>>Perhaps using Network Namespaces would help? I'd like to see Proxmox 
>>officially support them for other reasons, this might be one reason to do. 
>>You could recreate the Network Namespace in the destination for the VM about 
>>to be migrated. 

Well, we already have a fwbr created when the target VM is starting, so we could 
detect that to enable rules, even if the config file is not present.

But for CT, it's stop/move config/start. So if the CT is booting fast, firewall 
rules could be applied too late.
I think it's the same for HA with VMs.
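
As an added illustration of the detection idea above (a fwbr device that already exists on the target node while the VM config is not yet local), here is a small POSIX shell check. It is example code written for this thread, not pve-firewall's own code; it assumes the Proxmox bridge naming fwbr<vmid>i<n> and the config path /etc/pve/qemu-server/<vmid>.conf, and the `ip -o link show` sample below is constructed.

```shell
#!/bin/sh
# List VMIDs whose firewall bridge (fwbr<vmid>i<n>) exists on this node but
# whose VM config file is not present locally, i.e. VMs currently in the
# window where the process is running but the rules are not yet applied.
#
# $1 = text as printed by `ip -o link show`
# $2 = directory holding local VM configs (/etc/pve/qemu-server on a real node)
vms_without_local_config() {
    links="$1"
    confdir="$2"
    printf '%s\n' "$links" \
        | sed -n 's/^[0-9]*: *fwbr\([0-9][0-9]*\)i[0-9][0-9]*[:@].*/\1/p' \
        | sort -u \
        | while read -r vmid; do
            # Report only VMs with a bridge but no local <vmid>.conf
            [ -e "$confdir/$vmid.conf" ] || printf '%s\n' "$vmid"
          done
}

# Constructed sample in `ip -o link show` format (not captured from a node)
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
5: fwbr100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
6: fwbr101i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
7: fwbr101i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP'

# Demo: a temporary config dir holding only 100.conf, so VM 101 is reported
demo() {
    d=$(mktemp -d)
    : > "$d/100.conf"
    vms_without_local_config "$SAMPLE_LINKS" "$d"
    rm -rf "$d"
}
```

On a real node the first argument would be `"$(ip -o link show)"` and the second `/etc/pve/qemu-server`; any VMID printed is one whose rules a migration-aware firewall update should already be handling.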


----- Original Message -----
From: "Paul Chambers" <[email protected]>
To: "Alexandre Derumier" <[email protected]>
Cc: "pve-devel" <[email protected]>
Sent: Thursday 14 February 2019 20:28:29
Subject: Re: [pve-devel] pve-firewall : vm live migration: rules applied only 
after vm config file move

Perhaps using Network Namespaces would help? I'd like to see Proxmox officially 
support them for other reasons; this might be one reason to do so. 

You could recreate the Network Namespace in the destination for the VM about to 
be migrated. 

- Paul 

Alexandre DERUMIER wrote on 2/11/2019 3:05 PM: 

Hi,

Currently pve-firewall only applies VM rules
for VMs whose config is local to the node.

That means that when we do a live migration,
the rules are not applied until the config file is moved (and the VM resumes just 
after).

So, we can have some seconds where the rules are not yet applied.

I'm not sure how we could handle this correctly?

1) force a rules update after the config move but before the resume (but maybe 
for complex/big iptables this will give us some seconds of timeout for the VM)

2) update rules during live migration (maybe simply detect if the VM process is 
running (pid? systemd scope?), or if the vmbrfw device exists?)

_______________________________________________
pve-devel mailing list
[email protected]
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel



-- 
http://about.me/paul.chambers
