"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Adding IPv6 support for Metadata service."},{"line_number":14,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_bc50f15f","line":11,"in_reply_to":"dab17558_ed02ca08","updated":"2016-05-12 18:02:36.000000000","message":"Because I feel this is an abuse of the \"anycast is indistinguishable from unicast\", since it\u0027s a link-local address.  DNS gets around that, or an RA option.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":11061,"name":"Alexey I. 
Froloff","email":"raorn@raorn.name","username":"raorn"},"change_message_id":"0bd1cf14e3c67f738049c47e7787b488962b5746","unresolved":false,"context_lines":[{"line_number":8,"context_line":"IPv6 support in Metadata service"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"https://bugs.launchpad.net/neutron/+bug/1460177"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Adding IPv6 support for Metadata service."},{"line_number":14,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_2e15703f","line":11,"in_reply_to":"dab17558_f659c336","updated":"2016-05-16 12:10:58.000000000","message":"Let\u0027s not forget that it must work in all cases, not only provider networks, but also in user-created private networks without router (or with disconnected router). Anyway, there are several choices for such discovery:\n\nGlobal DNS name, like \"instance-data.\".  Requires DNS configuration, doesn\u0027t work if instances use external DNS servers.\n\nZeroconf/mDNS discovery.  Easy to use, may have security issues(?), esp. in shared networks, requires additional service running on DHCP/L3 agent.\n\n\"Well-known\" IPv6 Multicast address, that is used to discover metadata service (just like DHCPv6 server discovery). A bit more complex for clients, but \"well-known\" address is not cached on client - re-discovery will select next available server. This \"well-known\" address also needs to be IANA-registered.\n\nLink-Local IPv6 anycast address described here (no discovery). Uses Linux-specific anycast API on server side, has problems with NDP cache, easy to use for clients, can work in any environment.\n\nUse IPv4 Metadata URL and allow communication on 169.254.0.0/16 network.  
Clients will use IPv4LL autoconfiguration.  Additional firewall rules may be specified to only allow client-to-metadata communication.\n\nEvery method has its own advantages and disadvantages...","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":11061,"name":"Alexey I. Froloff","email":"raorn@raorn.name","username":"raorn"},"change_message_id":"81347ebc3253c658fce9ffc2e3d360b6878e3ee3","unresolved":false,"context_lines":[{"line_number":8,"context_line":"IPv6 support in Metadata service"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"https://bugs.launchpad.net/neutron/+bug/1460177"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Adding IPv6 support for Metadata service."},{"line_number":14,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_ed02ca08","line":11,"in_reply_to":"dab17558_f7857d59","updated":"2016-05-12 15:39:53.000000000","message":"Why do you think so?  Anycast address works with only Neutron support, while DNS SRV needs additional configuration, which is not always possible.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":4656,"name":"Sean M. Collins","email":"sean@coreitpro.com","username":"scollins"},"change_message_id":"9536996b054484f571b049f07df6b50ab0010388","unresolved":false,"context_lines":[{"line_number":15,"context_line":"Problem Description"},{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Metadata service uses \"magic\" IP 169.254.169.254 as endpoint address.  
This doesn\u0027t"},{"line_number":19,"context_line":"work in IPv6-only environment."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Magic IP is not accessible from IPv6-only VM.  It is possible to add 169.254.0.0/16"}],"source_content_type":"text/x-rst","patch_set":1,"id":"bab6814e_0b904042","line":18,"updated":"2016-05-26 18:20:38.000000000","message":"it\u0027s not magic. It\u0027s just an arbitrary link local v4 address that amazon picked. Let\u0027s be clear.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":10558,"name":"Dustin Lundquist","email":"dustin@null-ptr.net","username":"dlundquist"},"change_message_id":"798c506202cdf15e29a7aa59827d4bab017151e3","unresolved":false,"context_lines":[{"line_number":15,"context_line":"Problem Description"},{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Metadata service uses \"magic\" IP 169.254.169.254 as endpoint address.  This doesn\u0027t"},{"line_number":19,"context_line":"work in IPv6-only environment."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Magic IP is not accessible from IPv6-only VM.  
It is possible to add 169.254.0.0/16"}],"source_content_type":"text/x-rst","patch_set":1,"id":"bab6814e_690ab427","line":18,"in_reply_to":"bab6814e_0b904042","updated":"2016-05-26 19:20:08.000000000","message":"I would suggest \"well known\" instead of \"magic\".","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"4d5a8883725f6b260fef853ee369792a9143eaed","unresolved":false,"context_lines":[{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe (fe80::169.254.169.254) on all"},{"line_number":35,"context_line":"available interfaces (It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_1cedc68e","line":35,"updated":"2016-05-12 15:19:00.000000000","message":"That really isn\u0027t an anycast address (even if RFC 4291 is unclear on it) as a router should be able to forward packets to one of a group of systems with it.  Link-local addresses are not forwarded.  And you\u0027d need an assignment from IANA (RFC 2526).  And you\u0027re using the word \"group\" which is a multicast concept, so I\u0027m confused.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":11061,"name":"Alexey I. 
Froloff","email":"raorn@raorn.name","username":"raorn"},"change_message_id":"81347ebc3253c658fce9ffc2e3d360b6878e3ee3","unresolved":false,"context_lines":[{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe (fe80::169.254.169.254) on all"},{"line_number":35,"context_line":"available interfaces (It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_b202e309","line":35,"in_reply_to":"dab17558_1cedc68e","updated":"2016-05-12 15:39:53.000000000","message":"This is an address that can be IPV6_JOIN_ANYCAST\u0027ed (option 27 for setsockopt(2)). RFC 4291 says, that \"anycast addresses are syntactically indistinguishable from unicast addresses\". 
It also doesn\u0027t say that this address MUST be Reserved IPv6 Anycast (RFC 2526).","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":10558,"name":"Dustin Lundquist","email":"dustin@null-ptr.net","username":"dlundquist"},"change_message_id":"4a132d5e2d8e0f2cab11808a6a5ee401e555b242","unresolved":false,"context_lines":[{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe (fe80::169.254.169.254) on all"},{"line_number":35,"context_line":"available interfaces (It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_cac35e89","line":35,"in_reply_to":"dab17558_221df866","updated":"2016-05-12 20:37:19.000000000","message":"Ah, the reverse mapping is done automatically by the kernel. 
Well, we need an address in the global unicast scope to be the well known metadata IPv6 metadata address.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":8818,"name":"Yury Konovalov","email":"YKonovalov@gmail.com","username":"yurix"},"change_message_id":"057668cc5fc5b23e89ad2def8d1edc4d77085eeb","unresolved":false,"context_lines":[{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe (fe80::169.254.169.254) on all"},{"line_number":35,"context_line":"available interfaces (It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_6e2b2aec","line":35,"in_reply_to":"dab17558_56e7ef11","updated":"2016-05-13 21:28:55.000000000","message":"Brian, you are right, there is a window for metadata availability in IPv6 anycast \"failover\" scenario. For IPv4 it is much worse, because we have metadata IPv4LL assigned on the interface, so clients will get ARP replies from inactive agents as well, e.g. 
no failover at all.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"26a5c5e1f1c6408471cde77d758f9ee56e5da8e0","unresolved":false,"context_lines":[{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe (fe80::169.254.169.254) on all"},{"line_number":35,"context_line":"available interfaces (It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_56e7ef11","line":35,"in_reply_to":"dab17558_78a3159f","updated":"2016-05-13 15:56:01.000000000","message":"There is still a window where a client could do NDP, get a response, but the anycast is removed right after.  The resulting http get would fail until the cached entry goes stale, even if another host has the anycast.  
Perhaps we have the same problem with IPv4 but have never seen it.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":8818,"name":"Yury Konovalov","email":"YKonovalov@gmail.com","username":"yurix"},"change_message_id":"c46ee20e1094c854c7389c186e3dcd65ba10f533","unresolved":false,"context_lines":[{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe (fe80::169.254.169.254) on all"},{"line_number":35,"context_line":"available interfaces (It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_fe8543ad","line":35,"in_reply_to":"dab17558_813f86d5","updated":"2016-05-13 01:14:05.000000000","message":"If an anycast address is registered in the kernel, neighbour discovery logic changes to keep single neighbour by always sending neighbour advertisements with non-override flag. On reprobe the client will get multiple replies and will pick the one which does not override the current address. In case metadata-proxy process exits for any reason the kernel will unregister and stop responding to NDP on IPv6 anycast address, so the client will choose different agent for metadata. 
That\u0027s how anycast is supposed to work on local subnet.\n\nIPv6 link local as a metadata address provides the same advantages as IPv4 link local (169.254.169.254) we use now, plus better support on clients (link local is not optional in IPv6 as it is in IPv4).","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"06efe4f203e2d28690006c3e7debb9c80c2641ae","unresolved":false,"context_lines":[{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe (fe80::169.254.169.254) on all"},{"line_number":35,"context_line":"available interfaces (It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_813f86d5","line":35,"in_reply_to":"dab17558_b202e309","updated":"2016-05-12 18:02:36.000000000","message":"But the whole point of anycast is for the last-hop router to only forward it to *one* of many systems, and that can\u0027t happen in this case.\n\nAnd regarding Reserved - it seems we are trying to standardize something, how do we do that without agreeing to what this address should be?  Baking it into neutron isn\u0027t the place to standardize it.  
This was mentioned in the bug as well.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":10558,"name":"Dustin Lundquist","email":"dustin@null-ptr.net","username":"dlundquist"},"change_message_id":"275730881eba135de7d332b23e5be84d376d5291","unresolved":false,"context_lines":[{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe (fe80::169.254.169.254) on all"},{"line_number":35,"context_line":"available interfaces (It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_e712e257","line":35,"in_reply_to":"dab17558_b202e309","updated":"2016-05-12 18:13:56.000000000","message":"fe80::169.254.169.254 is in the link-local prefix, as such any packets sent to it will be sent from other link-local addresses rather than global unicast addresses. Redirecting link-local traffic is in effect routing it, which is prohibited. Could we use the IPv6 mapped IPv4 address for metadata instead (::ffff:168.254.169.254) instead since it is in the global unicast scope?\n\nAdditionally I\u0027m unclear how this anycast would be implemented: IPv6 provides multicast, but using multicast with TCP is problematic since the client will receive a reply from each member of the group.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":11061,"name":"Alexey I. 
Froloff","email":"raorn@raorn.name","username":"raorn"},"change_message_id":"1bed7ba000763cec63294453358678374ca2196d","unresolved":false,"context_lines":[{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe (fe80::169.254.169.254) on all"},{"line_number":35,"context_line":"available interfaces (It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_78a3159f","line":35,"in_reply_to":"dab17558_cac35e89","updated":"2016-05-13 09:47:35.000000000","message":"Link Local address is better because this network is not routed.  In networks with external router, this router will receive packets directed to this \"global unicast\" address.  Then it should redirect it to Metadata proxy, but altering external router configuration is not always possible.\n\nInstead of messing with \"well-known\" addresses, it is possible to use DHCP agent\u0027s Link Local address, but client needs a way to discover it.  cloud-init for CloudStack datasource parses *.lease files from DHCP client and uses DHCP server\u0027s address as metadata URI.  This will not work for IPv6-only SLAAC networks.  
Using address of default router will not work for networks with external router...","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"ca573058fa7ff110e4cd675b7f664e8c2ba9673b","unresolved":false,"context_lines":[{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe (fe80::169.254.169.254) on all"},{"line_number":35,"context_line":"available interfaces (It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_221df866","line":35,"in_reply_to":"dab17558_e712e257","updated":"2016-05-12 18:49:37.000000000","message":"\u003e Could we use the IPv6 mapped IPv4 address for metadata \n\u003e instead (::ffff:168.254.169.254) instead since it is in the \n\u003e global unicast scope?\n\nThat would just be transmitted as an IPv4 address, so don\u0027t know if it would work without the presence of an IPv4 source address on the system.  A system shouldn\u0027t ever send this address on the wire as-is.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":4656,"name":"Sean M. 
Collins","email":"sean@coreitpro.com","username":"scollins"},"change_message_id":"9536996b054484f571b049f07df6b50ab0010388","unresolved":false,"context_lines":[{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe (fe80::169.254.169.254) to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."}],"source_content_type":"text/x-rst","patch_set":1,"id":"bab6814e_ab43f4ad","line":40,"updated":"2016-05-26 18:20:38.000000000","message":"Please, no IPv4 embedded addresses. Just no.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"4d5a8883725f6b260fef853ee369792a9143eaed","unresolved":false,"context_lines":[{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe (fe80::169.254.169.254) to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_57b3a90a","line":40,"updated":"2016-05-12 15:19:00.000000000","message":"fe80::169.254.169.254 isn\u0027t a valid IPv6 address, are you thinking of a 
6to4 address?","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":11708,"name":"Atsuko Ito","email":"me@yottatsa.name","username":"yottatsa"},"change_message_id":"fbcae796ca560d984919b5b9516a2a3da15220cf","unresolved":false,"context_lines":[{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe (fe80::169.254.169.254) to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."}],"source_content_type":"text/x-rst","patch_set":1,"id":"9abb7d3a_e4a3204e","line":40,"in_reply_to":"bab6814e_ab43f4ad","updated":"2016-05-27 09:11:18.000000000","message":"Sean M. Collins, It\u0027s not actually embedding. It\u0027s mnemonic. Do you have any objections about fe80::a9fe:a9fe?\n\nBrian Haley, it couldn\u0027t be autoassigned in any way (see Dmitry Bilunov comment). Furthermore, attribution to \"infrastructure\" ports could be enforced with SG framework (like it was done for e.g. 
