From Fedora Project Wiki

No edit summary
 
(29 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Testing IPv6 support and dualstack networking can be very tricky. The purpose of this document is to provide a live resource on testing situations arising from existance and usage of two network layer protocols.
Main purpose of the Networking QA project is to check and improve IPv6 support in Fedora and concurrent usage of IPv4 and IPv6 protocols. Maintaining and improving existing IPv4 support is one of the secondary goals.


[https://bugzilla.redhat.com/showdependencytree.cgi?id=883152 Tracker bug dependency tree.]
== Contacts ==


== Configuration ==
Coordinators:


=== IPv4 and IPv6 connectivity ===
* [[User:pavlix|Pavel Šimerda]]
* [[User:thozza|Tomáš Hozza]]


Applications may behave differently based on connectivity checks. Those can be performed using the following per protocol characteristics.
Contributors:


* Existence of any IP address (including <code>127.0.0.1</code> or <code>::1</code>
* [[User:nmav|Nikos Mavrogiannopoulos]] – iputils
* Existence of non-loopback IP address (including IPv6 link-local addresses)
* Existence of a global IP address
* Existence of a default route (or route for the target we want to reach)


Example: To test application behavior on a host connected via IPv6-only network you should make sure you only have the loopback IPv4 address and that you have a global IPv6 address and a default IPv6 gateway as that what you would normally call an IPv6-only setup. Similarly for IPv4-only setup you would make sure that there are only IPv6 loopback and link-local addresses and that there is a global IPv4 address and a default IPv4 gateway. But there are still many corner cases that may trigger unexpected issues.
Potential contributors:


=== Target DNS records ===
* [[User:Tobygoodwin|Toby Goodwin]]


You need to carefully choose a target hostname for dual-stack networking tests.
== Objectives ==


Examples of scenarios:
Note: We are trying to define objectives of the project. Unfortunately we cannot add everything someone considers good or important but we rather have focus on things that we can actually do. Contact us if you're willing to help with some topic that you're interested in or that you consider neglected.


* Hostname with a single A record or a single AAAA record
We would like to test, document and improve the following:
* Hostname with one A record and one AAAA record
* Hostname with multiple records per family, some of which are obsolete and inacceessible


Other DNS records typically point to names, not addresses and thus are protocol agnostic
* Automatic network configuration of a Fedora node
but it may still be useful to test e.g. SRV records so that the SRV code path is correct
* Proper dual-stack operation of client and server software in various environments
as well.
* Check Fedora infrastructure and installation for IPv6 only operation


=== IPv4 and IPv6 recursive DNS servers ===


This is entirely orthogonal to IPv4 and IPv6 DNS records and doesn't cause many issues.
== Overview ==


=== IPv4 and IPv6 authoritative DNS servers ===
Packages to test:


This is a rather special case important for domain operators. A bad configuration can make otherwise working IPv6 hosts inaccessible from IPv6-only networks with their own recursive servers.
* [[/Packages]]


== Name resolution (using libc functions) ==
How to prepare test environment:


Name resolution features are provided by the GNU C Library (glibc) which is not yet ready for proper IPv6 and dual-stack operation as you can see when performing your tests. The C library comes with its own testing tool <code>getent</code> that has a special database called <code>ahosts</code> that runs <code>getaddrinfo()</code>, the library function that translates names to objects with addressing information. For your testing it is best used together with tools like <code>strace</code>, <code>ltrace</code> or even <code>gdb</code> so that you know exactly what is happening behind the scenes.
* [[/Test environment]]


As the <code>getent</code> tool is very primitive, we created a tool called <code>getaddrinfo</code> just as the library function that handles a larger subset of the function's API.
How to test different types of packages:


=== Name resolution input ===
* [[/Configuration]]
* [[/Name resolution]]
* [[/Testing tools]]
* [[/Client software]]
* [[/Server software]]


When application requests addressing information for a hostname with an optional service name, the library returns a list of addressing information objects. The order of objects in the list is significant and depends on operating system configuration and connectivity.
Known issues:


==== From the application ====
* [https://bugzilla.redhat.com/showdependencytree.cgi?id=883152 Bugzilla tickets]


* nodename
== New packages ==
* servname
* protocol
* socktype
* flags
** <code>AI_CANONNAME</code>
** ...


==== From local configuration and connectivity checks ====
There are new packages being added for networking and especially IPv6 testing and operations.


* Files in <code>/etc/</code> including nsswitch, hosts, services and more
* [https://bugzilla.redhat.com/show_bug.cgi?id=1265628 dhcpcd] – provides a basic network configuration daemon for testing and comparison
* To what extend is IPv4 and IPv6 available
* [https://bugzilla.redhat.com/show_bug.cgi?id=1090499 netresolve] – provides a library, testing tools and example implementations for some network software operations


==== From the outside world ====
== Packages ==
 
* DNS information
* Multicast DNS information
* LDAP information
 
=== Name resolution processing ===
 
==== What is requested ====
 
Not all information is requested at all times. Some information like canonical name must be explicitly requested by the application via <code>AI_CANONNAME</code> flag. It may be desirable to suppress other requests by local configuration or connectivity checks, a notable example being suppression of DNS AAAA queries on hosts without global connectivity.
 
==== What is passed to the application ====
 
Not all information that is learnt via requests is presented to the application. It is typically filtered according to input from the application. It is sometimes also filtered according to connectivity checks but that has caused more problems than improvements.
 
==== How it is sorted ====
 
There are rules for sorting addressing information returned by <code>getaddrinfo()</code>. One of the basic features is to return global IPv6 destinations before global IPv4 destinations. But when the library detects that IPv6 connectivity is not available, the reverse applies.
 
=== Example tests ===
 
==== Dual-stack host, destination with global IPv4 and IPv6 ====
 
On a host with IPv4 and IPv6 connectivity we request addressing information of another host that is announced as dual-stack in DNS.
 
<pre>
$ getent ahosts www.nix.cz
2a02:38::1001  STREAM info.nix.cz
2a02:38::1001  DGRAM 
2a02:38::1001  RAW   
195.47.235.3    STREAM
195.47.235.3    DGRAM 
195.47.235.3    RAW
</pre>
 
You can see that <code>getaddrinfo()</code> returned ''six'' items for ''two'' unique IP addresses with the IPv6 address sorted first. If you only expected only ''two'' items, one for each IP address, see [https://sourceware.org/bugzilla/show_bug.cgi?id=14990 upstream bug 14990].
 
==== IPv4-only host, destination with global IPv4 and IPv6 ====
 
We do the same on a host without IPv6 connectivity.
 
<pre>
$ getent ahosts www.nix.cz
195.47.235.3    STREAM info.nix.cz
195.47.235.3    DGRAM 
195.47.235.3    RAW   
2a02:38::1001  STREAM
2a02:38::1001  DGRAM 
2a02:38::1001  RAW   
</pre>
 
You can see that the result is the same as before except that IPv4 is sorted first.
 
== Name resolution (using netresolve) ==
 
There is an experimental package called netresolve (TODO: not yet in Fedora) that consists of a library somewhat similar to the glibc name resolution API implementation and a set of debugging tools. Any application using libc API and a couple of other APIs can be run using <code>wrapresolve</code> to use the netresolve implementation instead and benefit from some advanced features and more extensive debugging. When using the <code>libc</code> backend, netresolve can be also used to test the glibc implementation. With the <code>nss</code> backend it can be used to test glibc nsswitch backends directly.
 
<pre>
$ ./netresolve --node www.nix.cz
response netresolve 0.0.1
name info.nix.cz
ip 2a02:38::1001 any any 0 0 0 21599
ip 195.47.235.3 any any 0 0 0 12589
</pre>
 
You can see that <code>netresolve</code> behaves slightly different than <code>getent ahosts</code> and it by default returns one item per IP address. But you can easily tweak it to behave the same way.
 
<pre>
$ ./netresolve --node www.nix.cz --service ''
response netresolve 0.0.1
name info.nix.cz
ip 2a02:38::1001 stream tcp 0 0 0 21021
ip 2a02:38::1001 dgram udp 0 0 0 21021
ip 2a02:38::1001 raw any 0 0 0 21021
ip 195.47.235.3 stream tcp 0 0 0 12592
ip 195.47.235.3 dgram udp 0 0 0 12592
ip 195.47.235.3 raw any 0 0 0 12592
</pre>
 
Note that <code>netresolve</code> is both the name of the command and the name of the library. The above tests are done using the command but the same results would be given to an application using the library. Unless you explicitly request, netresolve uses its internal name resolution modules and not the libc functions.
 
== Tools ==
 
Tools with issues:
 
* [https://bugzilla.redhat.com/show_bug.cgi?id=617934 ping: lack of IPv6 support]
* [https://bugzilla.redhat.com/show_bug.cgi?id=1221496 fping: lack of IPv6 support]
* [https://bugzilla.redhat.com/show_bug.cgi?id=1220700 tracepath: lack of IPv6 support]
* [https://bugzilla.redhat.com/show_bug.cgi?id=1220825 nslookup: bad default behavior]
 
== Testing client applications ==
 
=== Client application checklist ===
 
A client application should:
 
* avoid using obsolete functions:
** <code>gethostbyname()</code>, <code>gethostbyname2()</code>
** <code>gethostbyaddr()</code>
** ...
* use system wide name resolution configuration
** avoid implementing name resolution code in the application
** avoid calling DNS libraries directly (there are other name resolution sources than DNS)
**
* reduce timeouts when a fallback is available
** reduce excessive DNS timeouts, possibly using a decent system wide name resolution library
** reduce excessive TCP timeouts, possibly using a decent socket library
* attempt all provided addresses until one succeeds or all fail
** possibly using a decent socket library
 
== Testing server applications ==


Server applications should be capable of accepting IPv4 and IPv6 clients and logging their addresses. Some server applications make use of addresses extensively, some just need to translate them to a meaningful name. Many server applications initiate connections to other hosts and thus the section about client applications applies to them as well.
Note: This section is informative only. It only includes assessment of packages based on experience and is ''not'' a result of extensive testing.


== Packages ==
=== Packages working more or less well in IPv6 and dual-stack environments ===


=== Packages that play well with IPv6 ===
Following packages play more or less well with IPv6. You can still expect minor issues including delays when configuration of one of the protocols doesn't work as expected. Those packages are still to be tested.
 
Following packages play more or less well with IPv6. You can still expect minor issues including delays when configuration of one of the protocols doesn't work as expected.


Network configuration:
Network configuration:
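Review bot: In the new "Packages working more or less well in IPv6 and dual-stack environments" section, the intro now ends with "Those packages are still to be tested", which sits awkwardly under a heading that says they work; either state the untested status in the heading or drop the sentence and rely on the "informative only" note added above it. Separately, this hunk removes the Configuration, Name resolution, Tools and client/server checklist sections and adds links to [[/Configuration]], [[/Name resolution]], [[/Testing tools]], [[/Client software]] and [[/Server software]]. The diff alone does not show that the removed text landed on those subpages, and the revision carries no edit summary, so a summary saying where the content went would help.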
Line 191: Line 71:
* dnssec-trigger – NetworkManager plugin to update/reconfigure DNSSEC resolving
* dnssec-trigger – NetworkManager plugin to update/reconfigure DNSSEC resolving


Server software:
Services:


* bind – The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
* bind – The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Line 197: Line 77:
* httpd – Apache HTTP Server
* httpd – Apache HTTP Server
* openssh – An open source implementation of SSH protocol versions 1 and 2
* openssh – An open source implementation of SSH protocol versions 1 and 2
* postfix – Postfix Mail Transport Agent
Development:
* git


Other:
Other:
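Review bot: The new "* git" entry under "Development:" has no description, unlike the entries around it; give it the same "name – description" form as, for example, "* postfix – Postfix Mail Transport Agent".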
Line 207: Line 92:
* iptables – Tools for managing Linux kernel packet filtering capabilities
* iptables – Tools for managing Linux kernel packet filtering capabilities


=== Packages with broken or incomplete IPv6 support ===
=== Packages with severe issues in IPv6 and dual-stack environments ===


Core system:
Core system:
Line 218: Line 103:
** [https://sourceware.org/bugzilla/buglist.cgi?quicksearch=getaddrinfo upstream getaddrinfo issues]
** [https://sourceware.org/bugzilla/buglist.cgi?quicksearch=getaddrinfo upstream getaddrinfo issues]


Development:
Core tools:
 
* subversion - A Modern Concurrent Version Control System
** [https://bugzilla.redhat.com/show_bug.cgi?id=1130328 no fallback to IPv4 when IPv6 default route fails]
 
=== Packages that need porting to IPv6 ===
 
Following packages contain tools or libraries that are IPv4-only but should be extended towards dual-stack networking.


* iputils – Network monitoring tools including ping
* iputils – Network monitoring tools including ping
Line 231: Line 109:
** tracepath
** tracepath
** ...
** ...
* quota – File system quota management
* quota – File system quota management
** [https://bugzilla.redhat.com/show_bug.cgi?id=704219 rpc.rquotad and other program should be ported from glibc's Sun RPC to tirpc's RPC]
** [https://bugzilla.redhat.com/show_bug.cgi?id=704219 rpc.rquotad and other program should be ported from glibc's Sun RPC to tirpc's RPC]
*** [[User:Pavlix]]: Why and how is it related to IPv6?
* [https://bugzilla.redhat.com/show_bug.cgi?id=1221496 fping: lack of IPv6 support]
* [https://bugzilla.redhat.com/show_bug.cgi?id=1220825 nslookup: bad default behavior]
Development:


=== Packages that are intended for IPv4-only operation ===
* subversion - A Modern Concurrent Version Control System
** [https://bugzilla.redhat.com/show_bug.cgi?id=1130328 no fallback to IPv4 when IPv6 default route fails]
 
=== IPv4 only packages ===


Following packages do not need any IPv6 testing as they contain IPv4 specific tools.
Following packages do not need any IPv6 testing as they contain IPv4 specific tools.
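Review bot: The added line "*** [[User:Pavlix]]: Why and how is it related to IPv6?" under the quota entry is a discussion question sitting in the article body; move it to the talk page or answer it in the entry itself. The fping and nslookup bullets added after it are bare Bugzilla links rather than package entries, so consider naming the package first and placing the bug as a sub-bullet, as is done for quota.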
Line 241: Line 127:
* arpwatch
* arpwatch


=== Notable packages to be tested for IPv6 support ===
=== Unqualified packages ===


Following packages weren't categorized yet but are considered important enough to be checked for IPv6 support. Please extend the list with other high visibility packages.
Following packages weren't categorized yet but are considered important enough to be checked for IPv6 support. Please extend the list with other high visibility packages. You can add more important packages here.


Core system:
Core system:
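Review bot: The sentence appended to the "Unqualified packages" intro, "You can add more important packages here.", repeats the request already made by "Please extend the list with other high visibility packages." directly before it; keep one of the two.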
Line 251: Line 137:
* apr – Apache Portable Runtime library
* apr – Apache Portable Runtime library
* busybox – Statically linked binary providing simplified versions of system commands
* busybox – Statically linked binary providing simplified versions of system commands
** It would be useful to check network related commands
* docker – Automates deployment of containerized applications
* docker – Automates deployment of containerized applications
** IPv6 in /etc/resolv.conf
** IPv6 in /etc/resolv.conf
Line 267: Line 154:
* dovecot – Secure imap and pop3 server
* dovecot – Secure imap and pop3 server
* openswan/libreswan/strongswan – IPSEC implementation with IKEv1 and IKEv2 keying protocols
* openswan/libreswan/strongswan – IPSEC implementation with IKEv1 and IKEv2 keying protocols
* postfix – Postfix Mail Transport Agent
 
* quagga – Routing daemon
* quagga – Routing daemon
* sendmail – A widely used Mail Transport Agent (MTA)
* sendmail – A widely used Mail Transport Agent (MTA)
Line 295: Line 182:
* postgresql – PostgreSQL client programs
* postgresql – PostgreSQL client programs
* rsync – A program for synchronizing files over a network
* rsync – A program for synchronizing files over a network
* squid – The Squid proxy caching serverb
* squid – The Squid proxy caching server
* sssd – System Security Services Daemon
* sssd – System Security Services Daemon
* syslinux – Simple kernel loader which boots from a FAT filesystem
* syslinux – Simple kernel loader which boots from a FAT filesystem

Latest revision as of 10:50, 14 December 2015

The main purpose of the Networking QA project is to check and improve IPv6 support in Fedora and the concurrent usage of the IPv4 and IPv6 protocols. Maintaining and improving existing IPv4 support is one of the secondary goals.

Contacts

Coordinators:

Contributors:

Potential contributors:

Objectives

Note: We are trying to define the objectives of the project. Unfortunately, we cannot add everything someone considers good or important; we would rather focus on things that we can actually do. Contact us if you're willing to help with a topic that you're interested in or that you consider neglected.

We would like to test, document and improve the following:

  • Automatic network configuration of a Fedora node
  • Proper dual-stack operation of client and server software in various environments
  • Check Fedora infrastructure and installation for IPv6-only operation


Overview

Packages to test:

How to prepare test environment:

How to test different types of packages:

Known issues:

New packages

There are new packages being added for networking and especially IPv6 testing and operations.

  • dhcpcd – provides a basic network configuration daemon for testing and comparison
  • netresolve – provides a library, testing tools and example implementations for some network software operations

Packages

Note: This section is informative only. It only includes an assessment of packages based on experience and is not a result of extensive testing.

Packages working more or less well in IPv6 and dual-stack environments

The following packages play more or less well with IPv6. You can still expect minor issues, including delays when the configuration of one of the protocols doesn't work as expected. Those packages are still to be tested.

Network configuration:

  • dhcp – Dynamic host configuration protocol software
  • iproute – Advanced IP routing and network device configuration tools
  • NetworkManager – Network connection manager and user applications
  • dnssec-trigger – NetworkManager plugin to update/reconfigure DNSSEC resolving

Services:

  • bind – The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
  • dnsmasq – A lightweight DHCP/caching DNS server
  • httpd – Apache HTTP Server
  • openssh – An open source implementation of SSH protocol versions 1 and 2
  • postfix – Postfix Mail Transport Agent

Development:

  • git

Other:

  • curl – A utility for getting files from remote servers (FTP, HTTP, and others)
  • cyrus-imapd – A high-performance mail server with IMAP, POP3, NNTP and SIEVE support
  • c-ares – A library that performs asynchronous DNS operations
  • firefox – Mozilla Firefox Web browser
  • libssh2 – A library implementing the SSH2 protocol
  • iptables – Tools for managing Linux kernel packet filtering capabilities

Packages with severe issues in IPv6 and dual-stack environments

Core system:

  • avahi – Local network service discovery
    • IPv6 turned off by default
    • nss-mdns doesn't do IPv6LL due to glibc limitations
  • glibc – The GNU libc libraries

Core tools:

Development:

IPv4 only packages

The following packages do not need any IPv6 testing as they contain IPv4-specific tools.

  • arptables
  • arpwatch

Unqualified packages

The following packages haven't been categorized yet but are considered important enough to be checked for IPv6 support. Please extend the list with other high-visibility packages. You can add more important packages here.

Core system:

  • abrt – Automatic bug detection and reporting tool
  • anaconda – Graphical system installer
  • apr – Apache Portable Runtime library
  • busybox – Statically linked binary providing simplified versions of system commands
    • It would be useful to check network related commands
  • docker – Automates deployment of containerized applications
    • IPv6 in /etc/resolv.conf
    • IPv6 on bridged networks
  • dracut – Initramfs generator using udev
  • firewalld – A firewall daemon with D-BUS interface providing a dynamic firewall
  • glib2/glib-networking – Networking support for GLib
  • grub2 – Bootloader with support for Linux, Multiboot and more
  • systemd – A System and Service Manager
  • yum – RPM package installer/updater/manager

Services:

  • bird – routing daemon
  • cups – Common Unix Printing System
  • dovecot – Secure imap and pop3 server
  • openswan/libreswan/strongswan – IPSEC implementation with IKEv1 and IKEv2 keying protocols
  • quagga – Routing daemon
  • sendmail – A widely used Mail Transport Agent (MTA)

Development:

  • bzr – Friendly distributed version control system
  • cvs – Concurrent Versions System
  • gdb – A GNU source-level debugger for C, C++, Fortran and other languages
  • mercurial – Mercurial – a distributed SCM

Other:

  • apr-util – Apache Portable Runtime Utility library
    • various networking tools including ping
  • gvfs – Backends for the gio framework in GLib
  • ipxe – A network boot loader
  • iptstate – A top-like display of IP Tables state table entries
  • ldns – Low-level DNS(SEC) library with API
  • lftp – A sophisticated file transfer program
  • libevent
  • libvirt – Library providing a simple virtualization API
  • net-tools – Basic networking tools
  • nmap – Network exploration tool and security scanner
  • nss-myhostname – glibc plugin for local system host name resolution
  • nss – Network Security Services
  • postgresql – PostgreSQL client programs
  • rsync – A program for synchronizing files over a network
  • squid – The Squid proxy caching server
  • sssd – System Security Services Daemon
  • syslinux – Simple kernel loader which boots from a FAT filesystem
  • tcpdump – A network traffic monitoring tool
  • telnet – The client program for the Telnet remote login protocol
  • traceroute – Traces the route taken by packets over an IPv4/IPv6 network
  • vinagre – VNC client for GNOME
  • vino – A remote desktop system for GNOME
  • virt-manager – Virtual Machine Manager
  • virt-viewer – Virtual Machine Viewer
  • wireshark – Network traffic analyzer