[PVE-User] Firewall settings for migration type insecure
Uwe Sauter
uwe.sauter.de at gmail.com
Fri Mar 23 15:31:39 CET 2018
Thomas,
a quick follow-up: is it possible to create PVE firewall rules for port ranges? It seems that only a single port is allowed per
rule. If I enter "60000-60050" it displays:
Parameter verification failed. (400)
sport: invalid format - invalid port '60000-60050'
dport: invalid format - invalid port '60000-60050'
Best,
Uwe
On 23.03.2018 at 15:15, Thomas Lamprecht wrote:
> Hi Uwe!
>
> On 3/23/18 3:02 PM, Uwe Sauter wrote:
>> Hi there,
>>
>> I wanted to test "migration: type=insecure" in /etc/pve/datacenter.cfg but migrations fail with this setting.
>>
>> ##### log of failed insecure migration #####
>> 2018-03-23 14:58:44 starting migration of VM 101 to node 'px-bravo-cluster' (169.254.42.49)
>> 2018-03-23 14:58:44 copying disk images
>> 2018-03-23 14:58:44 starting VM 101 on remote node 'px-bravo-cluster'
>> 2018-03-23 14:58:46 start remote tunnel
>> 2018-03-23 14:58:47 ssh tunnel ver 1
>> 2018-03-23 14:58:47 starting online/live migration on tcp:169.254.42.49:60000
>> 2018-03-23 14:58:47 migrate_set_speed: 8589934592
>> 2018-03-23 14:58:47 migrate_set_downtime: 0.1
>> 2018-03-23 14:58:47 set migration_caps
>> 2018-03-23 14:58:47 set cachesize: 429496729
>> 2018-03-23 14:58:47 start migrate command to tcp:169.254.42.49:60000
>> 2018-03-23 14:58:48 migration status error: failed
>> 2018-03-23 14:58:48 ERROR: online migrate failure - aborting
>> 2018-03-23 14:58:48 aborting phase 2 - cleanup resources
>> 2018-03-23 14:58:48 migrate_cancel
>> 2018-03-23 14:58:50 ERROR: migration finished with problems (duration 00:00:06)
>> TASK ERROR: migration problems
>> #############################################
>>
>> If I migrate without this setting, all is well:
>>
>> ##### log of secure migration #####
>> 2018-03-23 14:59:22 starting migration of VM 101 to node 'px-bravo-cluster' (169.254.42.49)
>> 2018-03-23 14:59:22 copying disk images
>> 2018-03-23 14:59:22 starting VM 101 on remote node 'px-bravo-cluster'
>> 2018-03-23 14:59:24 start remote tunnel
>> 2018-03-23 14:59:25 ssh tunnel ver 1
>> 2018-03-23 14:59:25 starting online/live migration on unix:/run/qemu-server/101.migrate
>> 2018-03-23 14:59:25 migrate_set_speed: 8589934592
>> 2018-03-23 14:59:25 migrate_set_downtime: 0.1
>> 2018-03-23 14:59:25 set migration_caps
>> 2018-03-23 14:59:25 set cachesize: 429496729
>> 2018-03-23 14:59:25 start migrate command to unix:/run/qemu-server/101.migrate
>> 2018-03-23 14:59:26 migration status: active (transferred 364346358, remaining 1538641920), total 4312604672)
>> 2018-03-23 14:59:26 migration xbzrle cachesize: 268435456 transferred 0 pages 0 cachemiss 0 overflow 0
>> 2018-03-23 14:59:27 migration status: active (transferred 807140830, remaining 406495232), total 4312604672)
>> 2018-03-23 14:59:27 migration xbzrle cachesize: 268435456 transferred 0 pages 0 cachemiss 0 overflow 0
>> 2018-03-23 14:59:28 migration speed: 1365.33 MB/s - downtime 55 ms
>> 2018-03-23 14:59:28 migration status: completed
>> 2018-03-23 14:59:31 migration finished successfully (duration 00:00:09)
>> TASK OK
>> ###################################
>>
>> I suspect that the failure is due to firewall settings. Could someone explain which ports need to be opened to allow insecure
>> migration? From the log I can see port 60000/tcp but are there others?
>>
>
> Migration ports are allocated from the range [60000 to 60050],
> to allow multiple migrations at the same time.
>
> cheers,
> Thomas
>
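An added example, not part of the original thread: PVE firewall port fields take a range in `first:last` form (iptables style) rather than with a hyphen, so the migration range Thomas gives fits in a single rule. The 169.254.42.0/24 subnet is an assumption derived from the node address in the log above; because insecure migration sends VM memory unencrypted over TCP, both the migration network and the firewall rule are scoped to that subnet.

```ini
# --- /etc/pve/datacenter.cfg ---
# Cleartext migration, pinned to the dedicated migration subnet
# (CIDR is an assumption, see above).
migration: type=insecure,network=169.254.42.0/24

# --- /etc/pve/firewall/cluster.fw ---
[RULES]
# Rejected by parameter verification (hyphenated range):
#   IN ACCEPT -source 169.254.42.0/24 -p tcp -dport 60000-60050
# Accepted (colon-separated range). Only dport is matched: the target node
# listens on a port from 60000 to 60050, while the sending node connects
# from an ephemeral source port, so an sport match would block the traffic.
IN ACCEPT -source 169.254.42.0/24 -p tcp -dport 60000:60050
```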