[pve-devel] Quorum problems with NICs Intel of 10 Gb/s and VMs turns off

Cesar Peschiera brain at click.com.py
Sun Jan 4 01:32:54 CET 2015


Hi Alexandre and Michael Rasmussen,

Many thanks for your replies
(received in another mail in the case of Michael).

I would like to ask for a bit of help to configure my switch correctly; your
help will be greatly appreciated.
And many thanks to you for your patience in helping me.

Alexandre said about the firewall in the VM:
>(I know there was a bug with openvswitch, but with linux bridge it should
>work without any problem)
I was testing with openvswitch, and afterwards, as DRBD doesn't work with
openvswitch, I changed to linux bridge, so I will do some tests with the
linux bridge enabled.

Alexandre said:
>If you enable multicast snooping (on linux bridge, or physical switch),
>you need an igmp querier (or more) on your network.

- I have 2 Dell N2024 switches in a stack, according to this web link:
http://www.dell.com/us/business/p/networking-n2000-series/pd
- The CLI is very similar to Cisco, but I don't know how to configure the igmp
querier correctly (my ignorance about that is my problem)
- The switch has the configuration option of igmp querier.
- Also, I don't know exactly how "igmp querier" works.

Now in the switch I have igmp snooping disabled, but I want to avoid
flooding the entire VLAN and the VMs.

Moreover, 1 month ago, I was testing this configuration (see below), and my
PVE nodes receive the multicast packets, but I believe that the VMs also
receive the multicast packets; this last part I don't like.

General notes about my PVE nodes:
- I have a cluster of 8 PVE nodes
- 2 nodes have PVE version 2.3 (and maybe have an old version of the igmp
protocol)
- 6 nodes have PVE version 3.3 (with kernel 3.10)

General notes about my network configuration:
- In the switch, I have only vlan1 enabled (that is necessary)
- My PVE nodes have LACP configured for the cluster communication and were
using port-channel in the switch.
- The cluster communication uses the 239.192.190.115 IP address.
- The square brackets in my example below are only for reference.
- The switch has several "port-channel LACP" configured for use with the PVE
nodes

config# ip igmp snooping vlan [1]
config# mac address-table static 239.192.190.115 vlan [1] interface port-channel [port-channel-num]
(this last line is repeated for each PVE node, with a different
"port-channel" configured for each PVE node)

- Then, if you can help me with the configuration of the switch, I will be
able to finish doing it correctly.
- The target: that only the PVE nodes receive the multicast packets, and
not the VMs and the workstations connected to the switch.

- Finally, I guess that I only need to apply these commands in the switch,
without considering the configuration of my previous test, but I am not sure,
"and always considering my target":

- To enable the multicast filter in the global configuration:
config# ip igmp snooping
- To enable the multicast filter for vlan 1:
config# ip igmp snooping vlan 1
- To enable the multicast querier for a specific IP address:
config# ip igmp snooping querier vlan 1 239.192.190.115

- And please!!!, consider that I am not an expert in managed networks when
you give me your answers (if possible)

Best regards
Cesar

----- Original Message ----- 
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Cesar Peschiera" <brain at click.com.py>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Saturday, January 03, 2015 12:40 PM
Subject: Re: [pve-devel] Quorum problems with NICs Intel of 10 Gb/s and
VMs turns off


>>A minute after applying these commands on only one node (pve6), I lost the
>>quorum in two nodes (pve5 and pve6):
>>The commands executed on only one node (pve6):
>>echo 1 > /sys/devices/virtual/net/vmbr0/bridge/multicast_snooping
>>echo 0 > /sys/class/net/vmbr0/bridge/multicast_querier

If you enable multicast snooping (on linux bridge, or physical switch),
you need an igmp querier (or more) on your network.

Personally, I really don't like to use the querier from linux bridge,
so I enable it on my physical switches.

You can have multiple queriers, but only one is working at a time.
(There is some kind of election when a querier goes down)

On linux bridge, disabling multicast_snooping also disables the multicast
querier by default.


>>1) Why did the pve5 node lose the quorum if I didn't apply any change on
>>this node?
>>(this node always had the multicast snooping filter disabled)

Is igmp snooping enabled on your physical switch ?
Maybe pve6 was the master igmp querier.


>>2) Why does the VM that is running on the pve5 node and is also configured
>>in HA turn off brutally?
>>3) If it is a bug, can someone apply a patch to the code?

Can't comment about this, I don't use HA in production. Maybe it's because it
lost quorum.
You really need a stable multicast (really really stable) to use HA.



>>Moreover, talking about the firewall enabled for the VMs:
>>I remember that +/- 1 month ago, I tried to apply to the firewall a rule
>>restricting access of the IP address of cluster communication to the VMs,
>>without success, i.e., with a default firewall policy of "allow",
>>each time that I enable this single restrictive rule on the VM, the VM
>>loses all network communication. Maybe I am wrong about something.
>>
>>So I would like to ask you some things:
>>
>>4) Can you do a test, and then tell me the results?
>>5) If the results are positive, can you tell me how to do it?
>>6) And if the results are negative, can you apply a patch to the code?

I'll do a test, but I don't see why it wouldn't work.
(I know there was a bug with openvswitch, but with linux bridge it should
work without any problem)



>>7) As each PVE node has its "firewall" tag in the PVE GUI, I guess that
>>such an option is for applying in/out firewall rules that affect only this
>>node, right? Or what does such an option exist for?

Yes, exactly, the firewall tab on the node is the firewall for INPUT|OUTPUT
rules to|from the node.
At datacenter level, it applies to all nodes IN|OUT


----- Original Mail -----
From: "aderumier" <aderumier at odiso.com>
To: "Cesar Peschiera" <brain at click.com.py>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Saturday, 3 January 2015 16:31:11
Subject: Re: [pve-devel] Quorum problems with NICs Intel of 10 Gb/s and
VMs turns off
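
Added example (not part of the thread and not Proxmox code): a shell check for the condition Alexandre describes, a Linux bridge with multicast snooping on and no querier of its own, which then depends on a querier elsewhere on the VLAN such as the physical switch. It reads the two sysfs files named in the thread; the function names and the optional root-directory argument are assumptions of this example, and the demo runs on a constructed directory tree.

```shell
#!/bin/sh
# Added example: classify a Linux bridge's IGMP snooping/querier state.
# The optional second argument (a root directory prepended to /sys) is an
# assumption of this example so it can run against a constructed tree.

bridge_mcast_state() {
    bms_dir="${2:-}/sys/class/net/$1/bridge"
    if [ ! -r "$bms_dir/multicast_snooping" ]; then
        echo "not-a-bridge"
        return 2
    fi
    bms_snoop=$(cat "$bms_dir/multicast_snooping")
    bms_querier=$(cat "$bms_dir/multicast_querier" 2>/dev/null || echo 0)
    if [ "$bms_snoop" = "0" ]; then
        # Snooping off: the bridge floods multicast to every port,
        # VM ports included, and needs no querier.
        echo "flooding"
    elif [ "$bms_querier" = "1" ]; then
        # Snooping on and the bridge sends IGMP queries itself.
        echo "snooping-local-querier"
    else
        # Snooping on without a local querier: group membership is only
        # refreshed if another querier (e.g. the switch) is on the VLAN.
        echo "snooping-needs-external-querier"
        return 1
    fi
}

# Build one constructed bridge entry: root, name, snooping, querier.
make_fake_bridge() {
    mkdir -p "$1/sys/class/net/$2/bridge"
    echo "$3" > "$1/sys/class/net/$2/bridge/multicast_snooping"
    echo "$4" > "$1/sys/class/net/$2/bridge/multicast_querier"
}

# Demo on constructed data; on a real node call: bridge_mcast_state vmbr0
demo_root=$(mktemp -d)
make_fake_bridge "$demo_root" vmbr0 1 0   # the state set on pve6 in the thread
make_fake_bridge "$demo_root" vmbr1 0 0
for demo_br in vmbr0 vmbr1; do
    printf '%s: %s\n' "$demo_br" "$(bridge_mcast_state "$demo_br" "$demo_root")"
done
rm -rf "$demo_root"
```

A non-zero exit status marks the states worth alerting on, so the function can be dropped into a node health check as is.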