DHCPv4).","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"06efe4f203e2d28690006c3e7debb9c80c2641ae","unresolved":false,"context_lines":[{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe (fe80::169.254.169.254) to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_414e3e97","line":40,"in_reply_to":"dab17558_0dfe2e05","updated":"2016-05-12 18:02:36.000000000","message":"Ok, valid, but not the correct way:\n\nhttp://v6decode.com/#address\u003dfe80%3A%3A169.254.169.254\n\nI\u0027ve never seen a link-local address using dotted notation.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"ca573058fa7ff110e4cd675b7f664e8c2ba9673b","unresolved":false,"context_lines":[{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe (fe80::169.254.169.254) to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and 
source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_a2aa8883","line":40,"in_reply_to":"dab17558_27622ad9","updated":"2016-05-12 18:49:37.000000000","message":"Right, but embedding the v4 address is typically only done as some transition mechanism, and for viewing purposes (like in netstat).  This address, starting with fe80, would always be displayed as fe80::a9fe:a9fe in any utility because they don\u0027t know it has any \"special\" meaning.\n\nThe reason I keep harping on this is that without some reservation of the address it has no special meaning as a metadata address, and that\u0027s what we\u0027re trying to do here.  Because we then have to make sure anti-spoofing rules are in place so it can\u0027t be configured on a VM, etc.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":19560,"name":"Dmitry Bilunov","email":"kmeaw@kmeaw.com","username":"dbilunov"},"change_message_id":"9861498f754fcb3179fdc410c65789a30c057988","unresolved":false,"context_lines":[{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe (fe80::169.254.169.254) to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_ea5c307f","line":40,"in_reply_to":"dab17558_36fd0b3c","updated":"2016-05-13 17:08:49.000000000","message":"fe80::a9fe:a9fe is a good choice since it cannot be auto-assigned to the interface since it lacks \"ff:fe\" part (as in Modified 
EUI-64) in the middle of interface identifier.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":10558,"name":"Dustin Lundquist","email":"dustin@null-ptr.net","username":"dlundquist"},"change_message_id":"275730881eba135de7d332b23e5be84d376d5291","unresolved":false,"context_lines":[{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe (fe80::169.254.169.254) to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_27622ad9","line":40,"in_reply_to":"dab17558_414e3e97","updated":"2016-05-12 18:13:56.000000000","message":"@Brian: I think it\u0027s fine here, embedding an IPv4 address in an IPv6 address is allowed, and this shows the intent for it to be an equivalent address.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":11061,"name":"Alexey I. 
Froloff","email":"raorn@raorn.name","username":"raorn"},"change_message_id":"81347ebc3253c658fce9ffc2e3d360b6878e3ee3","unresolved":false,"context_lines":[{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe (fe80::169.254.169.254) to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_0dfe2e05","line":40,"in_reply_to":"dab17558_57b3a90a","updated":"2016-05-12 15:39:53.000000000","message":"That\u0027s another way to represent fe80::a9fe:a9fe address.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"26a5c5e1f1c6408471cde77d758f9ee56e5da8e0","unresolved":false,"context_lines":[{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe (fe80::169.254.169.254) to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_36fd0b3c","line":40,"in_reply_to":"dab17558_5d3a8335","updated":"2016-05-13 
15:56:01.000000000","message":"Alexey - maybe I was just reading fe80::169.254.169.254 too literally, and not seeing it as just why a9fe:a9fe was chosen, my apologies.\n\nBut it is possible for a VM to assign this address, one simple way is to create a port with the right MAC manually, then use it at boot time.  So if we go forward with this, we\u0027ll need to make sure that address is only ever allowed on \"infrastructure\" ports used for handling it.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":11708,"name":"Atsuko Ito","email":"me@yottatsa.name","username":"yottatsa"},"change_message_id":"00b7f52eee9e637bb39ffb25c3ae156bffd62ac7","unresolved":false,"context_lines":[{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe (fe80::169.254.169.254) to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_b2491ed3","line":40,"in_reply_to":"dab17558_a2aa8883","updated":"2016-05-13 09:21:41.000000000","message":"As far as I can see, embedding 169.254.169.254 to IPv6 link-local in IPv4-mapped IPv6 addresses manner is just \"number play\" to keep well-known number.\n\nSo any address may be chosen, but personally I like this one fe80::a9fe:a9fe. At least it is as easy to say/remember/type it, as 169.254.169.254 was.\n\nAnd speaking about reservation, 169.254.169.254 is reserved de facto, not de jure. We should play the same way.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":11061,"name":"Alexey I. 
Froloff","email":"raorn@raorn.name","username":"raorn"},"change_message_id":"1bed7ba000763cec63294453358678374ca2196d","unresolved":false,"context_lines":[{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"\"magic\" anycast IP to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe (fe80::169.254.169.254) to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dab17558_5d3a8335","line":40,"in_reply_to":"dab17558_a2aa8883","updated":"2016-05-13 09:47:35.000000000","message":"fe80::169.254.169.254 is just an explanation why fe80::a9fe:a9fe address was chosen.\n\nWith current anti-spoofing rules VM can\u0027t assign this address. 
DHCP agent will accept connection (because port security is off for network-owned ports) and client will receive reply if connection was established.","commit_id":"db41839f54534042642e8ec4cc570332bc681453"},{"author":{"_account_id":10558,"name":"Dustin Lundquist","email":"dustin@null-ptr.net","username":"dlundquist"},"change_message_id":"ade6dd46eb52b2c85ba56a7c32c2943ef8c06f3d","unresolved":false,"context_lines":[{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"proposed anycast IP (fe80::a9fe:a9fe) to Metadata proxy port."}],"source_content_type":"text/x-rst","patch_set":2,"id":"9abb7d3a_0049d05f","line":35,"updated":"2016-05-27 19:52:31.000000000","message":"How is it okay to be listening on all interfaces in the L3 router case? 
What if the router gateway interface is connected to a provider network shared with another OpenStack installation?","commit_id":"6fe8d4b668d71be35331de2072f8bf0f8968a12e"},{"author":{"_account_id":10558,"name":"Dustin Lundquist","email":"dustin@null-ptr.net","username":"dlundquist"},"change_message_id":"5f49088d4558a8353ec535c81acd5c6d495675d2","unresolved":false,"context_lines":[{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"proposed anycast IP (fe80::a9fe:a9fe) to Metadata proxy port."}],"source_content_type":"text/x-rst","patch_set":2,"id":"5a9d85d2_c89fe001","line":35,"in_reply_to":"9abb7d3a_0049d05f","updated":"2016-06-20 21:05:15.000000000","message":"To join any anycast group, an interface needs to be specified. This should be changed to: Metadata proxy joins anycast group fe80::a9fe:a9fe on each internal interface (i.e. 
not qg- interfaces in qrouter- namespaces).\n\nAdditionally, the Python socket module doesn\u0027t define constants for IPV6_JOIN_ANYCAST, but we could define this constant locally.","commit_id":"6fe8d4b668d71be35331de2072f8bf0f8968a12e"},{"author":{"_account_id":22584,"name":"Tomislav Sukser","email":"tomislav.sukser@telekom.de","username":"tsukser"},"change_message_id":"4616ea5d705478e5c49a361ca813982398aa098e","unresolved":false,"context_lines":[{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"proposed anycast IP (fe80::a9fe:a9fe) to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."}],"source_content_type":"text/x-rst","patch_set":2,"id":"1aa78d24_40ba976f","line":40,"updated":"2016-07-05 05:37:22.000000000","message":"I see a small problem with this proposal. VM, at least a normal non-tweaked operating system IPv6 stack, will require IPv6 neighbor resolution for the address fe80::a9fe:a9fe, since this is pure L2 address and it is interface dependent. Otherwise IMHO it just won\u0027t work. And no IP neighbor spoofing mechanism is mentioned here, although it is needed.\nAccording to everything I can read here in this proposal, I believe you\u0027re trying to recreate the behavior from IPv4 where you can do NAT in between, for that non link-local addresses must be used... Potential candidate for that might be ULA, maybe something like fd00:a9fe:a9fe::1/64 which can be NAT-ed in between. 
And just for the record, doing NAT in IPv6 sounds really awful, but may serve the purpose.","commit_id":"6fe8d4b668d71be35331de2072f8bf0f8968a12e"},{"author":{"_account_id":22584,"name":"Tomislav Sukser","email":"tomislav.sukser@telekom.de","username":"tsukser"},"change_message_id":"d9110329ea2d1b6e241b954dc5f2f8738fb796b4","unresolved":false,"context_lines":[{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"proposed anycast IP (fe80::a9fe:a9fe) to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."}],"source_content_type":"text/x-rst","patch_set":2,"id":"dada55a8_cf855108","line":40,"range":{"start_line":40,"start_character":41,"end_line":40,"end_character":42},"updated":"2016-07-22 07:46:21.000000000","message":"If I\u0027m getting this right, each interface for each VM on a compute host will reply with its own MAC address, so the packet flow will be:\nfrom VM: ICMP6, neighbor solicitation, who has fe80::a9fe:a9fe\nto the VM (from the specific interface with MAC address of that particular interface on the same L2/bridge as VM): ICMP6, neighbor advertisement, tgt is fe80::a9fe:a9fe\n\nIs there any chance that somebody has at least partial prototype of this working and tested? And if yes, are there any examples how packet/connection flow looks like?","commit_id":"6fe8d4b668d71be35331de2072f8bf0f8968a12e"},{"author":{"_account_id":11061,"name":"Alexey I. 
Froloff","email":"raorn@raorn.name","username":"raorn"},"change_message_id":"9b8e13595e771d69c8bb46cde0c9ad28fb5570ab","unresolved":false,"context_lines":[{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"proposed anycast IP (fe80::a9fe:a9fe) to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."}],"source_content_type":"text/x-rst","patch_set":2,"id":"dada55a8_52dc0fe4","line":40,"in_reply_to":"1aa78d24_40ba976f","updated":"2016-07-19 14:08:23.000000000","message":"Metadata proxy joins anycast group on this address, there\u0027s no need for spoofing nor NAT.\nCan\u0027t use multicast address here because one does not simply open TCP connection to multicast address.  It may be used to resolve link-local address of one of the metadata services (if there\u0027s more than one DHCP agents available), but this process is more complex than just connecting to link-local anycast IP.","commit_id":"6fe8d4b668d71be35331de2072f8bf0f8968a12e"},{"author":{"_account_id":11061,"name":"Alexey I. 
Froloff","email":"raorn@raorn.name","username":"raorn"},"change_message_id":"858c5f9f939efcadde07c31d322fb452fc09dc36","unresolved":false,"context_lines":[{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"proposed anycast IP (fe80::a9fe:a9fe) to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."}],"source_content_type":"text/x-rst","patch_set":2,"id":"dada55a8_c6d6ca26","line":40,"range":{"start_line":40,"start_character":41,"end_line":40,"end_character":42},"in_reply_to":"dada55a8_cf855108","updated":"2016-07-22 13:32:30.000000000","message":"Yes, we have working installation, and yes, you are correct about packet flow.  tcpdump is too wide to quote it here, I\u0027ve posted it on GitHub - https://gist.github.com/raorn/6af30b6d6289640a548612400ee3b758","commit_id":"6fe8d4b668d71be35331de2072f8bf0f8968a12e"}],"specs/ussuri/metadata-add-ipv6-support.rst":[{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":15,"context_line":"Problem Description"},{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Metadata service uses well-known IP 169.254.169.254 as endpoint address.  
This doesn\u0027t"},{"line_number":19,"context_line":"work in IPv6-only environment."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"169.254.169.254 is not accessible from IPv6-only VM.  It is possible to add 169.254.0.0/16"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_396705ed","line":18,"range":{"start_line":18,"start_character":0,"end_line":18,"end_character":8},"updated":"2019-12-09 20:16:26.000000000","message":"s/The metadata","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":15,"context_line":"Problem Description"},{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Metadata service uses well-known IP 169.254.169.254 as endpoint address.  This doesn\u0027t"},{"line_number":19,"context_line":"work in IPv6-only environment."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"169.254.169.254 is not accessible from IPv6-only VM.  
