[pve-devel] new bridge code doesn't work with redhat kernel

Alexandre DERUMIER aderumier at odiso.com
Tue Feb 12 08:45:23 CET 2013 

I have done some tshark traces,

with dedicated bridge for the vms.
(I have put my admin vlan on a separate nic).
I can't get it work.

config is
---------
auto bond0
iface bond0 inet manual
slaves eth0 eth1
bond_miimon 100
bond_mode active-backup
pre-up ifup eth0 eth1
post-down ifdown eth0 eth1

auto vmbr1
iface vmbr1 inet manual
        bridge_ports bond0
        bridge_stp off
        bridge_fd 0


now I start a vm in vlan95 with vmbr1 (ip address: 10.3.95.241)

root at kvmtest1:~# brctl show
bridge name	bridge id		STP enabled	interfaces
vmbr1		8000.001aa03c98c5	no		
vmbr1v95	8000.001aa03c98c5	no		tap115i0
							vmbr1.95


I can't ping the vm from outside world,

I see arp request from the vm on vmbr1v95 and vmbr1. (but not on bond0)
But no response


# tshark -i vmbr1
Running as user "root" and group "root". This could be dangerous.
Capturing on vmbr1
  0.000000 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell 10.3.95.241
  1.000577 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell 10.3.95.241
  1.924068 fe80::8c3e:2cff:fefa:88c8 -> ff02::2      ICMPv6 Router solicitation
  2.000673 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell 10.3.95.241
  5.005467 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell 10.3.95.241
  5.931900 fe80::8c3e:2cff:fefa:88c8 -> ff02::2      ICMPv6 Router solicitation
  6.003867 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell 10.3.95.241
  7.003908 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell 10.3.95.241
 10.010779 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell 10.3.95.241
 11.007851 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell 10.3.95.241
 12.007901 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell 10.3.95.241
 15.016168 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell 10.3.95.241
 16.015875 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell 10.3.95.241
 17.015859 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell 10.3.95.241
 18.085844 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell 10.3.95.241
 19.083953 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell 10.3.95.241
^C16 packets captured



on bond0, I can see arp request from cisco switchs, but no reponse from the vm

Running as user "root" and group "root". This could be dangerous.
Capturing on bond0
  4.746062 Cisco_bd:ae:40 -> Broadcast    ARP Who has 10.3.95.241?  Tell 10.3.95.1
  5.647504 Cisco_bd:ae:40 -> Broadcast    ARP Who has 10.3.95.241?  Tell 10.3.95.1
  6.745705 Cisco_bd:ae:40 -> Broadcast    ARP Who has 10.3.95.241?  Tell 10.3.95.1
  7.745565 Cisco_bd:ae:40 -> Broadcast    ARP Who has 10.3.95.241?  Tell 10.3.95.1
 11.744866 Cisco_bd:ae:40 -> Broadcast    ARP Who has 10.3.95.241?  Tell 10.3.95.1


So, something is wrong between bond0 and vmbr1.
(Maybe the vlans tags ? I don't know how to trace the vlan tag with tshark, any idea ?)

So maybe my firsts tests was working because of arp cache.




----- Mail original ----- 

De: "Stefan Priebe" <s.priebe at profihost.ag> 
À: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com, "Dietmar Maurer" <dietmar at proxmox.com> 
Envoyé: Lundi 11 Février 2013 20:44:28 
Objet: Re: [pve-devel] new bridge code doesn't work with redhat kernel 

HI, 

right now i'm talking about bridge on top of a bond NO VLAN involved. 
My commit / code change does not even touch that... 

Could you please check? As far as i know this is working for you - isn't it? 

