From: Christoph Heiss <c.heiss@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH ve-rs/firewall/qemu-server/manager/docs v4 00/14] fix #5180: migrate conntrack state on live migration
Date: Thu, 17 Jul 2025 16:15:16 +0200
Message-ID: <20250717141530.1471199-1-c.heiss@proxmox.com>
Fixes #5180 [0].
This implements migration of per-VM conntrack state on live-migration.
The core of the implementation is in patches #7 & #8. See there for more
details.
Patch #1 - #3 implement CONNMARK'ing any VM traffic with their unique
VMID. This is needed later on to filter conntrack entries for the
migration. These three patches can be applied independently,
CONNMARK'ing traffic does not have any visible impact.
Regarding the use of connlabels instead, as was discussed in v2:
Connlabels are (unfortunately) pure bitmasks and cannot be used for
storing arbitrary values such as VMIDs. Thus we are basically stuck with
using connmarks.
Currently, remote/inter-cluster migration is not supported and indicated
to the user with a warning. See also patch #8 for a bit more in-depth
explanation.
[0] https://bugzilla.proxmox.com/show_bug.cgi?id=5180
Dependencies
============
proxmox-firewall depends on the proxmox-ve-rs changes.
qemu-server depends on the pve-firewall/proxmox-firewall changes.
pve-manager only soft-depends on the other, as it will detect whether
conntrack migration is supported.
Testing
=======
I've primarily tested intra-cluster live-migrations, with both the
iptables-based and nftables-based firewall, using the reproducer as
described in #5180. I further verified that the D-Bus services get
started as expected and are _always_ stopped, even in the case of some
migration error.
Finally, I also checked using the `conntrack -L -m <vmid>` tool that the
conntrack entries are
a) added/updated on the target node and
b) removed from the source node afterwards
Also tested was the migration from/to an "old" (unpatched) node, which
results in the issue as per #5180 & appropriate warnings in the UI.
For remote migrations, tested that the warning is logged as expected.
History
=======
v1: https://lore.proxmox.com/pve-devel/20250317141152.1247324-1-c.heiss@proxmox.com/
v2: https://lore.proxmox.com/pve-devel/20250424111941.730528-1-c.heiss@proxmox.com/
v3: https://lore.proxmox.com/pve-devel/20250703115621.883244-1-c.heiss@proxmox.com/
Changes v1 -> v2:
* rebased as necessary
* "un-rfc'd" firewall conntrack flushing patches
* use an instanced systemd service instead of fork+exec for the
pve-dbus-vmstate helper
Changes v2 -> v3:
* rebased on trixie/latest masters
* added documentation patch
* moved node capability module to
PVE::API2::NodeCapabilities::Qemu::Migration, based on Fiona's
suggestion
Changes v3 -> v4:
* rebased on latest masters
Diffstat
========
proxmox-ve-rs:
Christoph Heiss (1):
config: guest: allow access to raw Vmid value
proxmox-ve-config/src/guest/types.rs | 4 ++++
1 file changed, 4 insertions(+)
proxmox-firewall:
Christoph Heiss (1):
firewall: add connmark rule with VMID to all guest chains
proxmox-firewall/src/firewall.rs | 14 +++-
.../integration_tests__firewall.snap | 84 +++++++++++++++++++
proxmox-nftables/src/expression.rs | 9 ++
proxmox-nftables/src/statement.rs | 10 ++-
4 files changed, 114 insertions(+), 3 deletions(-)
pve-firewall:
Christoph Heiss (2):
firewall: add connmark rule with VMID to all guest chains
firewall: helpers: add sub for flushing conntrack entries by mark
debian/control | 3 ++-
src/PVE/Firewall.pm | 14 ++++++++++++--
src/PVE/Firewall/Helpers.pm | 20 ++++++++++++++++++++
3 files changed, 34 insertions(+), 3 deletions(-)
qemu-server:
Christoph Heiss (5):
qmp helpers: allow passing structured args via qemu_objectadd()
api2: qemu: add module exposing node migration capabilities
fix #5180: dbus-vmstate: add daemon for QEMUs dbus-vmstate interface
fix #5180: migrate: integrate helper for live-migrating conntrack info
migrate: flush old VM conntrack entries after successful migration
Makefile | 4 +-
debian/control | 7 +-
src/Makefile | 1 +
src/PVE/API2/Makefile | 1 +
src/PVE/API2/NodeCapabilities/Makefile | 9 +
.../API2/NodeCapabilities/Qemu/Migration.pm | 48 +++++
src/PVE/API2/Qemu.pm | 75 ++++++++
src/PVE/CLI/qm.pm | 5 +
src/PVE/QemuMigrate.pm | 78 ++++++++
src/PVE/QemuServer.pm | 6 +
src/PVE/QemuServer/DBusVMState.pm | 125 +++++++++++++
src/PVE/QemuServer/Makefile | 1 +
src/PVE/QemuServer/QMPHelpers.pm | 4 +-
src/dbus-vmstate/Makefile | 11 ++
src/dbus-vmstate/dbus-vmstate | 168 ++++++++++++++++++
src/dbus-vmstate/org.qemu.VMState1.conf | 11 ++
src/dbus-vmstate/pve-dbus-vmstate@.service | 10 ++
17 files changed, 560 insertions(+), 4 deletions(-)
create mode 100644 src/PVE/API2/NodeCapabilities/Makefile
create mode 100644 src/PVE/API2/NodeCapabilities/Qemu/Migration.pm
create mode 100644 src/PVE/QemuServer/DBusVMState.pm
create mode 100644 src/dbus-vmstate/Makefile
create mode 100755 src/dbus-vmstate/dbus-vmstate
create mode 100644 src/dbus-vmstate/org.qemu.VMState1.conf
create mode 100644 src/dbus-vmstate/pve-dbus-vmstate@.service
pve-manager:
Christoph Heiss (4):
api2: capabilities: explicitly import CPU capabilities module
api2: capabilities: proxy index endpoints to respective nodes
api2: capabilities: expose new qemu/migration endpoint
ui: window: Migrate: add checkbox for migrating VM conntrack state
PVE/API2/Capabilities.pm | 11 ++++-
www/manager6/window/Migrate.js | 82 ++++++++++++++++++++++++++++++++--
2 files changed, 89 insertions(+), 4 deletions(-)
pve-docs:
Christoph Heiss (1):
qm: document conntrack state migration for live migrations
qm.adoc | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--
2.47.1
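As an added illustration of the two checks from the Testing section above (not code from the patch series or from qemu-server): a small Python check that parses `conntrack -L` style output captured on the source and target node and confirms that flows carrying the VMID as connmark are present on the target and gone from the source. The sample entries and the `check_migration` helper are constructed for this example; only the line format is that of conntrack-tools.

```python
import re

# Constructed sample `conntrack -L` output (not from the patch series or a real host):
# what the source node shows after the live migration of VMID 100 has completed ...
SOURCE_AFTER = """\
tcp      6 431999 ESTABLISHED src=10.0.0.21 dst=10.0.0.7 sport=51300 dport=22 src=10.0.0.7 dst=10.0.0.21 sport=22 dport=51300 [ASSURED] mark=101 use=1
udp      17 29 src=10.0.0.33 dst=10.0.0.1 sport=5353 dport=53 src=10.0.0.1 dst=10.0.0.33 sport=53 dport=5353 mark=0 use=1
"""
# ... and what the target node shows for the same moment.
TARGET_AFTER = """\
tcp      6 431998 ESTABLISHED src=10.0.0.20 dst=10.0.0.7 sport=51234 dport=22 src=10.0.0.7 dst=10.0.0.20 sport=22 dport=51234 [ASSURED] mark=100 use=1
tcp      6 299 ESTABLISHED src=10.0.0.9 dst=10.0.0.20 sport=40000 dport=443 src=10.0.0.20 dst=10.0.0.9 sport=443 dport=40000 [ASSURED] mark=100 use=1
"""


def parse_entry(line):
    """Return ((proto, src, dst, sport, dport), mark) for one `conntrack -L` line.

    Each line carries the original-direction tuple first and the reply-direction
    tuple second; only the first occurrence of each key identifies the flow.
    """
    proto = line.split()[0]
    pairs = re.findall(r"(\w+)=(\S+)", line)
    orig = {}
    for key, value in pairs:
        if key in ("src", "dst", "sport", "dport") and key not in orig:
            orig[key] = value
    mark = int(dict(pairs).get("mark", "0"))  # connmark, set to the VMID by the guest chains
    return (proto, orig["src"], orig["dst"], orig.get("sport"), orig.get("dport")), mark


def flows_with_mark(output, vmid):
    """Flows whose connmark equals the VMID, i.e. what `conntrack -L -m <vmid>` lists."""
    flows = set()
    for line in output.splitlines():
        if line.strip():
            flow, mark = parse_entry(line)
            if mark == vmid:
                flows.add(flow)
    return flows


def check_migration(source_output, target_output, vmid):
    """Hypothetical helper: (a) marked flows exist on the target, (b) none remain on the source."""
    on_target = flows_with_mark(target_output, vmid)
    leftover = flows_with_mark(source_output, vmid)
    return {"ok": bool(on_target) and not leftover,
            "on_target": on_target, "leftover_on_source": leftover}


if __name__ == "__main__":
    print(check_migration(SOURCE_AFTER, TARGET_AFTER, 100))
```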