[pve-devel] pve-firewall : vm live migration: rules applied only after vm config file move
Alexandre DERUMIER
aderumier at odiso.com
Wed Feb 13 16:20:15 CET 2019
>>Maybe live migration can tell firewall on target node to activate rules before we start migration. But I am not sure
>>how to implement that.
I think it should be done at VM/CT start: force the firewall to activate the rules before launching qemu or lxc. This way we can be sure that the rules are applied before
the OS has finished booting. (Currently, if a CT or VM boots fast, it's also possible to have a few seconds with an open firewall.)
I don't know how; maybe we need to add an API in the pve-firewall daemon to force it to sync?
----- Original Message -----
From: "dietmar" <dietmar at proxmox.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>, "aderumier" <aderumier at odiso.com>
Sent: Tuesday 12 February 2019 10:21:46
Subject: Re: [pve-devel] pve-firewall : vm live migration: rules applied only after vm config file move
> That means that when we do a live migration,
> the rules are not applied until the config file is moved (and the VM resumes just after).
>
> So, we can have some seconds where the rules are not yet applied.
>
> I'm not sure how we could handle this correctly.
>
> 1) force a rules update after the config move but before the resume (but maybe for complex/big iptables rule sets this will give us some seconds of timeout for the VM)
>
> 2) update the rules during live migration (maybe simply detect if the VM process is running (pid? systemd scope?), or if the vmbrfw device exists?)
Maybe live migration can tell firewall on target node to activate rules before we start migration. But I am not sure
how to implement that.
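Whichever of the two options is chosen, the target node needs a way to confirm that the guest's firewall rules are actually loaded before the VM is resumed (or before qemu/lxc is started). The following is an added example, not pve-firewall or qemu-server code: it checks `iptables-save` output for the per-interface chains and polls until they appear. It assumes, as a labelled assumption, that pve-firewall names those chains `tap<vmid>i<n>-IN`/`-OUT` for VMs and `veth<vmid>i<n>-IN`/`-OUT` for containers; the sample ruleset is constructed for the example.

```python
"""Check whether pve-firewall has applied the per-guest rules on this node.

Added example, not pve-firewall code. Assumption: pve-firewall creates one
iptables chain pair per guest interface, named "tap<vmid>i<idx>-IN"/"-OUT"
(VMs) or "veth<vmid>i<idx>-IN"/"-OUT" (CTs). If the naming differs in the
pve-firewall version in use, adjust _CHAIN_RE.
"""
import re
import subprocess
import time
from typing import Callable

# Assumed chain naming (see module docstring).
_CHAIN_RE = re.compile(r"^:(?P<iface>(tap|veth)(?P<vmid>\d+)i\d+)-(IN|OUT)\s")


def guest_chains(iptables_save: str) -> dict[int, set[str]]:
    """Map VMID -> set of per-interface chain names found in iptables-save text."""
    found: dict[int, set[str]] = {}
    for line in iptables_save.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            chain = line.split()[0][1:]  # strip the leading ':' of ":<chain> - [0:0]"
            found.setdefault(int(m.group("vmid")), set()).add(chain)
    return found


def rules_active(iptables_save: str, vmid: int) -> bool:
    """True only if both -IN and -OUT chains exist for at least one interface of vmid.

    A lone -IN chain means pve-firewall is still mid-update, so it counts as not active.
    """
    chains = guest_chains(iptables_save).get(vmid, set())
    ifaces = {c.rsplit("-", 1)[0] for c in chains}
    return any(f"{i}-IN" in chains and f"{i}-OUT" in chains for i in ifaces)


def wait_for_rules(vmid: int, fetch: Callable[[], str],
                   timeout: float = 10.0, interval: float = 0.2) -> bool:
    """Poll fetch() (normally live_iptables_save) until the guest's rules appear.

    Returns False on timeout so the caller can decide not to resume the VM yet.
    """
    deadline = time.monotonic() + timeout
    while True:
        if rules_active(fetch(), vmid):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


def live_iptables_save() -> str:
    """Read the real ruleset (needs root on a PVE node)."""
    return subprocess.run(["iptables-save"], check=True,
                          capture_output=True, text=True).stdout


# Constructed sample: VM 100 has both chains, VM 101 only has -IN so far.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:PVEFW-FORWARD - [0:0]
:tap100i0-IN - [0:0]
:tap100i0-OUT - [0:0]
:tap101i0-IN - [0:0]
-A tap100i0-IN -j DROP
COMMIT
"""

if __name__ == "__main__":
    for vmid in (100, 101):
        state = "active" if rules_active(SAMPLE_IPTABLES_SAVE, vmid) else "not yet"
        print(vmid, state)
```

In a migration hook the call would be `wait_for_rules(vmid, live_iptables_save)` on the target node just before the resume; a `False` result is the signal that the window the thread describes is still open.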