IPv4/IPv6 Dual-Stack Network

Dual-stack networking allows IPv4 and IPv6 addresses to be used simultaneously, while each IP version can still be used independently. To accomplish this, each platform network can be associated with one or two address pools, one for each IP version (IPv4 or IPv6). The first pool is linked to the network upon creation and cannot be subsequently removed. The second pool can be added or removed to transition the system between dual-stack and single-stack modes.

The PXE boot network is an exception, as it currently supports only IPv4. Other platform networks can be configured as either single-stack or dual-stack based on specific requirements. Internal management communication among controllers, workers, and storage nodes uses the primary address pool, because encryption is currently available only for the primary pool on the management network.

Once created, a network’s primary address pool family cannot be modified. Reinstalling the system is necessary to change it. While it is possible to edit address pool addresses for management, OAM, and admin networks, all addresses within a pool must belong to the same address family.

API and Command Line Interface Considerations

The following system APIs handle the association between network and address pool:

  • network-addrpool-assign: creates the association between a network and address pool

  • network-addrpool-remove: removes the association between a network and address pool

  • network-addrpool-list: lists all associations

  • network-addrpool-show: shows a specific association

The first association is done internally when the network is created using the command format:

~(keystone_admin)]$ system network-add <network_name> <network type> <dynamic> <pool_uuid>

The addrpool-modify command edits any of an address pool's parameters from the CLI. The command format is:

~(keystone_admin)]$ system addrpool-modify [--name <name>] [--network <network address>] [--prefix <network prefix>] [--ranges <ranges>] [--order <sequential | random>] [--floating-address <floating address>] [--controller0-address <controller0 address>] [--controller1-address <controller1 address>] [--gateway-address <gateway address>] <address_pool uuid>

Install a System in Dual-Stack

It is possible to install a system in dual-stack by adding the secondary subnets to the bootstrap variables as comma-separated values, as shown in the following example:

pxeboot_subnet: 198.51.100.0/24

management_subnet: fd01::/64,198.51.0.0/24
management_start_address: fd01::2,198.51.0.2
management_end_address: fd01::ffff,198.51.0.200
management_gateway_address: fd01::1,198.51.0.1

external_oam_subnet: fd00::/64,10.20.5.0/24
external_oam_gateway_address: fd00::1,10.20.5.1
external_oam_floating_address: fd00::3,10.20.5.3
external_oam_node_0_address: fd00::4,10.20.5.4
external_oam_node_1_address: fd00::5,10.20.5.5

cluster_host_subnet: aefd:100::/64,198.51.100.0/24
cluster_pod_subnet: aefd:206::/64,203.0.113.0/24
cluster_service_subnet: aefd:207::/112,10.96.0.0/12

The order in which networks are listed determines the primary and secondary address pools. It is important to note that all primary address pools must use the same address family. For example, if the primary address pool for one subnet is IPv6, the primary pools of all other subnets must also be IPv6 (as in the example above).
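A pre-flight check for these rules, as an added example that is not part of the original documentation or the platform's own tooling. It assumes the bootstrap values are flat "key: value" lines (check_bootstrap and SAMPLE are hypothetical names) and verifies the pool count per network, the IPv4-only PXE boot rule, that each address lies in the pool at the same list position, and that all primary pools share one address family.

```python
import ipaddress

# Trimmed copy of the bootstrap example above; the flat "key: value" layout is an assumption.
SAMPLE = """\
pxeboot_subnet: 198.51.100.0/24
management_subnet: fd01::/64,198.51.0.0/24
management_start_address: fd01::2,198.51.0.2
management_end_address: fd01::ffff,198.51.0.200
management_gateway_address: fd01::1,198.51.0.1
external_oam_subnet: fd00::/64,10.20.5.0/24
external_oam_gateway_address: fd00::1,10.20.5.1
external_oam_floating_address: fd00::3,10.20.5.3
cluster_host_subnet: aefd:100::/64,198.51.100.0/24
cluster_pod_subnet: aefd:206::/64,203.0.113.0/24
cluster_service_subnet: aefd:207::/112,10.96.0.0/12
"""

def check_bootstrap(text):
    """Return a list of rule violations; malformed addresses raise ValueError."""
    values = {}
    for line in text.splitlines():
        if ":" in line and not line.lstrip().startswith("#"):
            key, _, val = line.partition(":")  # split at the first colon only
            values[key.strip()] = [v.strip() for v in val.split(",") if v.strip()]
    errors, primary = [], {}
    for key, items in values.items():
        if not key.endswith("_subnet"):
            continue
        name = key[:-len("_subnet")]
        nets = [ipaddress.ip_network(i, strict=False) for i in items]
        fams = [n.version for n in nets]
        if name == "pxeboot":
            if fams != [4]:
                errors.append("pxeboot: only a single IPv4 pool is supported")
            continue
        if not 1 <= len(nets) <= 2 or len(set(fams)) != len(fams):
            errors.append(f"{name}: expected 1 or 2 pools, one per IP version")
            continue
        primary[name] = fams[0]  # the first listed pool is the primary one
        # Each address variable must line up, position by position, with the subnets.
        for akey, addrs in values.items():
            if akey.startswith(name + "_") and akey.endswith("_address"):
                for pos, addr in enumerate(addrs):
                    if pos >= len(nets) or ipaddress.ip_address(addr) not in nets[pos]:
                        errors.append(f"{akey}: {addr} is not inside pool {pos + 1} of {name}")
    if len(set(primary.values())) > 1:
        errors.append(f"primary pools mix address families: {primary}")
    return errors
```

An empty list means the values are consistent with the rules above; the check does not look for overlapping subnets between networks.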

Configure DNS Server

DNS servers can optionally be configured with both IPv4 and IPv6 addresses. This can be achieved using the command format:

~(keystone_admin)]$ system dns-modify nameservers=<IPv6 DNS server>,<IPv4 DNS server>
or
~(keystone_admin)]$ system dns-modify nameservers=<IPv4 DNS server>,<IPv6 DNS server>

If the selected DNS servers support both A and AAAA records, specifying an address for each address family is unnecessary.

Distributed Cloud Operations

Subclouds can be installed in a dual-stack configuration if the subcloud's version supports the feature. All operational communication between the system controller and subclouds uses the primary address pool. While the system controller and subclouds can operate in different network modes (single-stack or dual-stack), they must share the same primary address family. Geo redundancy uses the primary address pools to communicate.

Public Endpoint Considerations

All available public OAM endpoints can be accessed through the secondary address using the same L4 port. HA Proxy is used to map these external requests to the corresponding internal endpoints.

Modify Network Addresses

Supported Networks

Only the OAM, Admin, and Management networks can be modified using the addrpool-modify command during runtime.

Other Networks

For other networks, reinstallation is required to make changes.

External API and Command Line Interface Considerations

Deprecated

The external-OAM API is marked as deprecated but can be used to modify the OAM network primary pool.

CLI

The corresponding CLIs are:

~(keystone_admin)]$ system oam-modify <path=value> [<path=value> ...]
~(keystone_admin)]$ system oam-show

Enable Kubernetes in Dual-stack

To enable dual-stack functionality in Kubernetes, the OAM, cluster-host, cluster-service, and cluster-pod networks must be configured to support it. Making these changes at runtime triggers a quick restart for the kube-API-server and kube-controller-manager pods.

If the conversion is done at runtime, newly created pods automatically receive both primary and secondary addresses. Existing pods retain their current primary addresses but do not acquire a secondary address until they are restarted. The same applies when converting from dual-stack to single-stack: previously existing pods retain their secondary address until they are restarted.

Runtime Configuration

To add dual-stack to a running system, the following sequence is suggested (in the example below, the system was installed as IPv6). The primary address family of each network can be seen with:

~(keystone_admin)]$ system network-list
+----+-----...--+-----------------+-----------------+---------+--------------------------------------+---------------------+
| id | uuid...  | name            | type            | dynamic | pool_uuid                            | primary_pool_family |
+----+-----...--+-----------------+-----------------+---------+--------------------------------------+---------------------+
| 4  | 196d...3 | multicast       | multicast       | False   | 7c445f38-067c-4b3c-a511-d8e00da5791c | IPv6                |
| 5  | 43fe...3 | cluster-host    | cluster-host    | True    | 6250edb8-15f5-4204-80f1-8e54b9e28a5a | IPv6                |
| 3  | 9996...9 | oam             | oam             | False   | b46512d7-5404-4daa-a64d-fc510e0c5864 | IPv6                |
| 6  | a374...7 | cluster-pod     | cluster-pod     | False   | f4c9560c-47e5-46bd-aff5-18642831b1da | IPv6                |
| 7  | afc1...d | cluster-service | cluster-service | False   | a6366aab-b3c1-4947-97e5-f5171e0e2f3e | IPv6                |
| 1  | b565...9 | mgmt            | mgmt            | True    | 412aebff-9a86-40b1-a379-752f00a0c3a0 | IPv6                |
| 2  | bbb1...2 | pxeboot         | pxeboot         | True    | 05fde56d-f26a-4ea4-8b32-1ebf868743e2 | IPv4                |
+----+-----...--+-----------------+-----------------+---------+--------------------------------------+---------------------+

Configure OAM Network

Add an address pool for OAM:

~(keystone_admin)]$ system addrpool-add oam-ipv4 171.168.204.0 24 --order random --ranges 171.168.204.1-171.168.204.254 --floating-address 171.168.204.1 --controller0-address 171.168.204.2 --controller1-address 171.168.204.3

Then assign the newly created pool to the OAM network:

~(keystone_admin)]$ system network-addrpool-assign oam oam-ipv4

If the system is AIO-SX, the new configuration is applied immediately. Otherwise, it is necessary to lock/unlock both controllers.

Configure Cluster (pod/service/host) Network

Configuring the cluster networks in dual-stack converts Kubernetes to dual-stack operation. First make sure the OAM network is already configured in dual-stack, and then start by adding the corresponding pools:

~(keystone_admin)]$ system addrpool-add cluster-pod-subnet-ipv4 172.16.0.0 16 --order random --ranges 172.16.0.1-172.16.254.254
~(keystone_admin)]$ system addrpool-add cluster-service-subnet-ipv4 10.96.0.0 12 --order random --ranges 10.96.0.1-10.96.254.254
~(keystone_admin)]$ system addrpool-add cluster-host-subnet-ipv4 192.168.204.0 24 --order random --ranges 192.168.204.1-192.168.204.254 --floating-address 192.168.204.1 --controller0-address 192.168.204.2 --controller1-address 192.168.204.3

Then associate the new pools to each network (there is no preferred order among the three networks):

~(keystone_admin)]$ system network-addrpool-assign cluster-service cluster-service-subnet-ipv4
~(keystone_admin)]$ system network-addrpool-assign cluster-pod cluster-pod-subnet-ipv4
~(keystone_admin)]$ system network-addrpool-assign cluster-host cluster-host-subnet-ipv4

After the third cluster network receives its dual-stack configuration, Kubernetes and Calico are reconfigured, and kube-apiserver-controller and kube-controller-manager-controller restart. The entire operation is performed without the need for a node lock/unlock cycle.

Configure Management Network

As stated, the internal communication is done through the primary pool, but it is possible to add dual-stack configuration by first adding the new pool:

~(keystone_admin)]$ system addrpool-add management-ipv4 20.20.20.0 24 --order random --ranges 20.20.20.1-20.20.20.254 --floating-address 20.20.20.1 --controller0-address 20.20.20.2 --controller1-address 20.20.20.3

Then create the association:

~(keystone_admin)]$ system network-addrpool-assign mgmt management-ipv4

A Configuration Out-Of-Date alarm is raised for the affected nodes, and a node lock/unlock cycle clears the alarm.

Configure Admin Network

This network is used by subclouds to communicate with their system controller, and that communication is done through the primary pool. To add a dual-stack configuration, start with a new pool:

~(keystone_admin)]$ system addrpool-add admin-ipv4 30.30.30.0 24 --order random --ranges 30.30.30.1-30.30.30.254 --floating-address 30.30.30.1 --controller0-address 30.30.30.2 --controller1-address 30.30.30.3

Then create the association:

~(keystone_admin)]$ system network-addrpool-assign admin admin-ipv4

This is done at runtime on the affected controllers; no lock/unlock cycle is required.

Revert to Single-stack

Reverting to single-stack works in a similar fashion to configuring dual-stack, except that the association between the network and the address pool is removed. If the dual-stack configuration was applied at runtime, the single-stack configuration is also applied at runtime; if a node lock/unlock cycle was required to configure dual-stack, the same cycle is required to configure single-stack.

To remove an address pool association from a network, use network-addrpool-remove, for example:

~(keystone_admin)]$ ADDR_POOL_NAME="cluster-pod-ipv6"
~(keystone_admin)]$ DEL=$(system network-addrpool-list | awk -v pool="$ADDR_POOL_NAME" '$6 == pool { print $2 }') && system network-addrpool-remove "$DEL"