Pivotal Knowledge Base

Follow

IPv6 disabled at kernel level on Stemcell 3363.20

Environment

 Product  Version
 Pivotal Cloud Foundry  1.10, 1.11
 Stemcell  3363.20

Overview

Stemcell 3363.20, which is now published on PivNet, disables IPv6 at the kernel level. There is a small chance that this change might impact your Applications or Services (Tiles) within your Pivotal Cloud Foundry (PCF) foundations. Refer to the Stemcell Release Notes for more information.

Description

Tiles provided by Pivotal or other vendors will be tested to verify that they are not negatively impacted by this change. Customers who are building their tiles should be aware of this change and test for compatibility accordingly before pushing to production environments. This Stemcell is available on PivNet today to test against. Customers enrolled in the Early Access Program can test this against the Alpha builds of Ops Manager for 1.11 which includes all the versions of the Stemcell which incorporates the IPv6 change. 

Impact

Some applications on the Elastic Runtime platform may also be impacted by this when deploying ERT with a Stemcell that enables IPv6. This is unlikely, but you might run into a known issue concerning Java Applications.

There are at least three ways that a network communication may occur between the VMs within a PCF foundation:

  1. Application instance (Running on ERT) to BOSH-deployed VMs
  2. Communication between BOSH-deployed VMs
  3. Communication between a BOSH-deployed VM and off-board resources

Note that IPv6 is currently not supported within the ERT, so any network connections that are made between the application instances and their bound services will be initiated over IPv4. The same stands true for communications between BOSH-deployed VMs. The third case is not necessarily constrained by ERT and is the tile’s responsibility.  

Additional Measures

As a matter of good security hygiene, and reducing the attack surface of a PCF foundation, it is important not to enable protocols or open ports that are not being used or needed. If a tile is binding to IPv6 interfaces unnecessarily, this must be disabled.  If you have an explicit requirement to support IPv6 in some way, please let Pivotal know.

Note for the Tile Authors

If your tile specifies Stemcell version(s) that include 3363.20, please verify that you can deploy and run tests against your tile with this Stemcell. Note that this change will also appear in whichever Stemcell version is shipped with Ops Manager 1.11, so you may have the Alpha or Beta tiles still in progress targeting the 1.11 timeframe. All Ops Manager Alphas for 1.11 include an Alpha Stemcell that has IPv6 disabled, including the ones that are already available. Please test your Alpha/Beta tiles against that as well. If there are any issues or you can not access these Alpha builds, please reach out to your Pivotal Partner Contact for help.

Comments

Powered by Zendesk