[PVE-User] Firewall settings for migration type insecure

Uwe Sauter uwe.sauter.de at gmail.com
Fri Mar 23 15:36:08 CET 2018


Ah, syntax. Thanks again.

Have a nice weekend.


On 23.03.2018 at 15:35, Thomas Lamprecht wrote:
> Uwe,
> 
> On 3/23/18 3:31 PM, Uwe Sauter wrote:
>> a quick follow-up: is it possible to create PVE firewall rules for port ranges? It seems that only a single port is allowed per
>> rule. If I enter "60000-60050" it displays:
>>
>> Parameter verification failed. (400)
>>
>> sport: invalid format - invalid port '60000-60050'
>> dport: invalid format - invalid port '60000-60050'
>>
> 
> See: https://pve.proxmox.com/pve-docs/chapter-pve-firewall.html#_firewall_rules
> 
> You can pass ranges with START:STOP . For your case that would be:
> 60000:60050
> 
> cheers,
> Thomas
> 
>> Best,
>> 	Uwe
>>
>>
>> On 23.03.2018 at 15:15, Thomas Lamprecht wrote:
>>> Hi Uwe!
>>>
>>> On 3/23/18 3:02 PM, Uwe Sauter wrote:
>>>> Hi there,
>>>>
>>>> I wanted to test "migration: type=insecure" in /etc/pve/datacenter.cfg but migrations fail with this setting.
>>>>
>>>> ##### log of failed insecure migration #####
>>>> 2018-03-23 14:58:44 starting migration of VM 101 to node 'px-bravo-cluster' (169.254.42.49)
>>>> 2018-03-23 14:58:44 copying disk images
>>>> 2018-03-23 14:58:44 starting VM 101 on remote node 'px-bravo-cluster'
>>>> 2018-03-23 14:58:46 start remote tunnel
>>>> 2018-03-23 14:58:47 ssh tunnel ver 1
>>>> 2018-03-23 14:58:47 starting online/live migration on tcp:169.254.42.49:60000
>>>> 2018-03-23 14:58:47 migrate_set_speed: 8589934592
>>>> 2018-03-23 14:58:47 migrate_set_downtime: 0.1
>>>> 2018-03-23 14:58:47 set migration_caps
>>>> 2018-03-23 14:58:47 set cachesize: 429496729
>>>> 2018-03-23 14:58:47 start migrate command to tcp:169.254.42.49:60000
>>>> 2018-03-23 14:58:48 migration status error: failed
>>>> 2018-03-23 14:58:48 ERROR: online migrate failure - aborting
>>>> 2018-03-23 14:58:48 aborting phase 2 - cleanup resources
>>>> 2018-03-23 14:58:48 migrate_cancel
>>>> 2018-03-23 14:58:50 ERROR: migration finished with problems (duration 00:00:06)
>>>> TASK ERROR: migration problems
>>>> #############################################
>>>>
>>>> If I migrate without this setting, all is well:
>>>>
>>>> ##### log of secure migration #####
>>>> 2018-03-23 14:59:22 starting migration of VM 101 to node 'px-bravo-cluster' (169.254.42.49)
>>>> 2018-03-23 14:59:22 copying disk images
>>>> 2018-03-23 14:59:22 starting VM 101 on remote node 'px-bravo-cluster'
>>>> 2018-03-23 14:59:24 start remote tunnel
>>>> 2018-03-23 14:59:25 ssh tunnel ver 1
>>>> 2018-03-23 14:59:25 starting online/live migration on unix:/run/qemu-server/101.migrate
>>>> 2018-03-23 14:59:25 migrate_set_speed: 8589934592
>>>> 2018-03-23 14:59:25 migrate_set_downtime: 0.1
>>>> 2018-03-23 14:59:25 set migration_caps
>>>> 2018-03-23 14:59:25 set cachesize: 429496729
>>>> 2018-03-23 14:59:25 start migrate command to unix:/run/qemu-server/101.migrate
>>>> 2018-03-23 14:59:26 migration status: active (transferred 364346358, remaining 1538641920), total 4312604672)
>>>> 2018-03-23 14:59:26 migration xbzrle cachesize: 268435456 transferred 0 pages 0 cachemiss 0 overflow 0
>>>> 2018-03-23 14:59:27 migration status: active (transferred 807140830, remaining 406495232), total 4312604672)
>>>> 2018-03-23 14:59:27 migration xbzrle cachesize: 268435456 transferred 0 pages 0 cachemiss 0 overflow 0
>>>> 2018-03-23 14:59:28 migration speed: 1365.33 MB/s - downtime 55 ms
>>>> 2018-03-23 14:59:28 migration status: completed
>>>> 2018-03-23 14:59:31 migration finished successfully (duration 00:00:09)
>>>> TASK OK
>>>> ###################################
>>>>
>>>> I suspect that the failure is due to firewall settings. Could someone explain which ports need to be opened to allow insecure
>>>> migration? From the log I can see port 60000/tcp but are there others?
>>>>
>>>
>>> Migration ports are allocated from the range [60000 to 60050],
>>> to allow multiple migrations at the same time.
>>>
>>> cheers,
>>> Thomas
>>>
>>
>>
> 
> 
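
Added example, not part of the original thread or of Proxmox's own documentation: a cluster-wide firewall fragment that opens the migration range from the thread using the START:STOP syntax, but only for traffic coming from other cluster nodes, since type=insecure sends the migration stream over plain TCP rather than through the SSH tunnel. The IPSet name migration_peers and the second address are assumptions made for illustration; 169.254.42.49 is the target node seen in the log above.

```ini
# /etc/pve/firewall/cluster.fw  (constructed example)

[OPTIONS]
enable: 1

# Assumption: the set name and the second address are placeholders.
# List the migration-network address of every cluster node here.
[IPSET migration_peers]
169.254.42.49
169.254.42.50

[RULES]
# Insecure (plain TCP) live migration allocates ports from 60000 to 60050.
# Ranges are written START:STOP; "60000-60050" is rejected with
# "invalid format - invalid port".
IN ACCEPT -source +migration_peers -p tcp -dport 60000:60050
```

Limiting the source to the node set keeps the unencrypted migration ports closed to guests and to every other host that can reach the nodes.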


