>> (currently, if a CT or VM is booting fast, it's also possible to have some
>> seconds with open firewall)

Sorry, that's wrong. The rules exist if the config file is present (VM started or stopped).

----- Original Message -----
From: "aderumier" <aderum...@odiso.com>
To: "dietmar" <diet...@proxmox.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Wednesday 13 February 2019 16:20:15
Subject: Re: [pve-devel] pve-firewall : vm live migration: rules applied only after vm config file move

>> Maybe live migration can tell firewall on target node to activate rules
>> before we start migration. But I am not sure
>> how to implement that.

I think it should be done at VM/CT start: force the firewall to activate the rules before launching qemu or lxc. Like this we can be sure that the rules are applied before the OS has finished booting.
(currently, if a CT or VM is booting fast, it's also possible to have some seconds with open firewall)

I don't know how; maybe we need to add an API in the pve-firewall daemon to force it to sync?

----- Original Message -----
From: "dietmar" <diet...@proxmox.com>
To: "pve-devel" <pve-devel@pve.proxmox.com>, "aderumier" <aderum...@odiso.com>
Sent: Tuesday 12 February 2019 10:21:46
Subject: Re: [pve-devel] pve-firewall : vm live migration: rules applied only after vm config file move

> That means that when we do a live migration,
> the rules are not applied until the config file is moved (and the VM resumes just
> after).
>
> So, we can have some seconds where the rules are not yet applied.
>
>
> I'm not sure how we could handle this correctly?
>
> 1) force a rules update after the config move but before the resume (but maybe
> for complex/big iptables this will give us some seconds of timeout for the
> VM)
>
> 2) update rules during live migration (maybe simply detect if the VM process is
> running (pid? systemd scope?), or if the vmbrfw device exists?)

Maybe live migration can tell firewall on target node to activate rules before we start migration. But I am not sure how to implement that.
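The window described in this thread (a guest already running on the target node while its per-NIC chains do not exist yet) can be checked for from the host side. The script below is an added example, not pve-firewall's own code; it assumes pve-firewall names the per-NIC filter chains `tap<VMID>i<N>-IN` (VMs) and `veth<VMID>i<N>-IN` (CTs) as seen in `iptables-save` output, and that `qm list` prints running guests with their status in the third column.

```shell
#!/bin/sh
# Added example, not part of pve-firewall. Assumption: pve-firewall creates a
# per-NIC filter chain named tap<VMID>i<N>-IN (VMs) or veth<VMID>i<N>-IN (CTs),
# so a running guest with no such chain is still in the "rules not yet
# applied" window discussed in the thread.

# find_unprotected "VMID VMID ..." DUMPFILE
# Prints each listed guest id that has no matching -IN chain in an
# iptables-save dump; prints nothing when every guest is covered.
find_unprotected() {
    ids=$1
    dump=$2
    for id in $ids; do
        if ! grep -Eq "^:(tap|veth)${id}i[0-9]+-IN " "$dump"; then
            echo "$id"
        fi
    done
}

# Constructed sample dump (not captured from a real host): guest 100 has its
# chains, guest 101 (just migrated in, config file not yet moved) has none.
make_sample_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*filter
:PVEFW-FWBR-IN - [0:0]
:tap100i0-IN - [0:0]
:tap100i0-OUT - [0:0]
COMMIT
EOF
    echo "$f"
}

# Offline demo. On a real PVE host (assumed command output format) use instead:
#   iptables-save > /tmp/fw.dump
#   find_unprotected "$(qm list | awk 'NR>1 && $3=="running"{print $1}')" /tmp/fw.dump
dump=$(make_sample_dump)
find_unprotected "100 101" "$dump"   # prints 101
rm -f "$dump"
```

Run it in a loop during a test migration to measure how long the gap actually lasts on a given host.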
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel