From convo w/ @faidon, a better path forward to get rid of IPv6 autoconf confusion in the present/future without relying on the token method (which doesn't work on precise anyway, and is complicated):
- Copy the original interface::add_ip6_mapped functionality (translate ipv4 into lower 64 bits, take upper 64 from either an already autoconf-configured address or from rdisc6) down to d-i so that it configures the explicit mapped v6 address at install-time for new installs. This puts the new hosts' v6 on the same footing as v4 is today: configured at install, left alone for runtime puppet. All new hosts installed under this scheme should have IPv6 added alongside IPv4 in DNS as well.
- Remove the current interface::add_ip6_mapped functionality from puppet for the hosts it's applied to, without undoing its basic work. That leaves the affected hosts with their static /e/n/i definition, and thus they're in a similar situation to fresh installs with the new hosts above. There's an extra complication here in that we also want to salt over these hosts and undo the effects of the ip token stuff in /e/n/i and be sure they're all left in a stable state with their configured static address: needs some testing.
- Deploy code similar to https://gerrit.wikimedia.org/r/#/c/217317/1 in a base class to all hosts (needs updates for non-upstart), which disables autoconf at boot time for all interfaces before the network service ever starts and flushes any autoconf addresses already present, and ensure it gets run at least once on current running hosts as well. This kills all autoconf addresses, and thus hosts that didn't get a static mapped address from 1/2 above (old add_ip6_mapped hosts, or new installs) won't have IPv6 at all and will communicate with other dual-stack hosts over v4 only, rather than using an autoconf IPv6 address to connect. This is a regression of v6 deployment in general, but brings us into a clean, known-good baseline state where we no longer have to deal with traffic from autoconf-style v6 addresses in any access/firewall rules.
- Going forward, for hosts where we need to add IPv6 without reinstalling, we'll need a consistent manual method of applying the same work as d-i, such as a one-off script that can be run to write the translated address to /e/n/i and bring it up for the first time (and add v6 DNS records for that host at that time as well).
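As an added illustration of the address translation in steps 1 and 4 above (this is example code written for this note, not the add_ip6_mapped Puppet code, the d-i hook or the gerrit change referenced above), here is the mapping carried out with Python's standard `ipaddress` module. The translation convention it assumes, since the text only says "translate ipv4 into lower 64 bits", is that each decimal IPv4 octet becomes one 16-bit group verbatim (10.64.0.10 -> ...:10:64:0:10); the upper 64 bits come from either an existing autoconf address on the interface or a prefix such as rdisc6 would report. The sample addresses, the `eth0` interface name and the helper names are constructed for the example. It also includes the audit check a salt run over the old add_ip6_mapped hosts (step 2) would want: telling an EUI-64 autoconf address apart from the static mapped one.

```python
import ipaddress

# Constructed sample inputs for the example (not taken from the task):
# an IPv4 host address and an EUI-64 style autoconf address already
# present on the same interface.
SAMPLE_IPV4 = "10.64.0.10"
SAMPLE_AUTOCONF_V6 = "2620:0:861:101:e23f:49ff:fe02:abcd"

UPPER64_MASK = ((1 << 64) - 1) << 64
LOWER64_MASK = (1 << 64) - 1


def upper64(source: str) -> int:
    """Return the upper 64 bits of an IPv6 address or prefix as an int.

    `source` may be a plain address (e.g. one learned by autoconf) or a
    prefix such as "2620:0:861:101::/64" (e.g. from rdisc6 output).
    Anything below bit 64 is discarded.
    """
    addr_text, _, plen = source.partition("/")
    if plen and int(plen) > 64:
        raise ValueError(f"{source} is longer than /64; no room for a 64-bit host part")
    return int(ipaddress.IPv6Address(addr_text)) & UPPER64_MASK


def ipv4_as_lower64(ipv4: str) -> int:
    """Translate a dotted-quad IPv4 address into the lower 64 bits.

    Assumed convention (hypothetical, not spelled out in the task): each
    decimal octet is written verbatim as one hex group, so 10.64.0.10
    becomes the groups 10:64:0:10.
    """
    ipaddress.IPv4Address(ipv4)  # raises ValueError on malformed input
    return int(ipaddress.IPv6Address("::" + ipv4.replace(".", ":")))


def mapped_ipv6(ipv4: str, prefix_source: str) -> ipaddress.IPv6Address:
    """Combine the upper 64 bits of `prefix_source` with the translated IPv4."""
    return ipaddress.IPv6Address(upper64(prefix_source) | ipv4_as_lower64(ipv4))


def looks_like_eui64(address) -> bool:
    """True if the interface identifier has the 0xfffe marker of an
    EUI-64 (SLAAC) address. RFC 4941 temporary addresses do not carry the
    marker, so a False result is not proof that an address is static."""
    iid = int(ipaddress.IPv6Address(address)) & LOWER64_MASK
    return (iid >> 24) & 0xFFFF == 0xFFFE


def is_mapped_static(address, ipv4: str) -> bool:
    """Audit helper: does `address` equal the mapped address for `ipv4`
    under its own /64? Used to confirm a host ended up in the intended state."""
    addr = ipaddress.IPv6Address(address)
    return addr == mapped_ipv6(ipv4, str(addr))


def eni_inet6_stanza(iface: str, address: ipaddress.IPv6Address) -> str:
    """Render the static inet6 stanza a d-i hook or one-off script would
    append to /etc/network/interfaces."""
    return f"iface {iface} inet6 static\n    address {address}\n    netmask 64\n"


if __name__ == "__main__":
    v6 = mapped_ipv6(SAMPLE_IPV4, SAMPLE_AUTOCONF_V6)
    print(f"mapped: {v6}")
    print(f"autoconf sample is EUI-64: {looks_like_eui64(SAMPLE_AUTOCONF_V6)}")
    print(f"mapped result is EUI-64:   {looks_like_eui64(v6)}")
    print(eni_inet6_stanza("eth0", v6))
```

Running the block prints the mapped address for the constructed inputs and the /e/n/i stanza that would be written at install time. `is_mapped_static` is the check to run in the salt pass over existing hosts: it distinguishes a host that already carries its static mapped address from one still relying on an autoconf or token address.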
The only additional complication that's come to my mind is that this does not work out for the LVS hosts. I think they need an on-subnet IPv6 address (of any kind, doesn't matter if autoconf) on all of their per-vlan interfaces in order to route IPv6 traffic correctly, and they're currently relying on autoconf for that. We can fix this by defining explicit, manual addresses for them via interface::tagged and adding those to DNS as well.