Package: cloud.debian.org
Severity: important
User: cloud.debian....@packages.debian.org
Usertags: aws image

When AWS originally launched IPv6-only VPC subnets, the DHCPv4 server
handed out a link-local v4 address and a default route that was a
blackhole for most destinations.  It did route traffic to the instance
metadata endpoint (169.254.169.254), the timesync endpoint
(169.254.169.123) and a couple of others.  This provided compatibility
with existing software, but the blackhole default route led to some
obvious problems for any software that would try to establish a
connection using IPv4 before IPv6.

AWS has recently started rolling out RFC 3442 routes to the specific
endpoints, and stopped distributing a default route.  This is the
correct thing to do, and works well on sid and bookworm, but it's
causing problems on bullseye.

The expected behavior when launching in an IPv6 subnet is that an
instance has one or more IPv6 addresses and a functioning IPv6 default
route.  It also should have an IPv4 address in the 169.254/16 range and
/32 routes to several endpoints, for example:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    inet 169.254.245.205/32 scope global dynamic eth0
       valid_lft 2789sec preferred_lft 2789sec

169.254.0.1 dev eth0 scope link
169.254.169.123 via 169.254.0.1 dev eth0 proto static
169.254.169.249 via 169.254.0.1 dev eth0 proto static
169.254.169.250/31 via 169.254.0.1 dev eth0 proto static
169.254.169.253 via 169.254.0.1 dev eth0 proto static
169.254.169.254 via 169.254.0.1 dev eth0 proto static

The actual behavior on the current bullseye AMIs is that IPv6 is
configured as expected, but the IPv4 routes are not configured:

admin@i-07e63055bb304147c:~$ ip -4 addr show dev ens5
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    altname enp0s5
    inet 169.254.109.198/32 scope global ens5
       valid_lft forever preferred_lft forever
admin@i-07e63055bb304147c:~$ ip -4 ro
admin@i-07e63055bb304147c:~$

Because cloud-init in bullseye does not know about the IPv6 instance
metadata endpoint and is unable to reach the IPv4 endpoint, it is unable
to complete the instance provisioning process.

Logs indicate the following:

Aug 18 00:07:10 debian systemd[1]: Started ifup for ens5.
Aug 18 00:07:10 debian dhclient[388]: Internet Systems Consortium DHCP Client 4.4.1
Aug 18 00:07:10 debian sh[388]: Internet Systems Consortium DHCP Client 4.4.1
Aug 18 00:07:10 debian dhclient[388]: Copyright 2004-2018 Internet Systems Consortium.
Aug 18 00:07:10 debian sh[388]: Copyright 2004-2018 Internet Systems Consortium.
Aug 18 00:07:10 debian dhclient[388]: All rights reserved.
Aug 18 00:07:10 debian sh[388]: All rights reserved.
Aug 18 00:07:10 debian dhclient[388]: For info, please visit https://www.isc.org/software/dhcp/
Aug 18 00:07:10 debian sh[388]: For info, please visit https://www.isc.org/software/dhcp/
Aug 18 00:07:10 debian dhclient[388]:
Aug 18 00:07:10 debian dhclient[388]: Listening on LPF/ens5/06:6c:90:77:5b:a1
Aug 18 00:07:10 debian sh[388]: Listening on LPF/ens5/06:6c:90:77:5b:a1
Aug 18 00:07:10 debian sh[388]: Sending on   LPF/ens5/06:6c:90:77:5b:a1
Aug 18 00:07:10 debian sh[388]: Sending on   Socket/fallback
Aug 18 00:07:10 debian sh[388]: DHCPDISCOVER on ens5 to 255.255.255.255 port 67 interval 4
Aug 18 00:07:10 debian dhclient[388]: Sending on   LPF/ens5/06:6c:90:77:5b:a1
Aug 18 00:07:10 debian dhclient[388]: Sending on   Socket/fallback
Aug 18 00:07:10 debian dhclient[388]: DHCPDISCOVER on ens5 to 255.255.255.255 port 67 interval 4
Aug 18 00:07:10 debian dhclient[388]: DHCPOFFER of 169.254.109.198 from 169.254.0.1
Aug 18 00:07:10 debian sh[388]: DHCPOFFER of 169.254.109.198 from 169.254.0.1
Aug 18 00:07:10 debian sh[388]: DHCPREQUEST for 169.254.109.198 on ens5 to 255.255.255.255 port 67
Aug 18 00:07:10 debian sh[388]: DHCPACK of 169.254.109.198 from 169.254.0.1
Aug 18 00:07:10 debian dhclient[388]: DHCPREQUEST for 169.254.109.198 on ens5 to 255.255.255.255 port 67
Aug 18 00:07:10 debian dhclient[388]: DHCPACK of 169.254.109.198 from 169.254.0.1
Aug 18 00:07:10 debian sh[399]: RTNETLINK answers: File exists
Aug 18 00:07:10 debian root[415]: /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes returned non-zero exit status 2
Aug 18 00:07:10 debian dhclient[388]: bound to 169.254.109.198 -- renewal in 1498 seconds.
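
Added example (not part of the original report, and not the Debian hook script): a Python check that decodes an RFC 3442 classless static route option (DHCP option 121) and lists the routes that are absent from `ip -4 route` output, which is the symptom shown above on bullseye. The option bytes are constructed to decode to a subset of the routes the report lists as expected; the function names are hypothetical and the bytes AWS actually sends are an assumption.

```python
import ipaddress

def decode_classless_routes(option: bytes):
    """Decode an RFC 3442 (DHCP option 121) payload into (network, router) pairs."""
    routes, i = [], 0
    while i < len(option):
        width = option[i]                    # prefix length, 0..32
        n = (width + 7) // 8                 # only the significant octets are sent
        end = i + 1 + n + 4                  # width + destination + 4-octet router
        if width > 32 or end > len(option):
            raise ValueError(f"malformed route descriptor at offset {i}")
        dest = ipaddress.IPv4Address(option[i + 1:i + 1 + n] + bytes(4 - n))
        router = ipaddress.IPv4Address(option[end - 4:end])
        net = ipaddress.IPv4Network((dest, width), strict=False)
        # RFC 3442: a router of 0.0.0.0 means the destination is on-link.
        routes.append((net, None if int(router) == 0 else router))
        i = end
    return routes

def parse_ip_route(text: str):
    """Parse `ip -4 route` output into a set of (network, via) pairs."""
    installed = set()
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        try:
            net = ipaddress.IPv4Network("0.0.0.0/0" if tok[0] == "default" else tok[0])
        except ValueError:
            continue                         # route types such as "unreachable ..."
        via = ipaddress.IPv4Address(tok[tok.index("via") + 1]) if "via" in tok else None
        installed.add((net, via))
    return installed

def missing_routes(option: bytes, ip_route_output: str):
    have = parse_ip_route(ip_route_output)
    return [r for r in decode_classless_routes(option) if r not in have]

GW = [169, 254, 0, 1]
SAMPLE_OPTION = bytes(                       # constructed sample, not captured traffic
    [32, 169, 254, 0, 1, 0, 0, 0, 0] + [32, 169, 254, 169, 123] + GW
    + [31, 169, 254, 169, 250] + GW + [32, 169, 254, 169, 254] + GW)
EXPECTED_TABLE = """\
169.254.0.1 dev eth0 scope link
169.254.169.123 via 169.254.0.1 dev eth0 proto static
169.254.169.250/31 via 169.254.0.1 dev eth0 proto static
169.254.169.254 via 169.254.0.1 dev eth0 proto static
"""
if __name__ == "__main__":
    for net, via in missing_routes(SAMPLE_OPTION, ""):   # empty table, as on bullseye
        print("missing:", net, "via", via or "on-link")
```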
