halogin command fails after disabling IPv6 on SLES 12 SP3

book

Article ID: 100042255

calendar_today

Updated On:

Description

Error Message

 

# /opt/VRTSvcs/bin/halogin admin
Enter Password:

VCS ERROR V-16-1-10600 Cannot connect to VCS engine
VCS ERROR V-16-1-11332 Invalid credentials, unable to create halogin session  

Cause

# grep ipv6 /etc/sysctl.conf | grep -v '#'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.all.forwarding = 0

# ip a | grep inet
    inet 127.0.0.1/8 scope host lo
    inet 192.168.10.102/24 brd 192.168.10.255 scope global eth0
    inet 192.168.20.102/24 brd 192.168.20.255 scope global eth1
    inet 192.168.30.102/24 brd 192.168.30.255 scope global eth2

 

# strace -fiv  -o ./halogin-ipv6-deact2.out /opt/VRTSvcs/bin/halogin admin
Enter Password:

VCS ERROR V-16-1-10600 Cannot connect to VCS engine
VCS ERROR V-16-1-11332 Invalid credentials, unable to create halogin session  

# cat -n halogin-ipv6-deact2.out | egrep -e 'socket|connect'
   245  12871 [00007f6369b28c27] socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
   246  12871 [00007f6369b287d0] connect(5, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = 0
   255  12871 [00007f6369b28c27] socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 5
   259  12871 [00007f636a895f60] connect(5, {sa_family=AF_INET6, sin6_port=htons(14141), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EADDRNOTAVAIL (Cannot assign requested address)
   284  12871 [00007f6369b1b2d0] write(2, "Cannot connect to VCS engine", 28) = 28


==> socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) was successful because :

the if_inet6 entry in /proc/net still exists :

# test -f  /proc/net/if_inet6 && echo "success!"
success!
     
This means that it is still possible to create an endpoint for communication by using socket(PF_INET6, SOCK_STREAM, IPPROTO_IP), but the connect on this socket will fail because the socket referred to by sockfd [ = socket(PF_INET6, SOCK_STREAM, IPPROTO_IP)] had not been bound to an address.


The reason why it is still possible to create an sockfd even if IPv6 was disabled via /etc/sysctl.conf is that the kernel the system booted with was originally supposed to be able to deal with IPv6. All the necessary entries in /proc/net are already created when later on, during the system boot process, the systemd-sysctl.service will source /etc/sysctl.conf and amend the configuration accordingly.

16812 open("/etc/sysctl.d/99-sysctl.conf", O_RDONLY|O_CLOEXEC) = 3
16812 read(3, "####\n#\n# /etc/sysctl.conf is mea"..., 4096) = 636

16812 open("/proc/sys/net/ipv6/conf/all/disable_ipv6", O_WRONLY|O_NOCTTY|O_CLOEXEC) = 3
16812 fcntl(3, F_GETFL)                 = 0x8001 (flags O_WRONLY|O_LARGEFILE)
16812 fstat(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
16812 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0d4e8f1000
16812 write(3, "1\n", 2)                = 2
16812 close(3)                          = 0


# cat /proc/sys/net/ipv6/conf/all/disable_ipv6
1

But the /proc/net/if_inet6 will stay and applications which are ipv6 aware and try to use it might run into trouble because of this -- as already shown above.

 

Resolution

1. Remove "net.ipv6.conf.all.disable_ipv6 = 1" from /etc/sysctl.conf in case this entry exists.

2. Disable IPv6 via GRUB command line

 

# vi /etc/default/grub

change

GRUB_CMDLINE_LINUX=""

to

GRUB_CMDLINE_LINUX="ipv6.disable=1"

 

 

3. After amending /etc/default/grub the file /boot/grub2/grub.cfg needs to be updated

 

# grub2-mkconfig -o /boot/grub2/grub.cfg

 

# systemctl reboot

 

 

After rebooting the system halogin command will work with IPv4

shl@server101:~> /opt/VRTSvcs/bin/halogin admin

Enter Password:

 

shl@server101:~>

 

# cat -n halogin-ipv6-deact1.out  | grep socket

   245  2677  [00007fbde8932c27] socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5

   246  2677  [00007fbde89327d0] connect(5, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = 0

   255  2677  [00007fbde8932c27] socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = -1 EAFNOSUPPORT (Address family not supported by protocol)

   260  2677  [00007fbde8932c27] socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 5

   279  2677  [00007fbde8932c27] socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 6

   280  2677  [00007fbde89327d0] connect(6, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = 0

 

In line 255 socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) will fail as expected because system does not support IPv6 anymore.

Issue/Introduction

# /opt/VRTSvcs/bin/halogin admin
Enter Password:

VCS ERROR V-16-1-10600 Cannot connect to VCS engine
VCS ERROR V-16-1-11332 Invalid credentials, unable to create halogin session
Powered by Wolken Software