Good day.
I have installed PROXMOX VE on Deb10 host node where has been already running and configured Firewalld & MariaDB & postfix & BIND.
It is new fresh installation of PROXMOX where host is currently w no load, no traffic, yet idling. (host node is OVH KVM 2vCPU, nested virtualization enabled)
Host node net config /etc/network/interfaces:
Firewalld uses 2 zones:
PUBLIC for host node (for ens3):
TRUSTED for KVM instance (for vmbr0; allowing all traffic to vmbr0 IPs passthrough host system without filtering by its running firewall):
ISSUES:
------------
Immediately (or after host node reboot) all works fine:
- Hostnode OS has low CPU load (0% - max 8 or 9%; permanently always under 10%),
- KVM instance (using vmbr0 iface) load is also idling (<4-5% CPU permanently, all time, its LAMP+MTA & all internet connections work fine),
- both no traffic, ALL FINE
BUT: after a few hours (second days morning) i always found:
- Hostnode does have crazy load 100% of CPU: ebtables-restor process consume permanently/whole time all available CPU; traffic is still idling
- (KVM instance remain ok, idling CPU and no traffic too, there is no problem)
BTW: I tried the same (allow all traffic for vbmr0 go directly to VM without be affected by host firewall) also with other (to me know) option with other firewall config as FORWARD rules:
But unfortunately, the result after several hours is exactly the same ISSUE as in 1st case with vmbr0 added in TRUSTED zone (host node does have after few hours 100% bussy CPU, consumed by ebtables-restor )
I am already total desparate from it: I killed 2 whole days with this issue (tried all reinstall several times on new, but always exactly the same problem happened and ebtables consume all 100% CPU on idling hostnode & servers. I also cannot find 1 such or similar cases when search on internet or any useful resolutions, suggestions, nothing... Absolutely strange thingh for me and i am not able resolving it and move somewhere.
BTW#2: I know that best is have on host running nothing but Proxmox only, but i need keep current case from severa reasons (have and keep on host node running also firewalld + mentioned software, and cant place it inside nested VM behind proxmox host node)
Thank you very much for all time and help, i would be really very grateful if someone can help me resolve this crazy, strange (for me) issue. All attemps really highly appreciated by me.
regards Milos
I have installed PROXMOX VE on Deb10 host node where has been already running and configured Firewalld & MariaDB & postfix & BIND.
It is new fresh installation of PROXMOX where host is currently w no load, no traffic, yet idling. (host node is OVH KVM 2vCPU, nested virtualization enabled)
Host node net config /etc/network/interfaces:
Code:
auto lo
iface lo inet loopback
# The primary network interface for PROXMOX host node
auto ens3
iface ens3 inet static
address 152.228.91.75/32
gateway 152.228.90.1
pointopoint 152.228.90.1
dns-nameservers 127.0.0.1 8.8.8.8 8.8.4.4
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up echo 1 > /proc/sys/net/ipv4/conf/ens3/proxy_arp
# for KVM VM-IPs
auto vmbr0
iface vmbr0 inet static
address 152.228.91.75/32
bridge_ports none
bridge_stp off
bridge_fd 0
# up ip route for additional-IPs/32 on vmbr0
up ip route add 178.32.100.221/32 dev vmbr0Firewalld uses 2 zones:
PUBLIC for host node (for ens3):
Code:
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<interface name="ens3"/>
<service name="smtp"/>
<service name="smtps"/>
<service name="pop3"/>
<service name="pop3s"/>
<service name="imap"/>
<service name="imaps"/>
<port port="587" protocol="tcp"/>
<port port="53" protocol="tcp"/>
<port port="2222" protocol="tcp"/>
<port port="3306" protocol="tcp"/>
<port port="53" protocol="udp"/>
<port port="22" protocol="tcp"/>
<port port="8006" protocol="tcp"/>
</zone>TRUSTED for KVM instance (for vmbr0; allowing all traffic to vmbr0 IPs passthrough host system without filtering by its running firewall):
Code:
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
<short>Trusted</short>
<description>All network connections are accepted.</description>
<interface name="vmbr0"/>
</zone>ISSUES:
------------
Immediately (or after host node reboot) all works fine:
- Hostnode OS has low CPU load (0% - max 8 or 9%; permanently always under 10%),
- KVM instance (using vmbr0 iface) load is also idling (<4-5% CPU permanently, all time, its LAMP+MTA & all internet connections work fine),
- both no traffic, ALL FINE
BUT: after a few hours (second days morning) i always found:
- Hostnode does have crazy load 100% of CPU: ebtables-restor process consume permanently/whole time all available CPU; traffic is still idling
- (KVM instance remain ok, idling CPU and no traffic too, there is no problem)
BTW: I tried the same (allow all traffic for vbmr0 go directly to VM without be affected by host firewall) also with other (to me know) option with other firewall config as FORWARD rules:
Code:
firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -i vmbr0 -j ACCEPT
firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -o vmbr0 -j ACCEPT
firewall-cmd --reload; service firewalld restartI am already total desparate from it: I killed 2 whole days with this issue (tried all reinstall several times on new, but always exactly the same problem happened and ebtables consume all 100% CPU on idling hostnode & servers. I also cannot find 1 such or similar cases when search on internet or any useful resolutions, suggestions, nothing... Absolutely strange thingh for me and i am not able resolving it and move somewhere.
BTW#2: I know that best is have on host running nothing but Proxmox only, but i need keep current case from severa reasons (have and keep on host node running also firewalld + mentioned software, and cant place it inside nested VM behind proxmox host node)
Thank you very much for all time and help, i would be really very grateful if someone can help me resolve this crazy, strange (for me) issue. All attemps really highly appreciated by me.
regards Milos
Last edited:
