[pve-devel] [PATCH many 00/14] fix #5180: migrate conntrack state on live migration
DERUMIER, Alexandre
alexandre.derumier at groupe-cyllene.com
Tue Mar 18 09:52:02 CET 2025
Hi Christoph,
this looks really great!
I have an old bugzilla related:
https://bugzilla.proxmox.com/show_bug.cgi?id=2451
where we could finally enable nf_conntrack_tcp_loose=0 with this patch
series.
-------- Original Message --------
From: Christoph Heiss <c.heiss at proxmox.com>
Reply-To: Proxmox VE development discussion <pve-devel at lists.proxmox.com>
To: pve-devel at lists.proxmox.com
Subject: [pve-devel] [PATCH many 00/14] fix #5180: migrate conntrack state on live migration
Date: 17/03/2025 15:11:37
Fixes #5180 [0].
This implements migration of per-VM conntrack state on live-migration.
The core of the implementation is in patches #7 & #8. See there for more
details.
Patches #1 - #3 implement CONNMARK'ing any VM traffic with their unique
VMID. This is needed later on to filter conntrack entries for the
migration. These three patches can be applied independently,
CONNMARK'ing traffic does not have any visible impact.
Patch #13 & #14 are marked RFC, as I'm not sure if we need/should
implement that. But it's working well and cleanup of old resources is
always good IMHO.
Currently, remote/inter-cluster migration is not supported and indicated
to the user with a warning. See also patch #8 for a bit more in-depth
explanation.
Needed dependency bumps between packages are indicated in the notes
appropriately.
Testing
=======
I've primarily tested intra-cluster live-migrations, with both the
iptables-based and nftables-based firewall, using the reproducer as
described in #5180. I further verified that the D-Bus servers get
started as expected and are _always_ stopped, even in the case of some
migration error.
Finally, I also checked using the `conntrack -L -m <vmid>` tool that the
conntrack entries are
a) added/updated on the target node and
b) removed from the source node (w/ patch #13/#14 applied).
Also tested was the migration from/to an "old" (unpatched) node, which
results in the issue as per #5180 & appropriate warnings in the UI.
For remote migrations, only tested that the warning is logged as expected.
Diffstat
========
pve-firewall:
Christoph Heiss (2):
firewall: add connmark rule with VMID to all guest chains
firewall: helpers: add sub for flushing conntrack entries by mark
debian/control | 3 ++-
src/PVE/Firewall.pm | 7 +++++--
src/PVE/Firewall/Helpers.pm | 11 +++++++++++
3 files changed, 18 insertions(+), 3 deletions(-)
proxmox-firewall:
Christoph Heiss (1):
firewall: add connmark rule with VMID to all guest chains
proxmox-firewall/src/firewall.rs | 14 ++-
.../integration_tests__firewall.snap | 85 ++++++++++++++++++-
proxmox-nftables/src/expression.rs | 9 ++
proxmox-nftables/src/statement.rs | 10 ++-
4 files changed, 114 insertions(+), 4 deletions(-)
proxmox-ve-rs:
Christoph Heiss (1):
config: guest: allow access to raw Vmid value
proxmox-ve-config/src/guest/types.rs | 4 ++++
1 file changed, 4 insertions(+)
qemu-server:
Christoph Heiss (5):
qmp helpers: allow passing structured args via qemu_objectadd()
api2: qemu: add module exposing node migration capabilities
fix #5180: libexec: add QEMU dbus-vmstate daemon for migrating conntrack
fix #5180: migrate: integrate helper for live-migrating conntrack info
migrate: flush old VM conntrack entries after successful migration
Makefile | 3 +
PVE/API2/Qemu.pm | 72 +++++++++++++++
PVE/API2/Qemu/Makefile | 2 +-
PVE/API2/Qemu/Migration.pm | 46 ++++++++++
PVE/CLI/qm.pm | 5 ++
PVE/QemuMigrate.pm | 69 ++++++++++++++
PVE/QemuServer.pm | 6 ++
PVE/QemuServer/DBusVMState.pm | 124 +++++++++++++++++++++++++
PVE/QemuServer/Makefile | 1 +
PVE/QemuServer/QMPHelpers.pm | 4 +-
debian/control | 7 +-
libexec/dbus-vmstate | 164 ++++++++++++++++++++++++++++++++++
org.qemu.VMState1.conf | 11 +++
13 files changed, 510 insertions(+), 4 deletions(-)
create mode 100644 PVE/API2/Qemu/Migration.pm
create mode 100644 PVE/QemuServer/DBusVMState.pm
create mode 100755 libexec/dbus-vmstate
create mode 100644 org.qemu.VMState1.conf
pve-common:
Christoph Heiss (1):
tools: add run_fork_detached() for spawning daemons
src/PVE/Tools.pm | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
pve-manager:
Christoph Heiss (4):
api2: capabilities: explicitly import CPU capabilities module
api2: capabilities: proxy index endpoints to respective nodes
api2: capabilities: expose new qemu/migration endpoint
ui: window: Migrate: add checkbox for migrating VM conntrack state
PVE/API2/Capabilities.pm | 9 +++++
www/manager6/window/Migrate.js | 73 ++++++++++++++++++++++++++++++++--
2 files changed, 78 insertions(+), 4 deletions(-)
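As an added example (not code from the patch series or from anyone in this thread), a small Python check that mirrors the verification described in the Testing section: parse `conntrack -L` output captured on the source and target nodes, keep only entries whose mark equals the VMID, and report which flows are missing on the target or were left behind on the source. The sample output lines are constructed, and the assumption that the connmark carries the bare VMID follows the cover letter.

```python
import re

# Constructed sample output in the format printed by `conntrack -L`; the mark
# field holds the VMID set by the per-guest CONNMARK rule (assumed here).
SOURCE_BEFORE = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=40210 dport=22 src=10.0.0.9 dst=10.0.0.5 sport=22 dport=40210 [ASSURED] mark=100 use=1
tcp      6 299 ESTABLISHED src=10.0.0.5 dst=10.0.0.7 sport=55012 dport=443 src=10.0.0.7 dst=10.0.0.5 sport=443 dport=55012 [ASSURED] mark=100 use=1
udp      17 29 src=10.0.0.6 dst=10.0.0.1 sport=5353 dport=53 src=10.0.0.1 dst=10.0.0.6 sport=53 dport=5353 mark=101 use=1
"""
# Target after migration: the HTTPS flow of VM 100 did not make it across.
TARGET_AFTER = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=40210 dport=22 src=10.0.0.9 dst=10.0.0.5 sport=22 dport=40210 [ASSURED] mark=100 use=1
"""
# Source after flushing by mark: only the other guest's (VM 101) entry remains.
SOURCE_AFTER = """\
udp      17 29 src=10.0.0.6 dst=10.0.0.1 sport=5353 dport=53 src=10.0.0.1 dst=10.0.0.6 sport=53 dport=5353 mark=101 use=1
"""

# proto, l4 number, timeout, optional TCP state, original-direction tuple, mark.
FLOW_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
    r".*?\bmark=(?P<mark>\d+)"
)


def parse_flows(output, vmid):
    """Return the original-direction 5-tuples whose connmark equals vmid."""
    flows = set()
    for line in output.splitlines():
        m = FLOW_RE.match(line)
        if m and int(m["mark"]) == vmid:
            flows.add((m["proto"], m["src"], m["sport"], m["dst"], m["dport"]))
    return flows


def check_migration(source_before, target_after, source_after, vmid):
    """Compare the VM's flows before/after migration on both nodes."""
    before = parse_flows(source_before, vmid)
    return {
        "missing_on_target": sorted(before - parse_flows(target_after, vmid)),
        "still_on_source": sorted(parse_flows(source_after, vmid)),
    }


if __name__ == "__main__":
    print(check_migration(SOURCE_BEFORE, TARGET_AFTER, SOURCE_AFTER, 100))
```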