It is possible to add 169.254.0.0/16"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_f95c0d1b","line":18,"range":{"start_line":18,"start_character":52,"end_line":18,"end_character":54},"updated":"2019-12-09 20:16:26.000000000","message":"s/as its","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":15,"context_line":"Problem Description"},{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Metadata service uses well-known IP 169.254.169.254 as endpoint address.  This doesn\u0027t"},{"line_number":19,"context_line":"work in IPv6-only environment."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"169.254.169.254 is not accessible from IPv6-only VM.  It is possible to add 169.254.0.0/16"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_596441e5","line":18,"range":{"start_line":18,"start_character":17,"end_line":18,"end_character":21},"updated":"2019-12-09 20:16:26.000000000","message":"s/uses the","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":15,"context_line":"Problem Description"},{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Metadata service uses well-known IP 169.254.169.254 as endpoint address.  
This doesn\u0027t"},{"line_number":19,"context_line":"work in IPv6-only environment."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"169.254.169.254 is not accessible from IPv6-only VM.  It is possible to add 169.254.0.0/16"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_f9f911c5","line":18,"range":{"start_line":18,"start_character":0,"end_line":18,"end_character":8},"in_reply_to":"3fa7e38b_396705ed","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":15,"context_line":"Problem Description"},{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Metadata service uses well-known IP 169.254.169.254 as endpoint address.  This doesn\u0027t"},{"line_number":19,"context_line":"work in IPv6-only environment."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"169.254.169.254 is not accessible from IPv6-only VM.  
It is possible to add 169.254.0.0/16"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_5922a556","line":18,"range":{"start_line":18,"start_character":17,"end_line":18,"end_character":21},"in_reply_to":"3fa7e38b_596441e5","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":15,"context_line":"Problem Description"},{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Metadata service uses well-known IP 169.254.169.254 as endpoint address.  This doesn\u0027t"},{"line_number":19,"context_line":"work in IPv6-only environment."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"169.254.169.254 is not accessible from IPv6-only VM.  It is possible to add 169.254.0.0/16"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_3919e922","line":18,"range":{"start_line":18,"start_character":52,"end_line":18,"end_character":54},"in_reply_to":"3fa7e38b_f95c0d1b","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Metadata service uses well-known IP 169.254.169.254 as endpoint address.  
This doesn\u0027t"},{"line_number":19,"context_line":"work in IPv6-only environment."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"169.254.169.254 is not accessible from IPv6-only VM.  It is possible to add 169.254.0.0/16"},{"line_number":22,"context_line":"to port\u0027s allowed_address_pairs list and use IPv4LL for interface configuration, but"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_d99d91bb","line":19,"range":{"start_line":19,"start_character":5,"end_line":19,"end_character":7},"updated":"2019-12-09 20:16:26.000000000","message":"s/in an","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Metadata service uses well-known IP 169.254.169.254 as endpoint address.  This doesn\u0027t"},{"line_number":19,"context_line":"work in IPv6-only environment."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"169.254.169.254 is not accessible from IPv6-only VM.  
It is possible to add 169.254.0.0/16"},{"line_number":22,"context_line":"to port\u0027s allowed_address_pairs list and use IPv4LL for interface configuration, but"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_d91535e8","line":19,"range":{"start_line":19,"start_character":5,"end_line":19,"end_character":7},"in_reply_to":"3fa7e38b_d99d91bb","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":18,"context_line":"Metadata service uses well-known IP 169.254.169.254 as endpoint address.  This doesn\u0027t"},{"line_number":19,"context_line":"work in IPv6-only environment."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"169.254.169.254 is not accessible from IPv6-only VM.  
It is possible to add 169.254.0.0/16"},{"line_number":22,"context_line":"to port\u0027s allowed_address_pairs list and use IPv4LL for interface configuration, but"},{"line_number":23,"context_line":"metadata proxy doesn\u0027t even start if there are no DHCP-enabled IPv4 subnets, and"},{"line_number":24,"context_line":"IPv4LL addresses are unknown for Neutron and can\u0027t be used for instance identification."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_799eddb7","line":21,"range":{"start_line":21,"start_character":34,"end_line":21,"end_character":38},"updated":"2019-12-09 20:16:26.000000000","message":"s/from an","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":18,"context_line":"Metadata service uses well-known IP 169.254.169.254 as endpoint address.  This doesn\u0027t"},{"line_number":19,"context_line":"work in IPv6-only environment."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"169.254.169.254 is not accessible from IPv6-only VM.  
It is possible to add 169.254.0.0/16"},{"line_number":22,"context_line":"to port\u0027s allowed_address_pairs list and use IPv4LL for interface configuration, but"},{"line_number":23,"context_line":"metadata proxy doesn\u0027t even start if there are no DHCP-enabled IPv4 subnets, and"},{"line_number":24,"context_line":"IPv4LL addresses are unknown for Neutron and can\u0027t be used for instance identification."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_99cd7d94","line":21,"range":{"start_line":21,"start_character":34,"end_line":21,"end_character":38},"in_reply_to":"3fa7e38b_799eddb7","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":19,"context_line":"work in IPv6-only environment."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"169.254.169.254 is not accessible from IPv6-only VM.  
It is possible to add 169.254.0.0/16"},{"line_number":22,"context_line":"to port\u0027s allowed_address_pairs list and use IPv4LL for interface configuration, but"},{"line_number":23,"context_line":"metadata proxy doesn\u0027t even start if there are no DHCP-enabled IPv4 subnets, and"},{"line_number":24,"context_line":"IPv4LL addresses are unknown for Neutron and can\u0027t be used for instance identification."},{"line_number":25,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_7977bd8f","line":22,"range":{"start_line":22,"start_character":45,"end_line":22,"end_character":51},"updated":"2019-12-09 20:16:26.000000000","message":"s/an IPv6 link-local address","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":19,"context_line":"work in IPv6-only environment."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"169.254.169.254 is not accessible from IPv6-only VM.  
It is possible to add 169.254.0.0/16"},{"line_number":22,"context_line":"to port\u0027s allowed_address_pairs list and use IPv4LL for interface configuration, but"},{"line_number":23,"context_line":"metadata proxy doesn\u0027t even start if there are no DHCP-enabled IPv4 subnets, and"},{"line_number":24,"context_line":"IPv4LL addresses are unknown for Neutron and can\u0027t be used for instance identification."},{"line_number":25,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_b981b54f","line":22,"range":{"start_line":22,"start_character":0,"end_line":22,"end_character":2},"updated":"2019-12-09 20:16:26.000000000","message":"s/to a","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":19,"context_line":"work in IPv6-only environment."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"169.254.169.254 is not accessible from IPv6-only VM.  
It is possible to add 169.254.0.0/16"},{"line_number":22,"context_line":"to port\u0027s allowed_address_pairs list and use IPv4LL for interface configuration, but"},{"line_number":23,"context_line":"metadata proxy doesn\u0027t even start if there are no DHCP-enabled IPv4 subnets, and"},{"line_number":24,"context_line":"IPv4LL addresses are unknown for Neutron and can\u0027t be used for instance identification."},{"line_number":25,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_59d70524","line":22,"range":{"start_line":22,"start_character":45,"end_line":22,"end_character":51},"in_reply_to":"3fa7e38b_7977bd8f","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":19,"context_line":"work in IPv6-only environment."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"169.254.169.254 is not accessible from IPv6-only VM.  
It is possible to add 169.254.0.0/16"},{"line_number":22,"context_line":"to port\u0027s allowed_address_pairs list and use IPv4LL for interface configuration, but"},{"line_number":23,"context_line":"metadata proxy doesn\u0027t even start if there are no DHCP-enabled IPv4 subnets, and"},{"line_number":24,"context_line":"IPv4LL addresses are unknown for Neutron and can\u0027t be used for instance identification."},{"line_number":25,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_79dc4145","line":22,"range":{"start_line":22,"start_character":0,"end_line":22,"end_character":2},"in_reply_to":"3fa7e38b_b981b54f","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":20,"context_line":""},{"line_number":21,"context_line":"169.254.169.254 is not accessible from IPv6-only VM.  
It is possible to add 169.254.0.0/16"},{"line_number":22,"context_line":"to port\u0027s allowed_address_pairs list and use IPv4LL for interface configuration, but"},{"line_number":23,"context_line":"metadata proxy doesn\u0027t even start if there are no DHCP-enabled IPv4 subnets, and"},{"line_number":24,"context_line":"IPv4LL addresses are unknown for Neutron and can\u0027t be used for instance identification."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"Proposed Change"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_99a399ff","line":23,"range":{"start_line":23,"start_character":0,"end_line":23,"end_character":8},"updated":"2019-12-09 20:16:26.000000000","message":"s/the metadata","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":20,"context_line":""},{"line_number":21,"context_line":"169.254.169.254 is not accessible from IPv6-only VM.  
It is possible to add 169.254.0.0/16"},{"line_number":22,"context_line":"to port\u0027s allowed_address_pairs list and use IPv4LL for interface configuration, but"},{"line_number":23,"context_line":"metadata proxy doesn\u0027t even start if there are no DHCP-enabled IPv4 subnets, and"},{"line_number":24,"context_line":"IPv4LL addresses are unknown for Neutron and can\u0027t be used for instance identification."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"Proposed Change"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_39dec93c","line":23,"range":{"start_line":23,"start_character":0,"end_line":23,"end_character":8},"in_reply_to":"3fa7e38b_99a399ff","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":21,"context_line":"169.254.169.254 is not accessible from IPv6-only VM.  
It is possible to add 169.254.0.0/16"},{"line_number":22,"context_line":"to port\u0027s allowed_address_pairs list and use IPv4LL for interface configuration, but"},{"line_number":23,"context_line":"metadata proxy doesn\u0027t even start if there are no DHCP-enabled IPv4 subnets, and"},{"line_number":24,"context_line":"IPv4LL addresses are unknown for Neutron and can\u0027t be used for instance identification."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"Proposed Change"},{"line_number":27,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_997cf971","line":24,"range":{"start_line":24,"start_character":0,"end_line":24,"end_character":6},"updated":"2019-12-09 20:16:26.000000000","message":"s/IPv4 link-local","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":21,"context_line":"169.254.169.254 is not accessible from IPv6-only VM.  
It is possible to add 169.254.0.0/16"},{"line_number":22,"context_line":"to port\u0027s allowed_address_pairs list and use IPv4LL for interface configuration, but"},{"line_number":23,"context_line":"metadata proxy doesn\u0027t even start if there are no DHCP-enabled IPv4 subnets, and"},{"line_number":24,"context_line":"IPv4LL addresses are unknown for Neutron and can\u0027t be used for instance identification."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"Proposed Change"},{"line_number":27,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_b9bb99e2","line":24,"range":{"start_line":24,"start_character":0,"end_line":24,"end_character":6},"in_reply_to":"3fa7e38b_997cf971","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":26,"context_line":"Proposed Change"},{"line_number":27,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Metadata proxy starts unconditionally when network is assigned to DHCP agent or L3"},{"line_number":30,"context_line":"router."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_3995c588","line":29,"range":{"start_line":29,"start_character":0,"end_line":29,"end_character":8},"updated":"2019-12-09 20:16:26.000000000","message":"s/The metadata","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian 
Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":26,"context_line":"Proposed Change"},{"line_number":27,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Metadata proxy starts unconditionally when network is assigned to DHCP agent or L3"},{"line_number":30,"context_line":"router."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_599201a1","line":29,"range":{"start_line":29,"start_character":38,"end_line":29,"end_character":42},"updated":"2019-12-09 20:16:26.000000000","message":"s/when a","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":26,"context_line":"Proposed Change"},{"line_number":27,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Metadata proxy starts unconditionally when network is assigned to DHCP agent or L3"},{"line_number":30,"context_line":"router."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_59b065fe","line":29,"range":{"start_line":29,"start_character":0,"end_line":29,"end_character":8},"in_reply_to":"3fa7e38b_3995c588","updated":"2019-12-16 
12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":26,"context_line":"Proposed Change"},{"line_number":27,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Metadata proxy starts unconditionally when network is assigned to DHCP agent or L3"},{"line_number":30,"context_line":"router."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_79b521ed","line":29,"range":{"start_line":29,"start_character":38,"end_line":29,"end_character":42},"in_reply_to":"3fa7e38b_599201a1","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":26,"context_line":"Proposed Change"},{"line_number":27,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Metadata proxy starts unconditionally when network is assigned to DHCP agent or L3"},{"line_number":30,"context_line":"router."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket 
(::)."},{"line_number":33,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_f98acd62","line":30,"range":{"start_line":29,"start_character":66,"end_line":30,"end_character":6},"updated":"2019-12-09 20:16:26.000000000","message":"s/a DHCP or L3 agent.\n\nAt least I think that gets the point across","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":26,"context_line":"Proposed Change"},{"line_number":27,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Metadata proxy starts unconditionally when network is assigned to DHCP agent or L3"},{"line_number":30,"context_line":"router."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_19caed6e","line":30,"range":{"start_line":29,"start_character":66,"end_line":30,"end_character":6},"in_reply_to":"3fa7e38b_f98acd62","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":29,"context_line":"Metadata proxy starts unconditionally when network is assigned to DHCP agent or L3"},{"line_number":30,"context_line":"router."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket 
(::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_19880969","line":32,"range":{"start_line":32,"start_character":0,"end_line":32,"end_character":8},"updated":"2019-12-09 20:16:26.000000000","message":"s/The metadata","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":29,"context_line":"Metadata proxy starts unconditionally when network is assigned to DHCP agent or L3"},{"line_number":30,"context_line":"router."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_b9e69549","line":32,"range":{"start_line":32,"start_character":23,"end_line":32,"end_character":25},"updated":"2019-12-09 20:16:26.000000000","message":"s/on a","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":29,"context_line":"Metadata proxy starts unconditionally when network is assigned to DHCP agent or 
L3"},{"line_number":30,"context_line":"router."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_d9c3f557","line":32,"range":{"start_line":32,"start_character":0,"end_line":32,"end_character":8},"in_reply_to":"3fa7e38b_19880969","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":29,"context_line":"Metadata proxy starts unconditionally when network is assigned to DHCP agent or L3"},{"line_number":30,"context_line":"router."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_f9c0314d","line":32,"range":{"start_line":32,"start_character":23,"end_line":32,"end_character":25},"in_reply_to":"3fa7e38b_b9e69549","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian 
Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_79ec9d27","line":34,"range":{"start_line":34,"start_character":15,"end_line":34,"end_character":20},"updated":"2019-12-09 20:16:26.000000000","message":"/joins the","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_f9df2d64","line":34,"range":{"start_line":34,"start_character":35,"end_line":34,"end_character":50},"updated":"2019-12-09 20:16:26.000000000","message":"We should explain why we chose this address - it is the IPv6 
link-local equivalent of fe80:\"169.254.269.254\" - there\u0027s probably a more RFC-like way to say that.","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":6854,"name":"YAMAMOTO Takashi","email":"yamamoto@midokura.com","username":"yamamoto"},"change_message_id":"58ccdec67d2c4f897e1de504897412f0d38f9b07","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_6066f657","line":34,"range":{"start_line":34,"start_character":35,"end_line":34,"end_character":50},"updated":"2019-12-12 06:29:21.000000000","message":"please explain why this address is safe to use.","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed 
for"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_d9eb510f","line":34,"range":{"start_line":34,"start_character":0,"end_line":34,"end_character":8},"updated":"2019-12-09 20:16:26.000000000","message":"s/The metadata","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":13995,"name":"Nate Johnston","email":"nate.johnston@redhat.com","username":"natejohnston"},"change_message_id":"d05c0ce88621acfa7d178248e51103a564931711","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_af401608","line":34,"range":{"start_line":34,"start_character":15,"end_line":34,"end_character":20},"in_reply_to":"3fa7e38b_05835eac","updated":"2019-12-17 15:52:51.000000000","message":"I\u0027m not sure we can make the assumption that DNS is available and/or usable for this purpose in all deployments.  If it\u0027s possible to go with a reserved address that solves a number of issues.  
For example, if an operator was hypothetically concerned about DNS spoofing then using the IP would be a must; I have worked in environments where that was the case.","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"eff9b3fb898862c7e292273d23026c1ba726bf3c","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_aff25604","line":34,"range":{"start_line":34,"start_character":15,"end_line":34,"end_character":20},"in_reply_to":"3fa7e38b_05835eac","updated":"2019-12-17 15:51:46.000000000","message":"Sure, we can ask about it but I\u0027m now looking at https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml and comparing it to https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml and on this ipv4 special registry page there is only 169.254/16 mentioned as link-local class.
It\u0027s the same for ipv6 already.\nSo I don\u0027t think we will need anything else here.","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"8266a6ac621b2cebc718cce21b93d41a3a07fada","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_7ad45dbb","line":34,"range":{"start_line":34,"start_character":35,"end_line":34,"end_character":50},"in_reply_to":"3fa7e38b_6066f657","updated":"2019-12-12 14:01:09.000000000","message":"Yamamoto - yes, it gets back to a comment I made years ago when we were looking at this.  
We would need to go to the IETF and request it be reserved for this purpose","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_99c1fd00","line":34,"range":{"start_line":34,"start_character":35,"end_line":34,"end_character":50},"in_reply_to":"3fa7e38b_75bf8efb","updated":"2019-12-16 12:16:00.000000000","message":"@Brian: do we really need to ask them for reservation of this IP?\nAccording to https://tools.ietf.org/html/rfc3927 169.254/16 is IPv4 link-local subnet. 
Proposed here fe80::a9fe:a9fe is its equivalent in IPv6 link-local subnet (FE80::/10 according to https://tools.ietf.org/html/rfc4291) so I think we should be fine to use it for that purpose, no?","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_b9a079a6","line":34,"range":{"start_line":34,"start_character":15,"end_line":34,"end_character":20},"in_reply_to":"3fa7e38b_79ec9d27","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"dab48f134a502613540faa5f1a80f490194bac74","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall
rule, that redirects traffic directed for"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_75bf8efb","line":34,"range":{"start_line":34,"start_character":35,"end_line":34,"end_character":50},"in_reply_to":"3fa7e38b_7ad45dbb","updated":"2019-12-12 14:32:55.000000000","message":"How about using address like:  0:0:0:0:0:ffff:a9fe:a9fe  according to https://tools.ietf.org/html/rfc4291#section-2.5.5 ? Or did I misunderstand something there?","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"9557392871d4fdec399c7aebbcb690a1f8631d6f","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_05835eac","line":34,"range":{"start_line":34,"start_character":15,"end_line":34,"end_character":20},"in_reply_to":"3fa7e38b_b9a079a6","updated":"2019-12-16 15:44:35.000000000","message":"Slawek - I don\u0027t know if it\u0027s required, but it\u0027s good practice, https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml\n\nI guess for IPv4 we just use something in the 169.254.0.0/16 space, which is registered as reserved, so maybe I\u0027m over-thinking it.\n\nWe could just as easily add \u0027metadata\u0027 (or metadata.$domain) in DNS and have the instance resolve it, which we\u0027ve talked about in other discussions.
We have to move forward with something though...","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_59a5c5b3","line":34,"range":{"start_line":34,"start_character":0,"end_line":34,"end_character":8},"in_reply_to":"3fa7e38b_d9eb510f","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"proposed anycast IP (fe80::a9fe:a9fe) to Metadata proxy 
port."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_19dd696c","line":35,"range":{"start_line":35,"start_character":40,"end_line":35,"end_character":46},"updated":"2019-12-09 20:16:26.000000000","message":"s/inside a","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":32,"context_line":"Metadata proxy listens on dual-stack socket (::)."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"proposed anycast IP (fe80::a9fe:a9fe) to Metadata proxy port."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_f995913e","line":35,"range":{"start_line":35,"start_character":40,"end_line":35,"end_character":46},"in_reply_to":"3fa7e38b_19dd696c","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed 
for"},{"line_number":38,"context_line":"proposed anycast IP (fe80::a9fe:a9fe) to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_b9cf75b1","line":37,"range":{"start_line":37,"start_character":0,"end_line":37,"end_character":4},"updated":"2019-12-09 20:16:26.000000000","message":"s/The DHCP","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"proposed anycast IP (fe80::a9fe:a9fe) to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_79c57d8f","line":37,"range":{"start_line":37,"start_character":23,"end_line":37,"end_character":27},"updated":"2019-12-09 20:16:26.000000000","message":"s/adds a","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because 
it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"proposed anycast IP (fe80::a9fe:a9fe) to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_99849d10","line":37,"range":{"start_line":37,"start_character":23,"end_line":37,"end_character":27},"in_reply_to":"3fa7e38b_79c57d8f","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":34,"context_line":"Metadata proxy joins anycast group fe80::a9fe:a9fe  on all available interfaces"},{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"proposed anycast IP (fe80::a9fe:a9fe) to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_b9895926","line":37,"range":{"start_line":37,"start_character":0,"end_line":37,"end_character":4},"in_reply_to":"3fa7e38b_b9cf75b1","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian 
Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"proposed anycast IP (fe80::a9fe:a9fe) to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."},{"line_number":41,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_39c3858c","line":38,"range":{"start_line":38,"start_character":38,"end_line":38,"end_character":41},"updated":"2019-12-09 20:16:26.000000000","message":"s/to the","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":35,"context_line":"(It is OK do do so because it\u0027s running inside namespace)."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"proposed anycast IP (fe80::a9fe:a9fe) to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."},{"line_number":41,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_597e251c","line":38,"range":{"start_line":38,"start_character":38,"end_line":38,"end_character":41},"in_reply_to":"3fa7e38b_39c3858c","updated":"2019-12-16 
12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"proposed anycast IP (fe80::a9fe:a9fe) to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_793a5d97","line":40,"range":{"start_line":40,"start_character":0,"end_line":40,"end_character":2},"updated":"2019-12-09 20:16:26.000000000","message":"s/The VM\n\nWe should mention this address needs to be configured in cloud-init in (new) images that get created.","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":37,"context_line":"DHCP agent or L3 agent adds firewall rule, that redirects traffic directed for"},{"line_number":38,"context_line":"proposed anycast IP (fe80::a9fe:a9fe) to Metadata proxy port."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and 
source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_199d0d58","line":40,"range":{"start_line":40,"start_character":0,"end_line":40,"end_character":2},"in_reply_to":"3fa7e38b_793a5d97","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Metadata service, instead of using VM IP, uses \"VM MAC\" and \"Gateway MAC\" to identify"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_59452114","line":42,"range":{"start_line":42,"start_character":30,"end_line":42,"end_character":37},"updated":"2019-12-09 20:16:26.000000000","message":"s/a request","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata 
service."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Metadata service, instead of using VM IP, uses \"VM MAC\" and \"Gateway MAC\" to identify"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_f94ded3b","line":42,"range":{"start_line":42,"start_character":50,"end_line":42,"end_character":52},"updated":"2019-12-09 20:16:26.000000000","message":"s/the L2","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Metadata service, instead of using VM IP, uses \"VM MAC\" and \"Gateway MAC\" to identify"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_993f1985","line":42,"range":{"start_line":42,"start_character":5,"end_line":42,"end_character":13},"updated":"2019-12-09 20:16:26.000000000","message":"s/the metadata","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and 
source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Metadata service, instead of using VM IP, uses \"VM MAC\" and \"Gateway MAC\" to identify"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_399a4960","line":42,"range":{"start_line":42,"start_character":30,"end_line":42,"end_character":37},"in_reply_to":"3fa7e38b_59452114","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Metadata service, instead of using VM IP, uses \"VM MAC\" and \"Gateway MAC\" to identify"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_f9a3519a","line":42,"range":{"start_line":42,"start_character":5,"end_line":42,"end_character":13},"in_reply_to":"3fa7e38b_993f1985","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata 
service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Metadata service, instead of using VM IP, uses \"VM MAC\" and \"Gateway MAC\" to identify"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_b9b719d8","line":42,"range":{"start_line":42,"start_character":50,"end_line":42,"end_character":52},"in_reply_to":"3fa7e38b_f94ded3b","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Metadata service, instead of using VM IP, uses \"VM MAC\" and \"Gateway MAC\" to identify"},{"line_number":46,"context_line":"instance."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_79533ddf","line":43,"range":{"start_line":42,"start_character":75,"end_line":43,"end_character":9},"updated":"2019-12-09 20:16:26.000000000","message":"I don\u0027t understand what \"source interface\" means.  
