To ensure we got the relevant rules for conntrack migration available.
Only do a suggests on the newer nft based proxmox-firewall; we do not
have any hard-dependency on it anywhere currently.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
First part to fixing #5180 [0].
Adds a simple D-Bus server which implements the `org.qemu.VMState1`
interface as specified in the QEMU documentation [1].
Using the built-in QEMU VMState machinery saves us from having to worry
about transfer and convergence of the data and lets QEMU take care of
it.
Any object on the D-Bus path `/org/qemu/VMState1` implementing that
interface will be called by QEMU during live-migration, if the `Id`
property is registered within the `dbus-vmstate` QEMU object for a
specific VM.
The actual state loading/restoring is done via the conntrack(8) tool, a
small tool which already implements hard parts of interacting with the
conntrack subsystem via netlink.
Filtering is done on CONNMARK, which is set to the specific VMID for all
packets by the firewall.
Additionally, a custom `com.proxmox.VMStateHelper` interface is
implemented by the object, adding a small `Quit` method for cleanly
shutting down the daemon via the D-Bus API.
For all to work, D-Bus needs a policy describing who is allowed to
access the interface. [2]
Currently, there is a hard-limit of 1 MiB of state enforced by QEMU.
Typical conntrack state entries as dumped by conntrack(8) in the `save`
output format are just plaintext ASCII lines and mostly around
150-200 characters. That then translates to about 5200 entries that can
be migrated.
Such a typical line looks like:
```
-A -t 431974 -u SEEN_REPLY,ASSURED -s 10.1.0.1 -d 10.1.1.20 \
-r 10.1.1.20 -q 10.1.0.1 -p tcp --sport 48550 --dport 22 \
--reply-port-src 22 --reply-port-dst 48550 --state ESTABLISHED
```
In the future, compression could be implemented for these before sending
them to QEMU, which should increase the above number quite a bit - since
these entries are nicely compressible.
[0] https://bugzilla.proxmox.com/show_bug.cgi?id=5180
[1] https://www.qemu.org/docs/master/interop/dbus-vmstate.html
[2] https://dbus.freedesktop.org/doc/dbus-daemon.1.html#configuration_file
Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
Link: https://lore.proxmox.com/20250730094549.263805-7-c.heiss@proxmox.com
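As an added illustration (not part of this patch or of the qemu-server code), a small Python sketch of two pieces the message describes: parsing one `conntrack -o save` entry into its fields, and packing entries into the blob handed to QEMU so that the 1 MiB dbus-vmstate limit is respected. The `-m` (mark) option mapping and the drop-whole-lines policy are assumptions; the sample entry is the one quoted in the message.

```python
# Hard limit QEMU enforces on one dbus-vmstate blob (1 MiB, per the message).
QEMU_VMSTATE_MAX_BYTES = 1024 * 1024

# conntrack(8) short options as they appear in `-o save` output. The `-m`
# (mark) entry is an assumption; the sample line above carries no mark.
_SHORT_OPTS = {
    "-t": "timeout", "-u": "status", "-s": "src", "-d": "dst",
    "-r": "reply-src", "-q": "reply-dst", "-p": "proto", "-m": "mark",
}

# Constructed sample: the entry quoted in the commit message, as emitted
# with backslash line continuations.
SAMPLE_ENTRY = (
    "-A -t 431974 -u SEEN_REPLY,ASSURED -s 10.1.0.1 -d 10.1.1.20 \\\n"
    "-r 10.1.1.20 -q 10.1.0.1 -p tcp --sport 48550 --dport 22 \\\n"
    "--reply-port-src 22 --reply-port-dst 48550 --state ESTABLISHED"
)


def parse_save_entry(text):
    """Parse one `conntrack -o save` entry into a dict keyed by long option."""
    tokens = text.replace("\\\n", " ").split()
    if not tokens or tokens[0] != "-A":
        raise ValueError("not an add (-A) entry: %r" % text)
    if len(tokens) % 2 == 0:  # "-A" plus option/value pairs must be odd
        raise ValueError("dangling option %r" % tokens[-1])
    entry = {}
    for opt, value in zip(tokens[1::2], tokens[2::2]):
        if opt.startswith("--"):
            key = opt[2:]
        elif opt in _SHORT_OPTS:
            key = _SHORT_OPTS[opt]
        else:
            raise ValueError("unknown conntrack option %r" % opt)
        entry[key] = value
    # Status flags are a comma separated set, e.g. SEEN_REPLY,ASSURED.
    entry["status"] = set(entry.get("status", "").split(",")) - {""}
    return entry


def pack_vmstate(entries, limit=QEMU_VMSTATE_MAX_BYTES):
    """Join entries into the blob for QEMU without exceeding its limit.

    Returns (blob, accepted). Whole lines are dropped rather than cutting
    mid-entry, so what arrives still parses; connections whose entries were
    dropped simply have no conntrack state on the destination.
    """
    blob, accepted = bytearray(), 0
    for entry in entries:
        chunk = (entry.rstrip("\n") + "\n").encode("ascii")
        if len(blob) + len(chunk) > limit:
            break
        blob += chunk
        accepted += 1
    return bytes(blob), accepted
```

With 200-character entries plus newline, `pack_vmstate` accepts 5216 lines before hitting the limit, which matches the ~5200 figure in the message.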
pve-firewall introduced a new helper for deciding whether to create a
firewall bridge for a given tap interface. In addition to checking for
nftables, it also checks for the type of the bridge. This fixes an
issue with OVS and the nftables firewall, where firewall bridges are
still required in order for the guest firewall to work and the new
helper in pve-firewall checks for that condition now.
Previously, only the vm network script checked the condition for
creating a firewall bridge properly, but not the function for
hotplugging VM network devices. This caused a firewall bridge to
always get created when hotplugging a network device. The additional
firewall bridge had no influence on the functionality of nftables, but
was unnecessary.
For that matter, a helper in qemu-server is introduced that should be
used by all call sites.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
FG: adapted context slightly
FG: bump versioned dependency
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Restoring old backups should still work when properties are dropped
from the schema. In particular, it is necessary to skip such
properties when parsing the configuration during restore.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
FG: make dropping unconditional, not just for restore
FG: add pve-common min version to d/control
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Version 5.2.0 of libpve-guest-common-perl is required for the
PVE/Mapping/Dir.pm module, but there was a transitive dependency for
libpve-cluster-perl missing for tracking the corresponding file on the
cluster file system and build would still fail with:
> unknown file 'mapping/directory.cfg' at /usr/share/perl5/PVE/Cluster.pm
Version 5.2.2 of libpve-guest-common-perl depends on recent enough
libpve-cluster-perl to fix this.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Add support for sharing directories with a guest VM.
virtio-fs needs virtiofsd to be started. In order to start virtiofsd
as a process (despite being a daemon it does not run in the
background), a double-fork is used.
virtiofsd should close itself together with QEMU.
There is the parameter dirid and the optional parameters direct-io,
cache and writeback. Additionally, the expose-xattr & expose-acl
parameters can be set to expose xattr & acl settings from the shared
filesystem to the guest system.
The dirid gets mapped to the path on the current node and is also used
as a mount tag (name used to mount the device on the guest).
example config:
```
virtiofs0: foo,direct-io=1,cache=always,expose-acl=1
virtiofs1: dirid=bar,cache=never,expose-xattr=1,writeback=1
```
For information on the optional parameters see the coherent doc patch
and the official gitlab README:
https://gitlab.com/virtio-fs/virtiofsd/-/blob/main/README.md
Also add a permission check for virtiofs directory access.
Add virtiofsd to the Recommends list for the qemu-server Debian
package, this allows users to opt-out of installing this package, e.g.
for certification reasons.
Signed-off-by: Markus Frank <m.frank@proxmox.com>
Link: https://lore.proxmox.com/20250407134950.265270-3-m.frank@proxmox.com
Tested-by: Lukas Wagner <l.wagner@proxmox.com>
[TL: squash d/control change and re-add Lukas' T-b, as nothing
essentially changed from the v16 where his tag applied]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
The 'reconnect' option was replaced by 'reconnect-ms' in QEMU commit
c8e2b6b4d7 ("chardev: introduce 'reconnect-ms' and deprecate
'reconnect'").
Makes qemu-server build-depend on QEMU 9.2 for the tests.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Link: https://lore.proxmox.com/20250407073256.8889-2-f.ebner@proxmox.com
To ensure the new Confidential VM (CVM) images that got the Secure
Management Mode (SMM) disabled are available.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>