On Fri, Jul 26, 2019 at 04:47:22PM +0530, bharath paulraj wrote:
> Hi Team,
>
> I am using QEMU/KVM for launching VMs and libvirt to govern those VMs.
> I would like to synchronise the connection tracking entries specific
> to the VM during the VM LIVE migrations. It is required when the
> firewall is implemented at the host level like libvirt's "network
> filters". If a stateful firewall is enabled, then unless these
> connection tracking entries are synchronised, all the connections to
> the VM are lost and all TCP connections should be reestablished. Is
> there any option already available? I don't think current libvirt
> hooks are helpful, as VM pause in the source hypervisor and VM on in
> the destination hypervisor is done by QEMU and it does not wait for
> any application that needs to sync-up some metadata — In my case, it
> is conntrack entries.
>
> Also I tried with the existing hooks - stop, release, startcpus and
> nothing worked well.
>
> Has anybody come across a similar scenario? If yes, how did you overcome this?

If you need network connections to survive live migration, then you
must not use the virtual network, as NAT state cannot be transferred.
Bridge the guest directly to the LAN, instead of using IP layer forwarding
and NAT.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
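
A pre-migration check for the situation discussed in this thread, as an added example that is not part of the original messages or of libvirt itself: it reads a domain definition and reports NICs attached to a NAT/routed virtual network (the case the reply warns about) or carrying an nwfilter reference (the case the question raises). The function name `migration_findings` and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from the thread): one libvirt network
# definition and one domain with a virtual-network NIC and a bridged NIC.
NETWORKS_XML = {
    "default": "<network><name>default</name><forward mode='nat'/>"
               "<bridge name='virbr0'/></network>",
}
DOMAIN_XML = """
<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <interface type='network'>
      <mac address='52:54:00:00:00:01'/>
      <source network='default'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:00:00:02'/>
      <source bridge='br0'/>
      <filterref filter='clean-traffic'/>
    </interface>
  </devices>
</domain>
"""

# libvirt forward modes in which the host forwards guest traffic at the IP layer.
HOST_L3_MODES = {"nat", "route", "open"}

def migration_findings(domain_xml, networks_xml):
    """Return (mac, reason) pairs for NICs that depend on per-host state."""
    findings = []
    for nic in ET.fromstring(domain_xml).iterfind("./devices/interface"):
        mac = nic.find("mac").get("address")
        if nic.get("type") == "network":
            name = nic.find("source").get("network")
            net = networks_xml.get(name)
            fwd = ET.fromstring(net).find("forward") if net else None
            # A <forward> element without a mode attribute defaults to nat.
            mode = fwd.get("mode", "nat") if fwd is not None else None
            if mode in HOST_L3_MODES:
                findings.append((mac, f"virtual network '{name}' forward mode={mode}"))
        ref = nic.find("filterref")
        if ref is not None:  # premise of the question: host-side filter state
            findings.append((mac, f"nwfilter '{ref.get('filter')}' applied on host"))
    return findings

if __name__ == "__main__":
    for mac, reason in migration_findings(DOMAIN_XML, NETWORKS_XML):
        print(mac, "->", reason)
```

On a real host the two XML inputs would come from `virsh dumpxml` and `virsh net-dumpxml`.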