It seems to be implying it\u0027s from the perspective of the instance?","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Metadata service, instead of using VM IP, uses \"VM MAC\" and \"Gateway MAC\" to identify"},{"line_number":46,"context_line":"instance."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_194b2928","line":43,"range":{"start_line":43,"start_character":24,"end_line":43,"end_character":25},"updated":"2019-12-09 20:16:26.000000000","message":"s/to the","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"907223a693fb368c2304a05aa21e8e0cdb047f64","unresolved":false,"context_lines":[{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Metadata service, instead of using VM IP, uses \"VM MAC\" and \"Gateway MAC\" to 
identify"},{"line_number":46,"context_line":"instance."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_dfa3dc9a","line":43,"range":{"start_line":42,"start_character":75,"end_line":43,"end_character":9},"in_reply_to":"3fa7e38b_18cf6757","updated":"2019-12-16 06:41:29.000000000","message":"(copying Dmitry Bilunov\u0027s comment in the cover comment to make it easier to track the discussion)\n\nIf you enable IPv6 on an interface, it would get two IPv6 addresses; one for link-local connectivity (auto-generated from MAC using EUI-64) and another router address for everything else (which is usually referred to as \"VM IP\"). That other address is usually configured using either autoconf (by kernel processing the RA from the router), or by DHCPv6 client. If you attempt to make a connection to a link-local address (such as the proposed address of the metadata service, fe80::a9fe:a9fe%eth0), it would originate from the link-local address of the interface. So the metadata service would get a packet with VM\u0027s MAC in L2 and EUI-64\u0027ed VM\u0027s MAC in L3, never seeing a normal \"VM IP\" in L3.","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Metadata service, instead of using VM IP, uses \"VM MAC\" and \"Gateway MAC\" to 
identify"},{"line_number":46,"context_line":"instance."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_19c66d4c","line":43,"range":{"start_line":43,"start_character":24,"end_line":43,"end_character":25},"in_reply_to":"3fa7e38b_194b2928","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"8b2084b2a251901c68c19dbe8c0ebbd77e057cfd","unresolved":false,"context_lines":[{"line_number":39,"context_line":""},{"line_number":40,"context_line":"VM uses address fe80::a9fe:a9fe to access Metadata service."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Metadata service, instead of using VM IP, uses \"VM MAC\" and \"Gateway MAC\" to identify"},{"line_number":46,"context_line":"instance."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_18cf6757","line":43,"range":{"start_line":42,"start_character":75,"end_line":43,"end_character":9},"in_reply_to":"3fa7e38b_79533ddf","updated":"2019-12-13 03:07:05.000000000","message":"Why do we need to use an L2 address of a VM? Could you explain in more detail why the proposed logic is needed?\n\nAs of now, in case of IPv4, the metadata agent resolves an instance ID and its tenant ID based on (remote address of VM, network ID, router ID). 
I would like to know how the current logic does not work in case of IPv6.","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Metadata service, instead of using VM IP, uses \"VM MAC\" and \"Gateway MAC\" to identify"},{"line_number":46,"context_line":"instance."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"References"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_995879f9","line":45,"range":{"start_line":45,"start_character":0,"end_line":45,"end_character":8},"updated":"2019-12-09 20:16:26.000000000","message":"s/The metadata","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Metadata service, instead of using VM IP, uses \"VM MAC\" and \"Gateway MAC\" to 
identify"},{"line_number":46,"context_line":"instance."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"References"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_596e8196","line":45,"range":{"start_line":45,"start_character":35,"end_line":45,"end_character":37},"updated":"2019-12-09 20:16:26.000000000","message":"s/the VM","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Metadata service, instead of using VM IP, uses \"VM MAC\" and \"Gateway MAC\" to identify"},{"line_number":46,"context_line":"instance."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"References"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_f9ea719e","line":45,"range":{"start_line":45,"start_character":35,"end_line":45,"end_character":37},"in_reply_to":"3fa7e38b_596e8196","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":42,"context_line":"When Metadata proxy processes request, it gathers L2 addresses of a VM and source"},{"line_number":43,"context_line":"interface and passes it to Metadata service."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Metadata service, instead of using VM IP, uses \"VM MAC\" and \"Gateway MAC\" to 
identify"},{"line_number":46,"context_line":"instance."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"References"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_19674d55","line":45,"range":{"start_line":45,"start_character":0,"end_line":45,"end_character":8},"in_reply_to":"3fa7e38b_995879f9","updated":"2019-12-16 12:16:00.000000000","message":"Done","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7da13dc11027d2f85b4bac0f40e752cf8e4b59c3","unresolved":false,"context_lines":[{"line_number":43,"context_line":"interface and passes it to Metadata service."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Metadata service, instead of using VM IP, uses \"VM MAC\" and \"Gateway MAC\" to identify"},{"line_number":46,"context_line":"instance."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"References"},{"line_number":49,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_19f9e9c3","line":46,"updated":"2019-12-09 20:16:26.000000000","message":"So we would use the gateway MAC from the dhcp or router namespace?  
Why can\u0027t we use the VM link-local IPv6 address?\n\nAlso, any changes to what we send to the Nova metadata  service has implications for that as well, so we would need to work with them on this, to make sure we pass enough information to identify the correct instance.","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f5e0d220e4fb5f88ebfbf7fa4a88fdf0bd8ebe56","unresolved":false,"context_lines":[{"line_number":43,"context_line":"interface and passes it to Metadata service."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Metadata service, instead of using VM IP, uses \"VM MAC\" and \"Gateway MAC\" to identify"},{"line_number":46,"context_line":"instance."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"References"},{"line_number":49,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_99257d19","line":46,"in_reply_to":"3fa7e38b_19f9e9c3","updated":"2019-12-16 12:16:00.000000000","message":"As long as we will be able to determine vm id (device_id in port\u0027s attributes) and we can send it to nova, I don\u0027t think any changes on nova\u0027s side would be required.","commit_id":"23eaead1200733f6393f737f1a192171d754abcd"},{"author":{"_account_id":24791,"name":"Maciej Jozefczyk","email":"jeicam.pl@gmail.com","username":"maciej.jozefczyk"},"change_message_id":"78e7c7d774ccc7443b4fa8cd487e6acb42fe2e82","unresolved":false,"context_lines":[{"line_number":33,"context_line":"The metadata proxy listens on a dual-stack socket (::)."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"In case of IPv4 the metadata proxy uses IP address 169.254.169.254 which belongs"},{"line_number":36,"context_line":"to the IPv4 link-local subnet (169.254/16 according to 
[1])"},{"line_number":37,"context_line":"So in case of IPv6 the metadata proxy joins the anycast group fe80::a9fe:a9fe on"},{"line_number":38,"context_line":"all available interfaces."},{"line_number":39,"context_line":"The fe80::a9fe:a9fe IP address is equivalent of 169.254.169.254 in IPv6"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1fa4df85_6769731f","line":36,"range":{"start_line":36,"start_character":31,"end_line":36,"end_character":41},"updated":"2020-03-04 12:12:22.000000000","message":"169.254.0.0/16","commit_id":"5d9aaeabb4ad9060f4d054f5918637083f2659f5"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"5479a1fef3c3d2ac0bf259bc0512c5439bac7248","unresolved":false,"context_lines":[{"line_number":33,"context_line":"The metadata proxy listens on a dual-stack socket (::)."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"In case of IPv4 the metadata proxy uses IP address 169.254.169.254 which belongs"},{"line_number":36,"context_line":"to the IPv4 link-local subnet (169.254/16 according to [1])"},{"line_number":37,"context_line":"So in case of IPv6 the metadata proxy joins the anycast group fe80::a9fe:a9fe on"},{"line_number":38,"context_line":"all available interfaces."},{"line_number":39,"context_line":"The fe80::a9fe:a9fe IP address is equivalent of 169.254.169.254 in IPv6"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1fa4df85_262b1831","line":36,"range":{"start_line":36,"start_character":31,"end_line":36,"end_character":41},"in_reply_to":"1fa4df85_6769731f","updated":"2020-03-11 09:44:57.000000000","message":"Done","commit_id":"5d9aaeabb4ad9060f4d054f5918637083f2659f5"},{"author":{"_account_id":8313,"name":"Lajos Katona","display_name":"lajoskatona","email":"katonalala@gmail.com","username":"elajkat","status":"Ericsson Software 
Technology"},"change_message_id":"fc5256558cebf6a6732d4368a6e7e2388f3e4115","unresolved":false,"context_lines":[{"line_number":37,"context_line":"So in case of IPv6 the metadata proxy joins the anycast group fe80::a9fe:a9fe on"},{"line_number":38,"context_line":"all available interfaces."},{"line_number":39,"context_line":"The fe80::a9fe:a9fe IP address is equivalent of 169.254.169.254 in IPv6"},{"line_number":40,"context_line":"link-local subnet which is fe80::/10 according to [1]."},{"line_number":41,"context_line":"It is fine to do so because it\u0027s running inside the router or dhcp namespace."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"The DHCP agent or L3 agent adds a firewall rule, that redirects traffic directed"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1fa4df85_896a6fea","line":40,"range":{"start_line":40,"start_character":50,"end_line":40,"end_character":53},"updated":"2020-03-05 11:15:58.000000000","message":"[2] I suppose","commit_id":"5d9aaeabb4ad9060f4d054f5918637083f2659f5"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"5479a1fef3c3d2ac0bf259bc0512c5439bac7248","unresolved":false,"context_lines":[{"line_number":37,"context_line":"So in case of IPv6 the metadata proxy joins the anycast group fe80::a9fe:a9fe on"},{"line_number":38,"context_line":"all available interfaces."},{"line_number":39,"context_line":"The fe80::a9fe:a9fe IP address is equivalent of 169.254.169.254 in IPv6"},{"line_number":40,"context_line":"link-local subnet which is fe80::/10 according to [1]."},{"line_number":41,"context_line":"It is fine to do so because it\u0027s running inside the router or dhcp namespace."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"The DHCP agent or L3 agent adds a firewall rule, that redirects traffic 
directed"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1fa4df85_c61fa407","line":40,"range":{"start_line":40,"start_character":50,"end_line":40,"end_character":53},"in_reply_to":"1fa4df85_896a6fea","updated":"2020-03-11 09:44:57.000000000","message":"Done","commit_id":"5d9aaeabb4ad9060f4d054f5918637083f2659f5"},{"author":{"_account_id":24791,"name":"Maciej Jozefczyk","email":"jeicam.pl@gmail.com","username":"maciej.jozefczyk"},"change_message_id":"78e7c7d774ccc7443b4fa8cd487e6acb42fe2e82","unresolved":false,"context_lines":[{"line_number":50,"context_line":"When the metadata proxy processes a request, it gathers the L2 addresses of a VM"},{"line_number":51,"context_line":"and source interface and passes it to the metadata service."},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"The metadata service, instead of using the VM IP, uses \"VM MAC\" and \"Gateway"},{"line_number":54,"context_line":"MAC\" to identify instance."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"References"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1fa4df85_678093c1","line":53,"range":{"start_line":53,"start_character":4,"end_line":53,"end_character":12},"updated":"2020-03-04 12:12:22.000000000","message":"Metadata","commit_id":"5d9aaeabb4ad9060f4d054f5918637083f2659f5"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"5479a1fef3c3d2ac0bf259bc0512c5439bac7248","unresolved":false,"context_lines":[{"line_number":50,"context_line":"When the metadata proxy processes a request, it gathers the L2 addresses of a VM"},{"line_number":51,"context_line":"and source interface and passes it to the metadata service."},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"The metadata service, instead of using the VM IP, uses \"VM MAC\" and \"Gateway"},{"line_number":54,"context_line":"MAC\" to identify 
instance."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"References"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1fa4df85_e61c2015","line":53,"range":{"start_line":53,"start_character":4,"end_line":53,"end_character":12},"in_reply_to":"1fa4df85_678093c1","updated":"2020-03-11 09:44:57.000000000","message":"Done","commit_id":"5d9aaeabb4ad9060f4d054f5918637083f2659f5"},{"author":{"_account_id":8313,"name":"Lajos Katona","display_name":"lajoskatona","email":"katonalala@gmail.com","username":"elajkat","status":"Ericsson Software Technology"},"change_message_id":"fc5256558cebf6a6732d4368a6e7e2388f3e4115","unresolved":false,"context_lines":[{"line_number":57,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"[1] https://tools.ietf.org/html/rfc3927"},{"line_number":60,"context_line":"[1] https://tools.ietf.org/html/rfc4291"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1fa4df85_c964e724","line":60,"range":{"start_line":60,"start_character":0,"end_line":60,"end_character":3},"updated":"2020-03-05 11:15:58.000000000","message":"[2]","commit_id":"5d9aaeabb4ad9060f4d054f5918637083f2659f5"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"5479a1fef3c3d2ac0bf259bc0512c5439bac7248","unresolved":false,"context_lines":[{"line_number":57,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"[1] https://tools.ietf.org/html/rfc3927"},{"line_number":60,"context_line":"[1] https://tools.ietf.org/html/rfc4291"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1fa4df85_8619ac23","line":60,"range":{"start_line":60,"start_character":0,"end_line":60,"end_character":3},"in_reply_to":"1fa4df85_c964e724","updated":"2020-03-11 
09:44:57.000000000","message":"Done","commit_id":"5d9aaeabb4ad9060f4d054f5918637083f2659f5"},{"author":{"_account_id":15554,"name":"Bence Romsics","email":"bence.romsics@gmail.com","username":"ebenrom","status":"working for Ericsson, UTC+1 (+DST)"},"change_message_id":"f708ae96c636c84b53c52cbfcab61d8c2d60b0a0","unresolved":false,"context_lines":[{"line_number":25,"context_line":"unknown for Neutron and can\u0027t be used for instance identification."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Proposed Change"},{"line_number":28,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"The metadata proxy starts unconditionally when a network is assigned to a DHCP"},{"line_number":31,"context_line":"agent or L3 router."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_c4e64ee9","line":28,"updated":"2020-03-18 16:01:07.000000000","message":"Before starting to work with the implementation, I wanted to test a metadata-like request manually in my devstack. Here\u0027s an etherpad showing that test in a dhcp namespace:\n\nhttps://etherpad.openstack.org/p/metadata-ipv6-model\n\nThe test worked. 
Please comment here or there, if you\u0027d do anything differently.\n\nI also want to reproduce the same in a router namespace, but I don\u0027t have that yet.","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"78cf8ae2af0c1fb5befe30e41f8216ce04143a46","unresolved":false,"context_lines":[{"line_number":25,"context_line":"unknown for Neutron and can\u0027t be used for instance identification."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Proposed Change"},{"line_number":28,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"The metadata proxy starts unconditionally when a network is assigned to a DHCP"},{"line_number":31,"context_line":"agent or L3 router."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_86fa7f72","line":28,"in_reply_to":"1fa4df85_c4e64ee9","updated":"2020-03-19 21:16:06.000000000","message":"thx for this PoC :)","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":15554,"name":"Bence Romsics","email":"bence.romsics@gmail.com","username":"ebenrom","status":"working for Ericsson, UTC+1 (+DST)"},"change_message_id":"f708ae96c636c84b53c52cbfcab61d8c2d60b0a0","unresolved":false,"context_lines":[{"line_number":34,"context_line":""},{"line_number":35,"context_line":"In case of IPv4 the metadata proxy uses IP address 169.254.169.254 which belongs"},{"line_number":36,"context_line":"to the IPv4 link-local subnet (169.254.0.0/16 according to [1])"},{"line_number":37,"context_line":"So in case of IPv6 the metadata proxy joins the anycast group fe80::a9fe:a9fe on"},{"line_number":38,"context_line":"all available interfaces."},{"line_number":39,"context_line":"The fe80::a9fe:a9fe IP address is equivalent of 169.254.169.254 in 
IPv6"},{"line_number":40,"context_line":"link-local subnet which is fe80::/10 according to [2]."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_e4026a6f","line":37,"range":{"start_line":37,"start_character":48,"end_line":37,"end_character":61},"updated":"2020-03-18 16:01:07.000000000","message":"I think I get what we mean by \u0027anycast group\u0027 here, but since a link-local address is never really routed, I\u0027m not sure if this is technically anycast.","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":15554,"name":"Bence Romsics","email":"bence.romsics@gmail.com","username":"ebenrom","status":"working for Ericsson, UTC+1 (+DST)"},"change_message_id":"f708ae96c636c84b53c52cbfcab61d8c2d60b0a0","unresolved":false,"context_lines":[{"line_number":40,"context_line":"link-local subnet which is fe80::/10 according to [2]."},{"line_number":41,"context_line":"It is fine to do so because it\u0027s running inside the router or dhcp namespace."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"The DHCP agent or L3 agent adds a firewall rule, that redirects traffic directed"},{"line_number":44,"context_line":"for proposed anycast IP (fe80::a9fe:a9fe) to the metadata proxy port."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"The VM uses address fe80::a9fe:a9fe to access Metadata service. Software like"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_c4340e4d","line":43,"range":{"start_line":43,"start_character":34,"end_line":43,"end_character":71},"updated":"2020-03-18 16:01:07.000000000","message":"Why do we need to redirect anything (I guess redirect means a DNAT rule)? 
In the etherpad linked above I needed nothing like that.","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"78cf8ae2af0c1fb5befe30e41f8216ce04143a46","unresolved":false,"context_lines":[{"line_number":40,"context_line":"link-local subnet which is fe80::/10 according to [2]."},{"line_number":41,"context_line":"It is fine to do so because it\u0027s running inside the router or dhcp namespace."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"The DHCP agent or L3 agent adds a firewall rule, that redirects traffic directed"},{"line_number":44,"context_line":"for proposed anycast IP (fe80::a9fe:a9fe) to the metadata proxy port."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"The VM uses address fe80::a9fe:a9fe to access Metadata service. Software like"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_261aabcb","line":43,"range":{"start_line":43,"start_character":34,"end_line":43,"end_character":71},"in_reply_to":"1fa4df85_c4340e4d","updated":"2020-03-19 21:16:06.000000000","message":"For DHCP agent it is indeed simply configured on tapXXX interface but in case of L3 agent this metadata IP is configured as REDIRECT in iptables:\n\n-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697\n\nI updated this part.","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"71de283a2e1ccebb7f92589410c4069653cd3ea2","unresolved":false,"context_lines":[{"line_number":57,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"As this new IPv6 address 
proposed for metadata service isn\u0027t currently used by"},{"line_number":60,"context_line":"any other cloud provider, we need to updated our documentation to make it very"},{"line_number":61,"context_line":"clear what IPv6 address is used by metadata service and how to configure it in"},{"line_number":62,"context_line":"at least most popular metadata consumer which is ``cloud-init``."},{"line_number":63,"context_line":"In case of ``cloud-init`` this new IP address can be set using ``metadata_urls``"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_d86e3d95","line":60,"range":{"start_line":60,"start_character":37,"end_line":60,"end_character":44},"updated":"2020-03-17 19:01:46.000000000","message":"s/update","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"78cf8ae2af0c1fb5befe30e41f8216ce04143a46","unresolved":false,"context_lines":[{"line_number":57,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"As this new IPv6 address proposed for metadata service isn\u0027t currently used by"},{"line_number":60,"context_line":"any other cloud provider, we need to updated our documentation to make it very"},{"line_number":61,"context_line":"clear what IPv6 address is used by metadata service and how to configure it in"},{"line_number":62,"context_line":"at least most popular metadata consumer which is ``cloud-init``."},{"line_number":63,"context_line":"In case of ``cloud-init`` this new IP address can be set using ``metadata_urls``"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_e60fb385","line":60,"range":{"start_line":60,"start_character":37,"end_line":60,"end_character":44},"in_reply_to":"1fa4df85_d86e3d95","updated":"2020-03-19 
21:16:06.000000000","message":"Done","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"71de283a2e1ccebb7f92589410c4069653cd3ea2","unresolved":false,"context_lines":[{"line_number":59,"context_line":"As this new IPv6 address proposed for metadata service isn\u0027t currently used by"},{"line_number":60,"context_line":"any other cloud provider, we need to updated our documentation to make it very"},{"line_number":61,"context_line":"clear what IPv6 address is used by metadata service and how to configure it in"},{"line_number":62,"context_line":"at least most popular metadata consumer which is ``cloud-init``."},{"line_number":63,"context_line":"In case of ``cloud-init`` this new IP address can be set using ``metadata_urls``"},{"line_number":64,"context_line":"config option [3]."},{"line_number":65,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_786dc996","line":62,"range":{"start_line":62,"start_character":9,"end_line":62,"end_character":13},"updated":"2020-03-17 19:01:46.000000000","message":"a/the most","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"78cf8ae2af0c1fb5befe30e41f8216ce04143a46","unresolved":false,"context_lines":[{"line_number":59,"context_line":"As this new IPv6 address proposed for metadata service isn\u0027t currently used by"},{"line_number":60,"context_line":"any other cloud provider, we need to updated our documentation to make it very"},{"line_number":61,"context_line":"clear what IPv6 address is used by metadata service and how to configure it in"},{"line_number":62,"context_line":"at least most popular metadata consumer which is ``cloud-init``."},{"line_number":63,"context_line":"In case of ``cloud-init`` this new IP address can be set using 
``metadata_urls``"},{"line_number":64,"context_line":"config option [3]."},{"line_number":65,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_267f0be1","line":62,"range":{"start_line":62,"start_character":9,"end_line":62,"end_character":13},"in_reply_to":"1fa4df85_786dc996","updated":"2020-03-19 21:16:06.000000000","message":"Done","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"71de283a2e1ccebb7f92589410c4069653cd3ea2","unresolved":false,"context_lines":[{"line_number":60,"context_line":"any other cloud provider, we need to updated our documentation to make it very"},{"line_number":61,"context_line":"clear what IPv6 address is used by metadata service and how to configure it in"},{"line_number":62,"context_line":"at least most popular metadata consumer which is ``cloud-init``."},{"line_number":63,"context_line":"In case of ``cloud-init`` this new IP address can be set using ``metadata_urls``"},{"line_number":64,"context_line":"config option [3]."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"In the future we can update cloud-init\u0027s code to make this IPv6 address to be"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_58080dd8","line":63,"range":{"start_line":63,"start_character":3,"end_line":63,"end_character":7},"updated":"2020-03-17 19:01:46.000000000","message":"s/the case","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"78cf8ae2af0c1fb5befe30e41f8216ce04143a46","unresolved":false,"context_lines":[{"line_number":60,"context_line":"any other cloud provider, we need to updated our documentation to make it very"},{"line_number":61,"context_line":"clear what IPv6 address is used by metadata service and how to 
configure it in"},{"line_number":62,"context_line":"at least most popular metadata consumer which is ``cloud-init``."},{"line_number":63,"context_line":"In case of ``cloud-init`` this new IP address can be set using ``metadata_urls``"},{"line_number":64,"context_line":"config option [3]."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"In the future we can update cloud-init\u0027s code to make this IPv6 address to be"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_c658778b","line":63,"range":{"start_line":63,"start_character":3,"end_line":63,"end_character":7},"in_reply_to":"1fa4df85_58080dd8","updated":"2020-03-19 21:16:06.000000000","message":"Done","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":22584,"name":"Tomislav Sukser","email":"tomislav.sukser@telekom.de","username":"tsukser"},"change_message_id":"3e6f97c9cbe95310db34d7af3f63867650bab371","unresolved":false,"context_lines":[{"line_number":61,"context_line":"clear what IPv6 address is used by metadata service and how to configure it in"},{"line_number":62,"context_line":"at least most popular metadata consumer which is ``cloud-init``."},{"line_number":63,"context_line":"In case of ``cloud-init`` this new IP address can be set using ``metadata_urls``"},{"line_number":64,"context_line":"config option [3]."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"In the future we can update cloud-init\u0027s code to make this IPv6 address to be"},{"line_number":67,"context_line":"one of the default IPs used by cloud-init\u0027s OpenStack DS."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_329bfc66","line":64,"updated":"2020-03-17 09:58:15.000000000","message":"How would one specify generic interface name in metadata_urls for fe80:: address? Address http://fe80::a9fe:a9fe/ needs to look like: http://fe80::a9fe:a9fe%interface_name/. 
And interface name might not be always eth0.","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":19560,"name":"Dmitry Bilunov","email":"kmeaw@kmeaw.com","username":"dbilunov"},"change_message_id":"ac56ba0d55da303c1fa672a9230b790d74712f65","unresolved":false,"context_lines":[{"line_number":61,"context_line":"clear what IPv6 address is used by metadata service and how to configure it in"},{"line_number":62,"context_line":"at least most popular metadata consumer which is ``cloud-init``."},{"line_number":63,"context_line":"In case of ``cloud-init`` this new IP address can be set using ``metadata_urls``"},{"line_number":64,"context_line":"config option [3]."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"In the future we can update cloud-init\u0027s code to make this IPv6 address to be"},{"line_number":67,"context_line":"one of the default IPs used by cloud-init\u0027s OpenStack DS."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_b2284c97","line":64,"in_reply_to":"1fa4df85_329bfc66","updated":"2020-03-17 10:15:34.000000000","message":"http://[fe80::a9fe:a9fe%25eth0]/ see rfc6874 for more details","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":22584,"name":"Tomislav Sukser","email":"tomislav.sukser@telekom.de","username":"tsukser"},"change_message_id":"b72cab0503f5c118e1d5938efe40f19c20478cf7","unresolved":false,"context_lines":[{"line_number":61,"context_line":"clear what IPv6 address is used by metadata service and how to configure it in"},{"line_number":62,"context_line":"at least most popular metadata consumer which is ``cloud-init``."},{"line_number":63,"context_line":"In case of ``cloud-init`` this new IP address can be set using ``metadata_urls``"},{"line_number":64,"context_line":"config option [3]."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"In the future we can update cloud-init\u0027s code to make this IPv6 address to 
be"},{"line_number":67,"context_line":"one of the default IPs used by cloud-init\u0027s OpenStack DS."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_14d31062","line":64,"in_reply_to":"1fa4df85_86db5feb","updated":"2020-03-20 08:36:51.000000000","message":"I don\u0027t see a problem in iterating through available interfaces on the system and using link-local address, which can be done in cloud-init code, but this wouldn\u0027t work for described workaround / interim period, if I understood the intention correctly.","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"78cf8ae2af0c1fb5befe30e41f8216ce04143a46","unresolved":false,"context_lines":[{"line_number":61,"context_line":"clear what IPv6 address is used by metadata service and how to configure it in"},{"line_number":62,"context_line":"at least most popular metadata consumer which is ``cloud-init``."},{"line_number":63,"context_line":"In case of ``cloud-init`` this new IP address can be set using ``metadata_urls``"},{"line_number":64,"context_line":"config option [3]."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"In the future we can update cloud-init\u0027s code to make this IPv6 address to be"},{"line_number":67,"context_line":"one of the default IPs used by cloud-init\u0027s OpenStack DS."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_86db5feb","line":64,"in_reply_to":"1fa4df85_a450f25f","updated":"2020-03-19 21:16:06.000000000","message":"In most cases it will be the first interface which is plugged to the VM, so this discovery shouldn\u0027t be hard IMO. But later we can maybe propose, as Bence suggested, new datasource for cloud-init and add some kind of discovery of the interface in it.","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":13252,"name":"Dr. 
Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"ae4e4ecf8e0a8fd2fd42acb948b48b8b73d86a30","unresolved":false,"context_lines":[{"line_number":61,"context_line":"clear what IPv6 address is used by metadata service and how to configure it in"},{"line_number":62,"context_line":"at least most popular metadata consumer which is ``cloud-init``."},{"line_number":63,"context_line":"In case of ``cloud-init`` this new IP address can be set using ``metadata_urls``"},{"line_number":64,"context_line":"config option [3]."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"In the future we can update cloud-init\u0027s code to make this IPv6 address to be"},{"line_number":67,"context_line":"one of the default IPs used by cloud-init\u0027s OpenStack DS."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_2338863b","line":64,"in_reply_to":"1fa4df85_b2284c97","updated":"2020-03-17 20:17:32.000000000","message":"So that might indeed be an argument against using a link-local address, as it would force consumers like cloud-init to handle interface specifics instead of being able to just pull data from some generic source.","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":15554,"name":"Bence Romsics","email":"bence.romsics@gmail.com","username":"ebenrom","status":"working for Ericsson, UTC+1 (+DST)"},"change_message_id":"f708ae96c636c84b53c52cbfcab61d8c2d60b0a0","unresolved":false,"context_lines":[{"line_number":61,"context_line":"clear what IPv6 address is used by metadata service and how to configure it in"},{"line_number":62,"context_line":"at least most popular metadata consumer which is ``cloud-init``."},{"line_number":63,"context_line":"In case of ``cloud-init`` this new IP address can be set using ``metadata_urls``"},{"line_number":64,"context_line":"config option 
[3]."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"In the future we can update cloud-init\u0027s code to make this IPv6 address to be"},{"line_number":67,"context_line":"one of the default IPs used by cloud-init\u0027s OpenStack DS."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_a450f25f","line":64,"in_reply_to":"1fa4df85_b2284c97","updated":"2020-03-18 16:01:07.000000000","message":"Syntactically yes, this is right. But this also means we\u0027d have to predict guest-internal interface names when configuring cloud-init. That sounds impossible to do in a generic way.\n\nI guess one way to overcome the need for prediction would be to pass an incomplete address like http://[fe80::a9fe:a9fe], let cloud-init detect this and do some guest-internal discovery which interface should be appended.","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"71de283a2e1ccebb7f92589410c4069653cd3ea2","unresolved":false,"context_lines":[{"line_number":63,"context_line":"In case of ``cloud-init`` this new IP address can be set using ``metadata_urls``"},{"line_number":64,"context_line":"config option [3]."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"In the future we can update cloud-init\u0027s code to make this IPv6 address to be"},{"line_number":67,"context_line":"one of the default IPs used by cloud-init\u0027s OpenStack DS."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"References"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_d8f39de6","line":66,"range":{"start_line":66,"start_character":72,"end_line":66,"end_character":74},"updated":"2020-03-17 19:01:46.000000000","message":"d/to - just \u0027be\u0027","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":1131,"name":"Brian 
Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"71de283a2e1ccebb7f92589410c4069653cd3ea2","unresolved":false,"context_lines":[{"line_number":64,"context_line":"config option [3]."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"In the future we can update cloud-init\u0027s code to make this IPv6 address to be"},{"line_number":67,"context_line":"one of the default IPs used by cloud-init\u0027s OpenStack DS."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"References"},{"line_number":70,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_382e7143","line":67,"range":{"start_line":67,"start_character":54,"end_line":67,"end_character":56},"updated":"2020-03-17 19:01:46.000000000","message":"what is DS?","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"ae4e4ecf8e0a8fd2fd42acb948b48b8b73d86a30","unresolved":false,"context_lines":[{"line_number":64,"context_line":"config option [3]."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"In the future we can update cloud-init\u0027s code to make this IPv6 address to be"},{"line_number":67,"context_line":"one of the default IPs used by cloud-init\u0027s OpenStack DS."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"References"},{"line_number":70,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_e3f4ae89","line":67,"range":{"start_line":67,"start_character":54,"end_line":67,"end_character":56},"in_reply_to":"1fa4df85_382e7143","updated":"2020-03-17 20:17:32.000000000","message":"data-source I\u0027d 
say","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"78cf8ae2af0c1fb5befe30e41f8216ce04143a46","unresolved":false,"context_lines":[{"line_number":64,"context_line":"config option [3]."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"In the future we can update cloud-init\u0027s code to make this IPv6 address to be"},{"line_number":67,"context_line":"one of the default IPs used by cloud-init\u0027s OpenStack DS."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"References"},{"line_number":70,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1fa4df85_06968ff1","line":67,"range":{"start_line":67,"start_character":54,"end_line":67,"end_character":56},"in_reply_to":"1fa4df85_e3f4ae89","updated":"2020-03-19 21:16:06.000000000","message":"yes, exactly. 
I just updated it :)","commit_id":"3bbc32df3d8fec511ce57d658b8e1a5fc73c8f1c"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"843ac057027cd7aea27919ce5597268ca358bc3e","unresolved":false,"context_lines":[{"line_number":41,"context_line":"It is fine to do so because it\u0027s running inside the router or dhcp namespace."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"The L3 agent adds a firewall rule, that redirects traffic directed"},{"line_number":44,"context_line":"for proposed anycast IP (fe80::a9fe:a9fe) to the metadata proxy port."},{"line_number":45,"context_line":"In the case of the DHCP agent new IP address (fe80::a9fe:a9fe) will be"},{"line_number":46,"context_line":"configured the tap port which belongs to DHCP port, in same way like it is"},{"line_number":47,"context_line":"currenctly done for IPv4 address (169.254.169.254)."}],"source_content_type":"text/x-rst","patch_set":10,"id":"1fa4df85_61a5ed46","line":44,"range":{"start_line":44,"start_character":0,"end_line":44,"end_character":3},"updated":"2020-03-19 22:25:51.000000000","message":"s/for the","commit_id":"ad32cb8a574e896b0d84a16c35a21fd7b1dd5acb"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"843ac057027cd7aea27919ce5597268ca358bc3e","unresolved":false,"context_lines":[{"line_number":42,"context_line":""},{"line_number":43,"context_line":"The L3 agent adds a firewall rule, that redirects traffic directed"},{"line_number":44,"context_line":"for proposed anycast IP (fe80::a9fe:a9fe) to the metadata proxy port."},{"line_number":45,"context_line":"In the case of the DHCP agent new IP address (fe80::a9fe:a9fe) will be"},{"line_number":46,"context_line":"configured the tap port which belongs to DHCP port, in same way like it is"},{"line_number":47,"context_line":"currenctly done for IPv4 address 
(169.254.169.254)."},{"line_number":48,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"1fa4df85_216935f8","line":45,"range":{"start_line":45,"start_character":30,"end_line":45,"end_character":33},"updated":"2020-03-19 22:25:51.000000000","message":"s/a new","commit_id":"ad32cb8a574e896b0d84a16c35a21fd7b1dd5acb"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"843ac057027cd7aea27919ce5597268ca358bc3e","unresolved":false,"context_lines":[{"line_number":43,"context_line":"The L3 agent adds a firewall rule, that redirects traffic directed"},{"line_number":44,"context_line":"for proposed anycast IP (fe80::a9fe:a9fe) to the metadata proxy port."},{"line_number":45,"context_line":"In the case of the DHCP agent new IP address (fe80::a9fe:a9fe) will be"},{"line_number":46,"context_line":"configured the tap port which belongs to DHCP port, in same way like it is"},{"line_number":47,"context_line":"currenctly done for IPv4 address (169.254.169.254)."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"The VM uses address fe80::a9fe:a9fe to access Metadata service. 
Software like"}],"source_content_type":"text/x-rst","patch_set":10,"id":"1fa4df85_e1479d76","line":46,"range":{"start_line":46,"start_character":64,"end_line":46,"end_character":68},"updated":"2020-03-19 22:25:51.000000000","message":"d/like","commit_id":"ad32cb8a574e896b0d84a16c35a21fd7b1dd5acb"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"843ac057027cd7aea27919ce5597268ca358bc3e","unresolved":false,"context_lines":[{"line_number":43,"context_line":"The L3 agent adds a firewall rule, that redirects traffic directed"},{"line_number":44,"context_line":"for proposed anycast IP (fe80::a9fe:a9fe) to the metadata proxy port."},{"line_number":45,"context_line":"In the case of the DHCP agent new IP address (fe80::a9fe:a9fe) will be"},{"line_number":46,"context_line":"configured the tap port which belongs to DHCP port, in same way like it is"},{"line_number":47,"context_line":"currenctly done for IPv4 address (169.254.169.254)."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"The VM uses address fe80::a9fe:a9fe to access Metadata service. 
Software like"}],"source_content_type":"text/x-rst","patch_set":10,"id":"1fa4df85_c142a168","line":46,"range":{"start_line":46,"start_character":52,"end_line":46,"end_character":54},"updated":"2020-03-19 22:25:51.000000000","message":"s/in the","commit_id":"ad32cb8a574e896b0d84a16c35a21fd7b1dd5acb"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"843ac057027cd7aea27919ce5597268ca358bc3e","unresolved":false,"context_lines":[{"line_number":43,"context_line":"The L3 agent adds a firewall rule, that redirects traffic directed"},{"line_number":44,"context_line":"for proposed anycast IP (fe80::a9fe:a9fe) to the metadata proxy port."},{"line_number":45,"context_line":"In the case of the DHCP agent new IP address (fe80::a9fe:a9fe) will be"},{"line_number":46,"context_line":"configured the tap port which belongs to DHCP port, in same way like it is"},{"line_number":47,"context_line":"currenctly done for IPv4 address (169.254.169.254)."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"The VM uses address fe80::a9fe:a9fe to access Metadata service. 
Software like"}],"source_content_type":"text/x-rst","patch_set":10,"id":"1fa4df85_c16941f8","line":46,"range":{"start_line":46,"start_character":11,"end_line":46,"end_character":14},"updated":"2020-03-19 22:25:51.000000000","message":"s/on the","commit_id":"ad32cb8a574e896b0d84a16c35a21fd7b1dd5acb"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"843ac057027cd7aea27919ce5597268ca358bc3e","unresolved":false,"context_lines":[{"line_number":43,"context_line":"The L3 agent adds a firewall rule, that redirects traffic directed"},{"line_number":44,"context_line":"for proposed anycast IP (fe80::a9fe:a9fe) to the metadata proxy port."},{"line_number":45,"context_line":"In the case of the DHCP agent new IP address (fe80::a9fe:a9fe) will be"},{"line_number":46,"context_line":"configured the tap port which belongs to DHCP port, in same way like it is"},{"line_number":47,"context_line":"currenctly done for IPv4 address (169.254.169.254)."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"The VM uses address fe80::a9fe:a9fe to access Metadata service. 
Software like"}],"source_content_type":"text/x-rst","patch_set":10,"id":"1fa4df85_a17445d0","line":46,"range":{"start_line":46,"start_character":38,"end_line":46,"end_character":40},"updated":"2020-03-19 22:25:51.000000000","message":"s/to the","commit_id":"ad32cb8a574e896b0d84a16c35a21fd7b1dd5acb"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"843ac057027cd7aea27919ce5597268ca358bc3e","unresolved":false,"context_lines":[{"line_number":44,"context_line":"for proposed anycast IP (fe80::a9fe:a9fe) to the metadata proxy port."},{"line_number":45,"context_line":"In the case of the DHCP agent new IP address (fe80::a9fe:a9fe) will be"},{"line_number":46,"context_line":"configured the tap port which belongs to DHCP port, in same way like it is"},{"line_number":47,"context_line":"currenctly done for IPv4 address (169.254.169.254)."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"The VM uses address fe80::a9fe:a9fe to access Metadata service. Software like"},{"line_number":50,"context_line":"cloud-init used inside VMs have to be aware of this new IPv6 address. 
So images"}],"source_content_type":"text/x-rst","patch_set":10,"id":"1fa4df85_a15d2548","line":47,"range":{"start_line":47,"start_character":0,"end_line":47,"end_character":10},"updated":"2020-03-19 22:25:51.000000000","message":"s/currently","commit_id":"ad32cb8a574e896b0d84a16c35a21fd7b1dd5acb"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"843ac057027cd7aea27919ce5597268ca358bc3e","unresolved":false,"context_lines":[{"line_number":44,"context_line":"for proposed anycast IP (fe80::a9fe:a9fe) to the metadata proxy port."},{"line_number":45,"context_line":"In the case of the DHCP agent new IP address (fe80::a9fe:a9fe) will be"},{"line_number":46,"context_line":"configured the tap port which belongs to DHCP port, in same way like it is"},{"line_number":47,"context_line":"currenctly done for IPv4 address (169.254.169.254)."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"The VM uses address fe80::a9fe:a9fe to access Metadata service. Software like"},{"line_number":50,"context_line":"cloud-init used inside VMs have to be aware of this new IPv6 address. 
