all lists on lists.proxmox.com
 help / color / mirror / Atom feed
From: Christoph Heiss <c.heiss@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH docs v3 14/14] qm: document conntrack state migration for live migrations
Date: Thu,  3 Jul 2025 13:54:16 +0200	[thread overview]
Message-ID: <20250703115621.883244-15-c.heiss@proxmox.com> (raw)
In-Reply-To: <20250703115621.883244-1-c.heiss@proxmox.com>

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v2 -> v3:
  * new patch

 qm.adoc | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/qm.adoc b/qm.adoc
index 8b9e096..823e818 100644
--- a/qm.adoc
+++ b/qm.adoc
@@ -1664,6 +1664,22 @@ For Live Migration to work, there are some things required:
   configured, but it cannot be guaranteed - so please test before deploying
   such a setup in production.
 
+Conntrack State Migration
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+NOTE: Conntrack state migration is considered best-effort only and might not
+work, as it heavily depends on the network setup.
+
+Conntrack is a Linux kernel mechanism to enable a stateful firewall by tracking
+individual connection. When live migrating running VMs, active in- and/or
+outbound connections *might* get interrupted as soon as the VM starts running on
+the target host, as the new host node does not have the same conntrack entries
+and thus the firewall can drop packets.
+
+Conntrack state migration copies all conntrack entries on the host for the
+live-migrated VM to the target node and afterwards flushes the migrated entries
+from the conntrack table on the source node.
+
 Offline Migration
 ~~~~~~~~~~~~~~~~~
 
-- 
2.49.0



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


  parent reply	other threads:[~2025-07-03 11:57 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-07-03 11:54 [pve-devel] [PATCH ve-rs/firewall/qemu-server/manager/docs v3 00/14] fix #5180: migrate conntrack state on live migration Christoph Heiss
2025-07-03 11:54 ` [pve-devel] [PATCH proxmox-ve-rs v3 01/14] config: guest: allow access to raw Vmid value Christoph Heiss
2025-07-03 11:54 ` [pve-devel] [PATCH proxmox-firewall v3 02/14] firewall: add connmark rule with VMID to all guest chains Christoph Heiss
2025-07-03 11:54 ` [pve-devel] [PATCH firewall v3 03/14] " Christoph Heiss
2025-07-03 11:54 ` [pve-devel] [PATCH firewall v3 04/14] firewall: helpers: add sub for flushing conntrack entries by mark Christoph Heiss
2025-07-03 11:54 ` [pve-devel] [PATCH qemu-server v3 05/14] qmp helpers: allow passing structured args via qemu_objectadd() Christoph Heiss
2025-07-03 11:54 ` [pve-devel] [PATCH qemu-server v3 06/14] api2: qemu: add module exposing node migration capabilities Christoph Heiss
2025-07-03 11:54 ` [pve-devel] [PATCH qemu-server v3 07/14] fix #5180: dbus-vmstate: add daemon for QEMUs dbus-vmstate interface Christoph Heiss
2025-07-03 11:54 ` [pve-devel] [PATCH qemu-server v3 08/14] fix #5180: migrate: integrate helper for live-migrating conntrack info Christoph Heiss
2025-07-03 11:54 ` [pve-devel] [PATCH qemu-server v3 09/14] migrate: flush old VM conntrack entries after successful migration Christoph Heiss
2025-07-03 11:54 ` [pve-devel] [PATCH manager v3 10/14] api2: capabilities: explicitly import CPU capabilities module Christoph Heiss
2025-07-03 11:54 ` [pve-devel] [PATCH manager v3 11/14] api2: capabilities: proxy index endpoints to respective nodes Christoph Heiss
2025-07-03 11:54 ` [pve-devel] [PATCH manager v3 12/14] api2: capabilities: expose new qemu/migration endpoint Christoph Heiss
2025-07-03 11:54 ` [pve-devel] [PATCH manager v3 13/14] ui: window: Migrate: add checkbox for migrating VM conntrack state Christoph Heiss
2025-07-03 11:54 ` Christoph Heiss [this message]
2025-07-17 14:16 ` [pve-devel] [PATCH ve-rs/firewall/qemu-server/manager/docs v3 00/14] fix #5180: migrate conntrack state on live migration Christoph Heiss

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250703115621.883244-15-c.heiss@proxmox.com \
    --to=c.heiss@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal