
group.of.nepali.translators team mailing list archive

[Bug 1727366] Re: virsh start/destroy is too slow after adding firewall rule


Not sure if it is a strace artifact, but in the slow case I see way more system calls.
Those extra calls are what consumes the time.

It seems that after the call it does some cleanup.
But it does not do a guided cleanup (e.g. closing all FDs it knows).
No - instead it seems to run a loop closing all FDs possible.

Now on Artful that runs 1-8192 (14bit), but on Zesty it is 1-1048575 (20 bit).
I think I remember having seen that close all FDs in the past, but can't remember exactly where.

But while I miss that I remember the limits I see here.
libvirtd before Artful had LimitNOFILE=infinity in its service file.
On Artful and later it has LimitNOFILE=8192 (actually we had to raise that recently for bigger installations, but nevertheless way smaller than 1M).

Adapting those limits makes it fast.

So summarizing what we know:
- some cleanup seems to close all *possible* files
- the number of possible files got reduced in later libvirt version (for other reasons)
- We can't SRU a smaller limit anyway, but looking forward I want to look into the "close all" and which code does so.
- A solution for those affected is available by adapting LimitNOFILE in /lib/systemd/system/libvirtd.service

I'll mark this as Won't Fix for the reasons outlined in older releases,
but want to take a look if that "close all" can be optimized.

** Also affects: libvirt (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: libvirt (Ubuntu Zesty)
   Importance: Undecided
       Status: New

** Changed in: libvirt (Ubuntu Xenial)
       Status: New => Won't Fix

** Changed in: libvirt (Ubuntu Zesty)
       Status: New => Won't Fix

** Changed in: libvirt (Ubuntu)
       Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1727366

Title:
  virsh start/destroy is too slow after adding firewall rule

Status in libvirt package in Ubuntu:
  In Progress
Status in libvirt source package in Xenial:
  Won't Fix
Status in libvirt source package in Zesty:
  Won't Fix

Bug description:
  Description:	Ubuntu 16.04.3 LTS
  Release:	16.04

  libvirt-bin:
    Installed: 1.3.1-1ubuntu10.14
    Candidate: 1.3.1-1ubuntu10.14

  The starting/stopping time of the domain is dramatically increased
  after adding an nw-filter rule:

  Actual timings:
  --------------

  # time virsh destroy 9000
  Domain 9000 destroyed

  
  real	0m9.252s
  user	0m0.024s
  sys	0m0.000s

  Expected timings: (without active filterref item)
  ----------------

  $ time virsh destroy 9000
  Domain 9000 destroyed

  real    0m0.633s
  user    0m0.012s
  sys     0m0.008s

  Steps to reproduce:
  ------------------

  1. Enable any firewall rule, which is shipped with a package. For
  example it could be allow-arp:

      <interface type='bridge'>
        <mac address='52:54:00:86:69:a7'/>
        <source bridge='br0'/>
        <model type='virtio'/>
        <filterref filter='allow-arp'/>
        <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
      </interface>

  2. Stop domain:

  $ virsh destroy 9000

  3. Start domain:

  $ LIBVIRT_DEBUG=debug virsh start 9000

  Debug output attached as libvirt-debug.log

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1727366/+subscriptions
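
The cost difference discussed in the message above, as an added C example (not libvirt's code and not part of the original thread): a close-everything loop bounded by RLIMIT_NOFILE next to a guided cleanup that closes only the descriptors the process actually holds. The function names are hypothetical, and the guided variant assumes Linux with /proc mounted.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unguided: one close() per *possible* fd below the soft RLIMIT_NOFILE. */
static long close_bruteforce(int lowfd, int keep) {
    long calls = 0, max = sysconf(_SC_OPEN_MAX);   /* = soft RLIMIT_NOFILE */
    for (long fd = lowfd; fd < max; fd++)
        if (fd != keep) { close((int)fd); calls++; }
    return calls;
}
/* Guided: close only the fds the kernel lists in /proc/self/fd (Linux). */
static long close_guided(int lowfd, int keep) {
    DIR *d = opendir("/proc/self/fd");
    struct dirent *e;
    long calls = 0, fd;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        /* sscanf fails on "." and ".."; the directory's own fd is skipped too */
        if (sscanf(e->d_name, "%ld", &fd) != 1 || fd < lowfd || fd == keep || fd == dirfd(d)) continue;
        close((int)fd); calls++;
    }
    closedir(d);
    return calls;
}
/* Hypothetical harness: fork a child, set its soft limit to `limit`, run one
 * strategy there and return the number of close() calls it made (-1 on error). */
long count_close_calls(int guided, rlim_t limit) {
    struct rlimit rl;
    long calls = -1;
    int p[2];
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0 || pipe(p) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                       /* child keeps p[1] open to report back */
        rl.rlim_cur = limit;
        if (setrlimit(RLIMIT_NOFILE, &rl) == 0)
            calls = guided ? close_guided(3, p[1]) : close_bruteforce(3, p[1]);
        _exit(write(p[1], &calls, sizeof calls) < 0);
    }
    close(p[1]);
    if (read(p[0], &calls, sizeof calls) != (ssize_t)sizeof calls) calls = -1;
    close(p[0]);
    if (pid > 0) waitpid(pid, NULL, 0);
    return calls;
}
int main(void) {   /* 8192 is the Artful limit quoted above; -1 means the hard limit is lower */
    return printf("brute=%ld guided=%ld\n", count_close_calls(0, 8192), count_close_calls(1, 8192)) < 0;
}
```

The brute-force count grows one-for-one with the limit, while the guided count depends only on how many descriptors were inherited.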