[pve-devel] new bridge code doesn't work with redhat kernel

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Tue Feb 12 09:35:34 CET 2013 

*arg* ignore me it still doesn't work... i accidently started the VM on
another host not using bonding... *sorry*

Stefan
Am 12.02.2013 09:34, schrieb Stefan Priebe - Profihost AG:
> Hi Dietmar,
> 
> thanks for pointing me to the idea the ethernet driver could be the problem.
> 
> I now updated to latest igb driver and it starts to work fine *GR*... i
> never imagined that this could be the problem.
> 
> Stefan
> Am 12.02.2013 09:15, schrieb Stefan Priebe - Profihost AG:
>> Hi,
>>
>> i got it working by enabling promisc mode on eth0 and eth1 - but could
>> this be correct? Is this really needed?
>>
>> Stefan
>> Am 12.02.2013 08:54, schrieb Dietmar Maurer:
>>> What kind of network card do you have? Maybe related to the new Broadcom driver?
>>>
>>>> -----Original Message-----
>>>> From: Stefan Priebe - Profihost AG [mailto:s.priebe at profihost.ag]
>>>> Sent: Dienstag, 12. Februar 2013 08:49
>>>> To: Alexandre DERUMIER
>>>> Cc: pve-devel at pve.proxmox.com; Dietmar Maurer
>>>> Subject: Re: [pve-devel] new bridge code doesn't work with redhat kernel
>>>>
>>>> Hi Alexandre,
>>>>
>>>> i've the SAME problem but even without a VLAN involved at all if i use bond
>>>> mode 802.3ad. Then i strangely see ALL traffic of all interfaces attached to
>>>> the bond on the TAP device...
>>>>
>>>> Stefan
>>>>
>>>> Am 12.02.2013 08:45, schrieb Alexandre DERUMIER:
>>>>>
>>>>> I have done some tshark traces,
>>>>>
>>>>> with dedicated bridge for the vms.
>>>>> (I have put my admin vlan on a separate nic).
>>>>> I can't get it work.
>>>>>
>>>>> config is
>>>>> ---------
>>>>> auto bond0
>>>>> iface bond0 inet manual
>>>>> slaves eth0 eth1
>>>>> bond_miimon 100
>>>>> bond_mode active-backup
>>>>> pre-up ifup eth0 eth1
>>>>> post-down ifdown eth0 eth1
>>>>>
>>>>> auto vmbr1
>>>>> iface vmbr1 inet manual
>>>>>         bridge_ports bond0
>>>>>         bridge_stp off
>>>>>         bridge_fd 0
>>>>>
>>>>>
>>>>> now I start a vm in vlan95 with vmbr1 (ip address: 10.3.95.241)
>>>>>
>>>>> root at kvmtest1:~# brctl show
>>>>> bridge name	bridge id		STP enabled	interfaces
>>>>> vmbr1		8000.001aa03c98c5	no
>>>>> vmbr1v95	8000.001aa03c98c5	no		tap115i0
>>>>> 							vmbr1.95
>>>>>
>>>>>
>>>>> I can't ping the vm from outside world,
>>>>>
>>>>> I see arp request from the vm on vmbr1v95 and vmbr1. (but not on
>>>>> bond0) But no response
>>>>>
>>>>>
>>>>> # tshark -i vmbr1
>>>>> Running as user "root" and group "root". This could be dangerous.
>>>>> Capturing on vmbr1
>>>>>   0.000000 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell
>>>> 10.3.95.241
>>>>>   1.000577 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell
>>>> 10.3.95.241
>>>>>   1.924068 fe80::8c3e:2cff:fefa:88c8 -> ff02::2      ICMPv6 Router solicitation
>>>>>   2.000673 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell
>>>> 10.3.95.241
>>>>>   5.005467 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell
>>>> 10.3.95.241
>>>>>   5.931900 fe80::8c3e:2cff:fefa:88c8 -> ff02::2      ICMPv6 Router solicitation
>>>>>   6.003867 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell
>>>> 10.3.95.241
>>>>>   7.003908 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell
>>>> 10.3.95.241
>>>>>  10.010779 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell
>>>> 10.3.95.241
>>>>>  11.007851 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell
>>>> 10.3.95.241
>>>>>  12.007901 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell
>>>> 10.3.95.241
>>>>>  15.016168 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell
>>>> 10.3.95.241
>>>>>  16.015875 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell
>>>> 10.3.95.241
>>>>>  17.015859 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell
>>>> 10.3.95.241
>>>>>  18.085844 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell
>>>> 10.3.95.241
>>>>>  19.083953 8e:3e:2c:fa:88:c8 -> Broadcast    ARP Who has 10.3.95.1?  Tell
>>>> 10.3.95.241
>>>>> ^C16 packets captured
>>>>>
>>>>>
>>>>>
>>>>> on bond0, I can see arp request from cisco switchs, but no reponse
>>>>> from the vm
>>>>>
>>>>> Running as user "root" and group "root". This could be dangerous.
