Package: cloud.debian.org
Severity: important
User: cloud.debian....@packages.debian.org
Usertags: aws image

When AWS originally launched IPv6-only VPC subnets, the DHCPv4 server handed out a link-local v4 address and a default route that was a blackhole for most destinations. It did route traffic to the instance metadata endpoint (169.254.169.254), the timesync endpoint (169.254.169.123) and a couple of others. This provided compatibility with existing software, but the blackhole default route led to some obvious problems for any software that would try to establish a connection using IPv4 before IPv6.

AWS has recently started rolling out RFC 3442 routes to the specific endpoints, and stopped distributing a default route. This is the correct thing to do, and works well on sid and bookworm, but it's causing problems on bullseye.

The expected behavior when launching in an IPv6 subnet is that an instance has one or more IPv6 addresses and a functioning IPv6 default route. It also should have an IPv4 address in the 169.254/16 range and /32 routes to several endpoints, for example:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    inet 169.254.245.205/32 scope global dynamic eth0
       valid_lft 2789sec preferred_lft 2789sec

169.254.0.1 dev eth0 scope link
169.254.169.123 via 169.254.0.1 dev eth0 proto static
169.254.169.249 via 169.254.0.1 dev eth0 proto static
169.254.169.250/31 via 169.254.0.1 dev eth0 proto static
169.254.169.253 via 169.254.0.1 dev eth0 proto static
169.254.169.254 via 169.254.0.1 dev eth0 proto static

The actual behavior on the current bullseye AMIs is that IPv6 is configured as expected, but the IPv4 routes are not configured:

admin@i-07e63055bb304147c:~$ ip -4 addr show dev ens5
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    altname enp0s5
    inet 169.254.109.198/32 scope global ens5
       valid_lft forever preferred_lft forever
admin@i-07e63055bb304147c:~$ ip -4 ro
admin@i-07e63055bb304147c:~$

Because cloud-init in bullseye does not know about the IPv6 instance metadata endpoint and is unable to reach the IPv4 endpoint, it is unable to complete the instance provisioning process. Logs indicate the following:

Aug 18 00:07:10 debian systemd[1]: Started ifup for ens5.
Aug 18 00:07:10 debian dhclient[388]: Internet Systems Consortium DHCP Client 4.4.1
Aug 18 00:07:10 debian sh[388]: Internet Systems Consortium DHCP Client 4.4.1
Aug 18 00:07:10 debian dhclient[388]: Copyright 2004-2018 Internet Systems Consortium.
Aug 18 00:07:10 debian sh[388]: Copyright 2004-2018 Internet Systems Consortium.
Aug 18 00:07:10 debian dhclient[388]: All rights reserved.
Aug 18 00:07:10 debian sh[388]: All rights reserved.
Aug 18 00:07:10 debian dhclient[388]: For info, please visit https://www.isc.org/software/dhcp/
Aug 18 00:07:10 debian sh[388]: For info, please visit https://www.isc.org/software/dhcp/
Aug 18 00:07:10 debian dhclient[388]:
Aug 18 00:07:10 debian dhclient[388]: Listening on LPF/ens5/06:6c:90:77:5b:a1
Aug 18 00:07:10 debian sh[388]: Listening on LPF/ens5/06:6c:90:77:5b:a1
Aug 18 00:07:10 debian sh[388]: Sending on LPF/ens5/06:6c:90:77:5b:a1
Aug 18 00:07:10 debian sh[388]: Sending on Socket/fallback
Aug 18 00:07:10 debian sh[388]: DHCPDISCOVER on ens5 to 255.255.255.255 port 67 interval 4
Aug 18 00:07:10 debian dhclient[388]: Sending on LPF/ens5/06:6c:90:77:5b:a1
Aug 18 00:07:10 debian dhclient[388]: Sending on Socket/fallback
Aug 18 00:07:10 debian dhclient[388]: DHCPDISCOVER on ens5 to 255.255.255.255 port 67 interval 4
Aug 18 00:07:10 debian dhclient[388]: DHCPOFFER of 169.254.109.198 from 169.254.0.1
Aug 18 00:07:10 debian sh[388]: DHCPOFFER of 169.254.109.198 from 169.254.0.1
Aug 18 00:07:10 debian sh[388]: DHCPREQUEST for 169.254.109.198 on ens5 to 255.255.255.255 port 67
Aug 18 00:07:10 debian sh[388]: DHCPACK of 169.254.109.198 from 169.254.0.1
Aug 18 00:07:10 debian dhclient[388]: DHCPREQUEST for 169.254.109.198 on ens5 to 255.255.255.255 port 67
Aug 18 00:07:10 debian dhclient[388]: DHCPACK of 169.254.109.198 from 169.254.0.1
Aug 18 00:07:10 debian sh[399]: RTNETLINK answers: File exists
Aug 18 00:07:10 debian root[415]: /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes returned non-zero exit status 2
Aug 18 00:07:10 debian dhclient[388]: bound to 169.254.109.198 -- renewal in 1498 seconds.
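
The following is an added example, not part of the original report and not the Debian hook's code: a shell sketch that decodes RFC 3442 (DHCP option 121) data and lists which requested routes are absent from `ip -4 route` output, which is the symptom shown above. It assumes the option arrives as space-separated decimal octets; the function names are hypothetical and the sample octets are constructed from routes listed in the report.

```shell
#!/bin/sh
# Added example. Decodes RFC 3442 data (DHCP option 121) given as space-separated
# decimal octets and lists the routes that are absent from `ip -4 route` output.

# Each descriptor: prefix length, ceil(len/8) destination octets, 4 router octets.
decode_rfc3442() {
    set -f; set -- $1; set +f
    while [ $# -gt 0 ]; do
        len=$1; shift
        # Reject anything that is not a prefix length between 0 and 32.
        [ "$len" -ge 0 ] 2>/dev/null && [ "$len" -le 32 ] || return 1
        n=$(( (len + 7) / 8 ))
        [ $# -ge $((n + 4)) ] || return 1           # truncated descriptor
        dst=""; i=0
        while [ $i -lt 4 ]; do
            # Octets beyond the significant ones are implied zeros.
            if [ $i -lt $n ]; then oct=$1; shift; else oct=0; fi
            dst="${dst:+$dst.}$oct"
            i=$((i + 1))
        done
        echo "$dst/$len $1.$2.$3.$4"
        shift 4
    done
}

# missing_routes OPTION_OCTETS ROUTE_TABLE_TEXT
# Prints every "dst via gw" the option asked for that the table lacks.
# Only gatewayed routes are checked; router 0.0.0.0 (on-link) is out of scope here.
missing_routes() {
    routes=$(decode_rfc3442 "$1") || return 2
    printf '%s\n' "$routes" | while read -r dst gw; do
        [ -n "$dst" ] || continue
        # iproute2 prints /32 destinations without the mask.
        printf '%s\n' "$2" | awk -v d="${dst%/32}" -v g="$gw" \
            '$1 == d && $2 == "via" && $3 == g { f = 1 } END { exit !f }' \
            || echo "$dst via $gw"
    done
}

# Constructed sample: octets encoding three of the routes listed in the report.
SAMPLE_OPT="32 169 254 169 123 169 254 0 1 31 169 254 169 250 169 254 0 1 32 169 254 169 254 169 254 0 1"

# An empty table, like the bullseye `ip -4 ro` output above, reports all three.
missing_routes "$SAMPLE_OPT" ""
```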