Stefan 

Am 11.02.2013 17:40, schrieb Alexandre DERUMIER: 
> Mmmm, this is strange, I have just retested after reboot my test server, 
> 
> it doesn't work anymore too with new bridge code. 
> 
> (maybe an arp problem ?) 
> 
> I'm a bit scaried.... 
> 
> 
> ----- Mail original ----- 
> 
> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> À: "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: pve-devel at pve.proxmox.com, "Dietmar Maurer" <dietmar at proxmox.com> 
> Envoyé: Lundi 11 Février 2013 17:28:34 
> Objet: Re: [pve-devel] new bridge code doesn't work with redhat kernel 
> 
> And how does you bridge look like? To me the tap devices attached to the bridge don't work at all. 
> 
> Stefan 
> 
> Am 11.02.2013 um 17:16 schrieb Alexandre DERUMIER <aderumier at odiso.com>: 
> 
>> Hi stefan, this is working for my with theses bond configs 
>> 
>> active-backup 
>> -------------- 
>> auto bond0 
>> iface bond0 inet manual 
>> slaves eth0 eth1 
>> bond_miimon 100 
>> bond_mode active-backup 
>> pre-up ifup eth0 eth1 
>> post-down ifdown eth0 eth1 
>> 
>> 
>> or lacp 
>> ------- 
>> auto bond1 
>> iface bond1 inet manual 
>> bond-mode 4 
>> bond-miimon 100 
>> bond-lacp_rate fast 
>> bond-xmit-hash-policy layer2+3 
>> slaves eth0 eth1 
>> 
>> 
>> ----- Mail original ----- 
>> 
>> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>> À: "Dietmar Maurer" <dietmar at proxmox.com> 
>> Cc: "Alexandre DERUMIER" <aderumier at odiso.com>, pve-devel at pve.proxmox.com 
>> Envoyé: Lundi 11 Février 2013 16:40:13 
>> Objet: Re: [pve-devel] new bridge code doesn't work with redhat kernel 
>> 
>> Hello, 
>> 
>> please wait a bit i'll contact Patrick in a few minutes as i wanted to 
>> switch to bonding today and it stops working again. 
>> 
>> Let's see how a real solution would look like. Right now i've the same 
>> problem as alexandre that the VM is not reachable at all when using bond. 
>> 
>> Alexandre maybe you can tell me how you got your bonding working? 
>> 
>> My interfaces: 
>> 
>> auto bond0 
>> iface bond0 inet manual 
>> slaves eth0 eth1 
>> bond_mode 802.3ad 
>> bond_miimon 100 
>> bond_updelay 200 
>> bond_downdelay 10 
>> 
>> auto vmbr0 
>> iface vmbr0 inet manual 
>> bridge_ports bond0 
>> bridge_stp off 
>> bridge_fd 0 
>> 
>> But this results in no IP communication for the VM - even without using 
>> any vlans. 
>> 
>> Stefan 
>> Am 11.02.2013 09:42, schrieb Dietmar Maurer: 
>>> 
>>> 
>>>> -----Original Message----- 
>>>> From: Alexandre DERUMIER [mailto:aderumier at odiso.com] 
>>>> Sent: Freitag, 08. Februar 2013 08:12 
>>>> To: Stefan Priebe; Dietmar Maurer 
>>>> Cc: pve-devel at pve.proxmox.com 
>>>> Subject: Re: [pve-devel] new bridge code doesn't work with redhat kernel 
>>>> 
>>>> Hi Stefan, Thanks it's working ! (I have not aware of vlan-raw-device syntax). 
>>>> 
>>>> Based of this, I have a better setup, putting ip addresse on vlan interface, 
>>>> and not on a bridge. 
>>>> So it's a small change. 
>>>> 
>>>> But I really think this change should not go in stable pve repo before a big 
>>>> release like proxmox 2.3. 
>>>> As It ll require reboot of the host to have clean bridges without mix of tagged 
>>>> interfaces and tagged bridges interfaces. 
>>> 
>>> 2.3 release is the next release planned end of February. There is a new kernel, and 
>>> a new kvm (1.4, including new backup code), so we need to recommend a reboot anyways. 
>>> 
>>> Here is a list of advantages and disadvantages: 
>>> 
>>> new code: 
>>> 
>>> + works with any number of physical interfaces 
>>> + works with gvrp 
>>> - only tested by a few people 
>>> - not fully compatible with existing vlan setup 
>>> 
>>> old code: 
>>> 
>>> + works well for many users 
>>> + also used by RHEV/libvirt 
>>> - needs exactly one physical interface (should also work with 0 physical interfaces) 
>>> - gvrp does not work (https://lkml.org/lkml/2013/2/7/107) 
>>> + can use vlan hardware support (better performance?) 
>>> 
>>> 
>>> Seems GVRP is a rarely used feature, because it is very dangerous security wise. 
>>> 
>>> So what is your opinion: 
>>> 
>>> A.) keep old VLAN code (revert change) 
>>> B.) use new VLAN code 
>>> 
>>> Please can we vote on that? Also include a short explanation why you prefer something. 
>>> 
>>> - Dietmar 
>>> 
>>>

More information about the pve-devel mailing list