>>>>> Capturing on bond0
>>>>>   4.746062 Cisco_bd:ae:40 -> Broadcast    ARP Who has 10.3.95.241?  Tell
>>>> 10.3.95.1
>>>>>   5.647504 Cisco_bd:ae:40 -> Broadcast    ARP Who has 10.3.95.241?  Tell
>>>> 10.3.95.1
>>>>>   6.745705 Cisco_bd:ae:40 -> Broadcast    ARP Who has 10.3.95.241?  Tell
>>>> 10.3.95.1
>>>>>   7.745565 Cisco_bd:ae:40 -> Broadcast    ARP Who has 10.3.95.241?  Tell
>>>> 10.3.95.1
>>>>>  11.744866 Cisco_bd:ae:40 -> Broadcast    ARP Who has 10.3.95.241?  Tell
>>>> 10.3.95.1
>>>>>
>>>>>
>>>>> So, something is wrong between bond0 and vmbr1.
>>>>> (Maybe the vlans tags ? I don't know how to trace the vlan tag with
>>>>> tshark, any idea ?)
>>>>>
>>>>> So maybe my firsts tests was working because of arp cache.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ----- Mail original -----
>>>>>
>>>>> De: "Stefan Priebe" <s.priebe at profihost.ag>
>>>>> À: "Alexandre DERUMIER" <aderumier at odiso.com>
>>>>> Cc: pve-devel at pve.proxmox.com, "Dietmar Maurer"
>>>> <dietmar at proxmox.com>
>>>>> Envoyé: Lundi 11 Février 2013 20:44:28
>>>>> Objet: Re: [pve-devel] new bridge code doesn't work with redhat kernel
>>>>>
>>>>> HI,
>>>>>
>>>>> right now i'm talking about bridge on top of a bond NO VLAN involved.
>>>>> My commit / code change does not even touch that...
>>>>>
>>>>> Could you please check? As far as i know this is working for you - isn't it?
>>>>>
>>>>> Stefan
>>>>>
>>>>> Am 11.02.2013 17:40, schrieb Alexandre DERUMIER:
>>>>>> Mmmm, this is strange, I have just retested after reboot my test
>>>>>> server,
>>>>>>
>>>>>> it doesn't work anymore too with new bridge code.
>>>>>>
>>>>>> (maybe an arp problem ?)
>>>>>>
>>>>>> I'm a bit scaried....
>>>>>>
>>>>>>
>>>>>> ----- Mail original -----
>>>>>>
>>>>>> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>>>>> À: "Alexandre DERUMIER" <aderumier at odiso.com>
>>>>>> Cc: pve-devel at pve.proxmox.com, "Dietmar Maurer"
>>>> <dietmar at proxmox.com>
>>>>>> Envoyé: Lundi 11 Février 2013 17:28:34
>>>>>> Objet: Re: [pve-devel] new bridge code doesn't work with redhat
>>>>>> kernel
>>>>>>
>>>>>> And how does you bridge look like? To me the tap devices attached to the
>>>> bridge don't work at all.
>>>>>>
>>>>>> Stefan
>>>>>>
>>>>>> Am 11.02.2013 um 17:16 schrieb Alexandre DERUMIER
>>>> <aderumier at odiso.com>:
>>>>>>
>>>>>>> Hi stefan, this is working for my with theses bond configs
>>>>>>>
>>>>>>> active-backup
>>>>>>> --------------
>>>>>>> auto bond0
>>>>>>> iface bond0 inet manual
>>>>>>> slaves eth0 eth1
>>>>>>> bond_miimon 100
>>>>>>> bond_mode active-backup
>>>>>>> pre-up ifup eth0 eth1
>>>>>>> post-down ifdown eth0 eth1
>>>>>>>
>>>>>>>
>>>>>>> or lacp
>>>>>>> -------
>>>>>>> auto bond1
>>>>>>> iface bond1 inet manual
>>>>>>> bond-mode 4
>>>>>>> bond-miimon 100
>>>>>>> bond-lacp_rate fast
>>>>>>> bond-xmit-hash-policy layer2+3
>>>>>>> slaves eth0 eth1
>>>>>>>
>>>>>>>
>>>>>>> ----- Mail original -----
>>>>>>>
>>>>>>> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>>>>>> À: "Dietmar Maurer" <dietmar at proxmox.com>
>>>>>>> Cc: "Alexandre DERUMIER" <aderumier at odiso.com>,
>>>>>>> pve-devel at pve.proxmox.com
>>>>>>> Envoyé: Lundi 11 Février 2013 16:40:13
>>>>>>> Objet: Re: [pve-devel] new bridge code doesn't work with redhat
>>>>>>> kernel
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> please wait a bit i'll contact Patrick in a few minutes as i wanted
>>>>>>> to switch to bonding today and it stops working again.