So images"}],"source_content_type":"text/x-rst","patch_set":10,"id":"1fa4df85_6153ad3a","line":47,"range":{"start_line":47,"start_character":16,"end_line":47,"end_character":19},"updated":"2020-03-19 22:25:51.000000000","message":"s/for the","commit_id":"ad32cb8a574e896b0d84a16c35a21fd7b1dd5acb"},{"author":{"_account_id":15554,"name":"Bence Romsics","email":"bence.romsics@gmail.com","username":"ebenrom","status":"working for Ericsson, UTC+1 (+DST)"},"change_message_id":"57467a96da48d173d9a1c757258bf55b7d0efee3","unresolved":false,"context_lines":[{"line_number":41,"context_line":"link-local subnet which is fe80::/10 according to [2]."},{"line_number":42,"context_line":"It is valid to do this because it is running inside a router or dhcp namespace."},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"The L3 agent will add a firewall rule that redirects traffic sent to"},{"line_number":45,"context_line":"the proposed anycast IP (fe80::a9fe:a9fe) to the metadata proxy port."},{"line_number":46,"context_line":"In the case of the DHCP agent, a new IP address (fe80::a9fe:a9fe) will be"},{"line_number":47,"context_line":"configured on the tap port which belongs to the DHCP agent, the same way it is"},{"line_number":48,"context_line":"currently done for the IPv4 address (169.254.169.254)."}],"source_content_type":"text/x-rst","patch_set":11,"id":"df33271e_df18d282","line":45,"range":{"start_line":44,"start_character":0,"end_line":45,"end_character":69},"updated":"2020-03-24 13:50:05.000000000","message":"I was trying to do the PoC for the router namespace and I may have found a problem with that.\n\nFor IPv4, 169.254.169.254 is not configured in the router namespace. Instead we push a route into the guest routing table for example:\n\n169.254.169.254 via 10.0.0.1 dev ens2 proto dhcp metric 100\n\nDespite 169.254 being link-local the kernel happily obeys this route and sends packets to 169.254.169.254 to the ethernet address of 10.0.0.1. 
That is nobody has to answer arp who-has 169.254.169.254 in the router namespace. (Later we catch this traffic via a REDIRECT to where haproxy listens but that does not matter here.)\n\nIt seems to me the linux kernel (here 4.15.0) behaves differently for ipv6. After the link-local configuration of the primary guest interface we already have routes like:\n\nfe80::/64 dev ens2 proto kernel metric 256 pref medium\ndefault via fe80::f816:3eff:fe90:2c07 dev ens2 proto ra metric 100 mtu 1450 pref medium\n\nThen I add routes like (as if they were pushed by dhcp):\n\nfe80::a9:fe:a9:fe via fe80::f816:3eff:fe90:2c07 dev ens2 metric 255 pref medium\nfe80::a9:fe:a9:fe via fe80::f816:3eff:fe90:2c07 dev ens2 metric 257 pref medium\n\n(Did not look up if 255 or 257 is stronger than 256 instead added both.)\n\nThe \u0027ip -6 route add\u0027 command succeeds, the entries can be seen in the routing table.\n\nOn the other hand the kernel seems to ignore them as it can be verified by tcpdump it still sends neighbor solicitation who-has fe80::a9:fe:a9:fe.\n\nWhich of course nobody answers in the router namespace. 
So the kernel gives up and does not send it to the router.\n\n(This actually looks more logical than the ipv4 behavior since why would the kernel ever send link-local traffic to a router.)\n\nWe clearly cannot configure the same address in both the dhcp and the router namespaces because the second will fail at duplicate address detection.\n\nI\u0027m thinking what to do, just first wanted to share the problem I seem to have found.","commit_id":"20088d8d65d53ba1f13b554326478531ce14e941"},{"author":{"_account_id":15554,"name":"Bence Romsics","email":"bence.romsics@gmail.com","username":"ebenrom","status":"working for Ericsson, UTC+1 (+DST)"},"change_message_id":"532116a80aa614662d1a71565c4a479b284a51c7","unresolved":false,"context_lines":[{"line_number":41,"context_line":"link-local subnet which is fe80::/10 according to [2]."},{"line_number":42,"context_line":"It is valid to do this because it is running inside a router or dhcp namespace."},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"The L3 agent will add a firewall rule that redirects traffic sent to"},{"line_number":45,"context_line":"the proposed anycast IP (fe80::a9fe:a9fe) to the metadata proxy port."},{"line_number":46,"context_line":"In the case of the DHCP agent, a new IP address (fe80::a9fe:a9fe) will be"},{"line_number":47,"context_line":"configured on the tap port which belongs to the DHCP agent, the same way it is"},{"line_number":48,"context_line":"currently done for the IPv4 address (169.254.169.254)."}],"source_content_type":"text/x-rst","patch_set":11,"id":"df33271e_231397b7","line":45,"range":{"start_line":44,"start_character":0,"end_line":45,"end_character":69},"in_reply_to":"df33271e_142df894","updated":"2020-03-25 08:12:33.000000000","message":"The mismatch in the address is totally accidental. 
On the other hand I am going to re-check today if I used the same address consistently in my tests otherwise it may have caused a difference.","commit_id":"20088d8d65d53ba1f13b554326478531ce14e941"},{"author":{"_account_id":15554,"name":"Bence Romsics","email":"bence.romsics@gmail.com","username":"ebenrom","status":"working for Ericsson, UTC+1 (+DST)"},"change_message_id":"2320ff1e0a34fc6dddb72417a75a80be9cbd59d9","unresolved":false,"context_lines":[{"line_number":41,"context_line":"link-local subnet which is fe80::/10 according to [2]."},{"line_number":42,"context_line":"It is valid to do this because it is running inside a router or dhcp namespace."},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"The L3 agent will add a firewall rule that redirects traffic sent to"},{"line_number":45,"context_line":"the proposed anycast IP (fe80::a9fe:a9fe) to the metadata proxy port."},{"line_number":46,"context_line":"In the case of the DHCP agent, a new IP address (fe80::a9fe:a9fe) will be"},{"line_number":47,"context_line":"configured on the tap port which belongs to the DHCP agent, the same way it is"},{"line_number":48,"context_line":"currently done for the IPv4 address (169.254.169.254)."}],"source_content_type":"text/x-rst","patch_set":11,"id":"df33271e_3eabae89","line":45,"range":{"start_line":44,"start_character":0,"end_line":45,"end_character":69},"in_reply_to":"df33271e_231397b7","updated":"2020-03-25 09:02:58.000000000","message":"Sorry guys, my comment from yesterday was a false alarm. I did mix up the addresses and that\u0027s why I thought the kernel is ignoring the routes I installed. But actually it\u0027s not ignoring them.\n\nAs long as the route we install for fe80::a9fe:a9fe is more specific than the fe80::/64 entry present by default even the routing metric does not matter. 
So its presence is not a problem.","commit_id":"20088d8d65d53ba1f13b554326478531ce14e941"},{"author":{"_account_id":15554,"name":"Bence Romsics","email":"bence.romsics@gmail.com","username":"ebenrom","status":"working for Ericsson, UTC+1 (+DST)"},"change_message_id":"81b2722fc878ed975250f669aa257fdd9b667154","unresolved":false,"context_lines":[{"line_number":41,"context_line":"link-local subnet which is fe80::/10 according to [2]."},{"line_number":42,"context_line":"It is valid to do this because it is running inside a router or dhcp namespace."},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"The L3 agent will add a firewall rule that redirects traffic sent to"},{"line_number":45,"context_line":"the proposed anycast IP (fe80::a9fe:a9fe) to the metadata proxy port."},{"line_number":46,"context_line":"In the case of the DHCP agent, a new IP address (fe80::a9fe:a9fe) will be"},{"line_number":47,"context_line":"configured on the tap port which belongs to the DHCP agent, the same way it is"},{"line_number":48,"context_line":"currently done for the IPv4 address (169.254.169.254)."}],"source_content_type":"text/x-rst","patch_set":11,"id":"df33271e_bcf3450a","line":45,"range":{"start_line":44,"start_character":0,"end_line":45,"end_character":69},"in_reply_to":"df33271e_3eabae89","updated":"2020-03-25 11:51:55.000000000","message":"Thank you Tomislav for catching my silliness.\n\nAdded the PoC of the router namespace to the etherpad:\n\nhttps://etherpad.openstack.org/p/metadata-ipv6-model","commit_id":"20088d8d65d53ba1f13b554326478531ce14e941"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"6e6f37302ca107e06e6be3efc98b42307e7ea88f","unresolved":false,"context_lines":[{"line_number":41,"context_line":"link-local subnet which is fe80::/10 according to [2]."},{"line_number":42,"context_line":"It is valid to do this because it is running inside a router or 
dhcp namespace."},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"The L3 agent will add a firewall rule that redirects traffic sent to"},{"line_number":45,"context_line":"the proposed anycast IP (fe80::a9fe:a9fe) to the metadata proxy port."},{"line_number":46,"context_line":"In the case of the DHCP agent, a new IP address (fe80::a9fe:a9fe) will be"},{"line_number":47,"context_line":"configured on the tap port which belongs to the DHCP agent, the same way it is"},{"line_number":48,"context_line":"currently done for the IPv4 address (169.254.169.254)."}],"source_content_type":"text/x-rst","patch_set":11,"id":"df33271e_c683bda8","line":45,"range":{"start_line":44,"start_character":0,"end_line":45,"end_character":69},"in_reply_to":"df33271e_662e3144","updated":"2020-03-26 15:15:03.000000000","message":"Thanks both for checking this possible issue.","commit_id":"20088d8d65d53ba1f13b554326478531ce14e941"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"9979cad1fe6bd1e66a3e2b63699c58d7b5df81bc","unresolved":false,"context_lines":[{"line_number":41,"context_line":"link-local subnet which is fe80::/10 according to [2]."},{"line_number":42,"context_line":"It is valid to do this because it is running inside a router or dhcp namespace."},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"The L3 agent will add a firewall rule that redirects traffic sent to"},{"line_number":45,"context_line":"the proposed anycast IP (fe80::a9fe:a9fe) to the metadata proxy port."},{"line_number":46,"context_line":"In the case of the DHCP agent, a new IP address (fe80::a9fe:a9fe) will be"},{"line_number":47,"context_line":"configured on the tap port which belongs to the DHCP agent, the same way it is"},{"line_number":48,"context_line":"currently done for the IPv4 address 
(169.254.169.254)."}],"source_content_type":"text/x-rst","patch_set":11,"id":"df33271e_662e3144","line":45,"range":{"start_line":44,"start_character":0,"end_line":45,"end_character":69},"in_reply_to":"df33271e_bcf3450a","updated":"2020-03-26 14:58:18.000000000","message":"Thx Bence and Tomislav for checking that. So it seems that this concept is still valid and we can go this way with implementation :)","commit_id":"20088d8d65d53ba1f13b554326478531ce14e941"},{"author":{"_account_id":22584,"name":"Tomislav Sukser","email":"tomislav.sukser@telekom.de","username":"tsukser"},"change_message_id":"6539345d4de4c3889a5789d34aaf602478f7e13b","unresolved":false,"context_lines":[{"line_number":41,"context_line":"link-local subnet which is fe80::/10 according to [2]."},{"line_number":42,"context_line":"It is valid to do this because it is running inside a router or dhcp namespace."},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"The L3 agent will add a firewall rule that redirects traffic sent to"},{"line_number":45,"context_line":"the proposed anycast IP (fe80::a9fe:a9fe) to the metadata proxy port."},{"line_number":46,"context_line":"In the case of the DHCP agent, a new IP address (fe80::a9fe:a9fe) will be"},{"line_number":47,"context_line":"configured on the tap port which belongs to the DHCP agent, the same way it is"},{"line_number":48,"context_line":"currently done for the IPv4 address (169.254.169.254)."}],"source_content_type":"text/x-rst","patch_set":11,"id":"df33271e_142df894","line":45,"range":{"start_line":44,"start_character":0,"end_line":45,"end_character":69},"in_reply_to":"df33271e_df18d282","updated":"2020-03-24 18:23:29.000000000","message":"The behavior looks correct. IPv6 does not use ARP, instead it uses Neighbor Discovery Protocol (by using ICMPv6). 
All link local IPv6 addresses must be bound to a specific interface if I understand implementation (and theory) correctly, and there should be no way to define it in routing table.\n\nAddress used in your example (fe80::a9:fe:a9:fe) is different compared to proposal from this document (fe80::a9fe:a9fe), not sure if that was accidental or intentional, although it would not have different outcome.","commit_id":"20088d8d65d53ba1f13b554326478531ce14e941"}]}
