bharath paulraj
2019-Jul-26 11:17 UTC
[libvirt-users] <VM LIVE Migration> <Sync conntrack entries>
Hi Team,

I am using QEMU/KVM for launching VMs and libvirt to govern those VMs. I would like to synchronise the connection tracking entries specific to the VM during the VM LIVE migrations. It is required when the firewall is implemented at the host level like libvirt's "network filters". If a stateful firewall is enabled, then unless these connection tracking entries are synchronised, all the connections to the VM are lost and all TCP connections have to be reestablished. Is there any option already available? I don't think current libvirt hooks are helpful, as the VM pause in the source hypervisor and the VM start in the destination hypervisor are done by QEMU and it does not wait for any application that needs to sync up some metadata — in my case, it is conntrack entries.

Also I tried with the existing hooks - stop, release, startcpus - and nothing worked well.

Has anybody come across a similar scenario? If yes, how did you overcome this?

--
Regards,
Bharath
Daniel P. Berrangé
2019-Jul-26 11:42 UTC
Re: [libvirt-users] <VM LIVE Migration> <Sync conntrack entries>
On Fri, Jul 26, 2019 at 04:47:22PM +0530, bharath paulraj wrote:
> Hi Team,
>
> I am using QEMU/KVM for launching VMs and libvirt to govern those VMs.
> I would like to synchronise the connection tracking entries specific
> to the VM during the VM LIVE migrations. It is required when the
> firewall is implemented at the host level like libvirt's "network
> filters". If a stateful firewall is enabled, then unless these
> connection tracking entries are synchronised, all the connections to
> the VM are lost and all TCP connections have to be reestablished. Is
> there any option already available? I don't think current libvirt
> hooks are helpful, as the VM pause in the source hypervisor and the VM
> start in the destination hypervisor are done by QEMU and it does not
> wait for any application that needs to sync up some metadata — in my
> case, it is conntrack entries.
>
> Also I tried with the existing hooks - stop, release, startcpus - and
> nothing worked well.
>
> Has anybody come across a similar scenario? If yes, how did you overcome this?

If you need network connections to survive live migration, then you must not use the virtual network, as NAT state cannot be transferred. Bridge the guest directly to the LAN, instead of using IP layer forwarding and NAT.

Regards,
Daniel

--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
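The change Daniel suggests, shown as the `<interface>` element of a libvirt domain XML: the NAT-backed virtual network on the left of the migration problem, and the bridged form that keeps the guest's addresses reachable without host NAT state. This is an added illustration, not code from the thread or from libvirt; the network name `default`, the bridge name `br0` and the MAC address are assumed placeholders.

```xml
<!-- BEFORE: guest attached to a libvirt virtual network with NAT forwarding.
     Every guest flow is translated by the host, so the host's conntrack
     table holds state that cannot follow the VM to another host. -->
<interface type='network'>
  <mac address='52:54:00:12:34:56'/>   <!-- constructed example value -->
  <source network='default'/>          <!-- 'default' uses <forward mode='nat'/> -->
  <model type='virtio'/>
</interface>

<!-- AFTER: guest bridged directly onto the LAN via host bridge br0.
     The guest owns its own IP on the LAN; no NAT translation state lives
     on the host, so the migration target does not need to inherit it.
     Host-level nwfilter rules can still be attached if required. -->
<interface type='bridge'>
  <mac address='52:54:00:12:34:56'/>   <!-- same MAC so the guest keeps its address -->
  <source bridge='br0'/>               <!-- br0 must exist on both source and target host -->
  <model type='virtio'/>
</interface>
```

Keeping the same MAC and attaching to an identically named bridge on both hypervisors is what lets the guest's existing TCP sessions continue after the cut-over; the peers never see a NAT endpoint change.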