>>>>>>>
>>>>>>> Let's see how a real solution would look like. Right now i've the
>>>>>>> same problem as alexandre that the VM is not reachable at all when
>>>> using bond.
>>>>>>>
>>>>>>> Alexandre maybe you can tell me how you got your bonding working?
>>>>>>>
>>>>>>> My interfaces:
>>>>>>>
>>>>>>> auto bond0
>>>>>>> iface bond0 inet manual
>>>>>>> slaves eth0 eth1
>>>>>>> bond_mode 802.3ad
>>>>>>> bond_miimon 100
>>>>>>> bond_updelay 200
>>>>>>> bond_downdelay 10
>>>>>>>
>>>>>>> auto vmbr0
>>>>>>> iface vmbr0 inet manual
>>>>>>> bridge_ports bond0
>>>>>>> bridge_stp off
>>>>>>> bridge_fd 0
>>>>>>>
>>>>>>> But this results in no IP communication for the VM - even without
>>>>>>> using any vlans.
>>>>>>>
>>>>>>> Stefan
>>>>>>> Am 11.02.2013 09:42, schrieb Dietmar Maurer:
>>>>>>>>
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Alexandre DERUMIER [mailto:aderumier at odiso.com]
>>>>>>>>> Sent: Freitag, 08. Februar 2013 08:12
>>>>>>>>> To: Stefan Priebe; Dietmar Maurer
>>>>>>>>> Cc: pve-devel at pve.proxmox.com
>>>>>>>>> Subject: Re: [pve-devel] new bridge code doesn't work with redhat
>>>>>>>>> kernel
>>>>>>>>>
>>>>>>>>> Hi Stefan, Thanks it's working ! (I have not aware of vlan-raw-device
>>>> syntax).
>>>>>>>>>
>>>>>>>>> Based of this, I have a better setup, putting ip addresse on vlan
>>>>>>>>> interface, and not on a bridge.
>>>>>>>>> So it's a small change.
>>>>>>>>>
>>>>>>>>> But I really think this change should not go in stable pve repo
>>>>>>>>> before a big release like proxmox 2.3.
>>>>>>>>> As It ll require reboot of the host to have clean bridges without
>>>>>>>>> mix of tagged interfaces and tagged bridges interfaces.
>>>>>>>>
>>>>>>>> 2.3 release is the next release planned end of February. There is a
>>>>>>>> new kernel, and a new kvm (1.4, including new backup code), so we
>>>> need to recommend a reboot anyways.
>>>>>>>>
>>>>>>>> Here is a list of advantages and disadvantages:
>>>>>>>>
>>>>>>>> new code:
>>>>>>>>
>>>>>>>> + works with any number of physical interfaces works with gvrp
>>>>>>>> - only tested by a few people
>>>>>>>> - not fully compatible with existing vlan setup
>>>>>>>>
>>>>>>>> old code:
>>>>>>>>
>>>>>>>> + works well for many users
>>>>>>>> + also used by RHEV/libvirt
>>>>>>>> - needs exactly one physical interface (should also work with 0
>>>>>>>> physical interfaces)
>>>>>>>> - gvrp does not work (https://lkml.org/lkml/2013/2/7/107)
>>>>>>>> + can use vlan hardware support (better performance?)
>>>>>>>>
>>>>>>>>
>>>>>>>> Seems GVRP is a rarely used feature, because it is very dangerous
>>>> security wise.
>>>>>>>>
>>>>>>>> So what is your opinion:
>>>>>>>>
>>>>>>>> A.) keep old VLAN code (revert change)
>>>>>>>> B.) use new VLAN code
>>>>>>>>
>>>>>>>> Please can we vote on that? Also include a short explanation why you
>>>> prefer something.
>>>>>>>>
>>>>>>>> - Dietmar
>>>>>>>>
>>>>>>>>
>>>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>

More information about the pve-devel mailing list