[pve-devel] pve-firewall : vm live migration: rules applied only after vm config file move

Paul Chambers bod at bod.org
Thu Feb 14 20:28:29 CET 2019


Perhaps using Network Namespaces would help? I'd like to see Proxmox 
officially support them for other reasons, this might be one reason to do.

You could recreate the Network Namespace in the destination for the VM 
about to be migrated.

- Paul

Alexandre DERUMIER wrote on 2/11/2019 3:05 PM:
> Hi,
>
> Currently pve-firewall only applied vm rules,
> for vms where config are local to the node.
>
>
> That mean that when we do a live migration,
> the rules are not apply until the config file is moved. (and vm resume just after).
>
> So, we can have some seconds where the rules are not yet applied.
>
>
> I'm not sure how we could handle this correctly ?
>
> 1) force rules update after the config move but before the resume.(but maybe for complex/big iptables this will give us some seconds of timeout for the vm)
>
> 2) update rules during live migration (maybe simply detect if vm process is running (pid ? systemd scope ?), or if vmbrfw device exist ?
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

-- 
http://about.me/paul.chambers


More information about the pve-devel mailing list