[PVE-User] Firewall settings for migration type insecure

Thomas Lamprecht t.lamprecht at proxmox.com
Fri Mar 23 15:35:09 CET 2018


Uwe,

On 3/23/18 3:31 PM, Uwe Sauter wrote:
> a quick follow-up: is it possible to create PVE firewall rules for port ranges? It seems that only a single port is allowed per
> rule. If I enter "60000-60050" it displays:
> 
> Parameter verification failed. (400)
> 
> sport: invalid format - invalid port '60000-60050'
> dport: invalid format - invalid port '60000-60050'
> 

See: https://pve.proxmox.com/pve-docs/chapter-pve-firewall.html#_firewall_rules

You can pass ranges with START:STOP . For your case that would be:
60000:60050

cheers,
Thomas

> Best,
> 	Uwe
> 
> 
> Am 23.03.2018 um 15:15 schrieb Thomas Lamprecht:
>> Hi Uwe!
>>
>> On 3/23/18 3:02 PM, Uwe Sauter wrote:
>>> Hi there,
>>>
>>> I wanted to test "migration: type=insecure" in /etc/pve/datacenter.cfg but migrations fail with this setting.
>>>
>>> ##### log of failed insecure migration #####
>>> 2018-03-23 14:58:44 starting migration of VM 101 to node 'px-bravo-cluster' (169.254.42.49)
>>> 2018-03-23 14:58:44 copying disk images
>>> 2018-03-23 14:58:44 starting VM 101 on remote node 'px-bravo-cluster'
>>> 2018-03-23 14:58:46 start remote tunnel
>>> 2018-03-23 14:58:47 ssh tunnel ver 1
>>> 2018-03-23 14:58:47 starting online/live migration on tcp:169.254.42.49:60000
>>> 2018-03-23 14:58:47 migrate_set_speed: 8589934592
>>> 2018-03-23 14:58:47 migrate_set_downtime: 0.1
>>> 2018-03-23 14:58:47 set migration_caps
>>> 2018-03-23 14:58:47 set cachesize: 429496729
>>> 2018-03-23 14:58:47 start migrate command to tcp:169.254.42.49:60000
>>> 2018-03-23 14:58:48 migration status error: failed
>>> 2018-03-23 14:58:48 ERROR: online migrate failure - aborting
>>> 2018-03-23 14:58:48 aborting phase 2 - cleanup resources
>>> 2018-03-23 14:58:48 migrate_cancel
>>> 2018-03-23 14:58:50 ERROR: migration finished with problems (duration 00:00:06)
>>> TASK ERROR: migration problems
>>> #############################################
>>>
>>> If I migrate without this setting, all is well:
>>>
>>> ##### log of secure migration #####
>>> 2018-03-23 14:59:22 starting migration of VM 101 to node 'px-bravo-cluster' (169.254.42.49)
>>> 2018-03-23 14:59:22 copying disk images
>>> 2018-03-23 14:59:22 starting VM 101 on remote node 'px-bravo-cluster'
>>> 2018-03-23 14:59:24 start remote tunnel
>>> 2018-03-23 14:59:25 ssh tunnel ver 1
>>> 2018-03-23 14:59:25 starting online/live migration on unix:/run/qemu-server/101.migrate
>>> 2018-03-23 14:59:25 migrate_set_speed: 8589934592
>>> 2018-03-23 14:59:25 migrate_set_downtime: 0.1
>>> 2018-03-23 14:59:25 set migration_caps
>>> 2018-03-23 14:59:25 set cachesize: 429496729
>>> 2018-03-23 14:59:25 start migrate command to unix:/run/qemu-server/101.migrate
>>> 2018-03-23 14:59:26 migration status: active (transferred 364346358, remaining 1538641920), total 4312604672)
>>> 2018-03-23 14:59:26 migration xbzrle cachesize: 268435456 transferred 0 pages 0 cachemiss 0 overflow 0
>>> 2018-03-23 14:59:27 migration status: active (transferred 807140830, remaining 406495232), total 4312604672)
>>> 2018-03-23 14:59:27 migration xbzrle cachesize: 268435456 transferred 0 pages 0 cachemiss 0 overflow 0
>>> 2018-03-23 14:59:28 migration speed: 1365.33 MB/s - downtime 55 ms
>>> 2018-03-23 14:59:28 migration status: completed
>>> 2018-03-23 14:59:31 migration finished successfully (duration 00:00:09)
>>> TASK OK
>>> ###################################
>>>
>>> I suspect that the failure is due to firewall settings. Could someone explain which ports need to be opened to allow insecure
>>> migration? From the log I can see port 60000/tcp but are there others?
>>>
>>
>> Migration ports are allocated from the range [60000 to 60050],
>> to allow multiple migrations at the same time.
>>
>> cheers,
>> Thomas
>>
> 
> 




More information about the pve-user mailing list