openstack team mailing list archive

Thread
Date

Re: Security Group Rule Refresh

To: "McNally, Dave (HP Cloud Services)" <dave.mcnally@xxxxxx>
From: Soren Hansen <soren@xxxxxxxxxxx>
Date: Thu, 23 Feb 2012 13:52:38 +0100
Authentication-results: mr.google.com; spf=pass (google.com: domain of soren@xxxxxxxxxxx designates 10.68.220.71 as permitted sender) smtp.mail=soren@xxxxxxxxxxx
Cc: "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <2C5F128CB959784A9598804B519B6A0C9521952904@GVW1102EXC.americas.hpqcorp.net>

2012/2/22 McNally, Dave (HP Cloud Services) <dave.mcnally@xxxxxx>:
> Currently I’m trying to track how a refresh of the security groups is
> handled (upon creation or deletion of a vm). Following through the
> code I get to ‘do_refresh_security_group_rules’ in
> libvirt/firewall.py. Up to this point the security group in question
> has been carried through however it seems to be discarded here and
> rather than filtering the instances to refresh the rules for based on
> this group it looks to me like all instances on the current host are
> iterated through and then there is an attempt to update the rules for
> all these instances.
>
> Is this full refresh necessary/intentional? If so can anyone tell me
> why it’s required?

I forget the exact history here (i.e. why some of the method calls
include it and why some don't), but there are three reasons I decided to
do a full refresh:

 1 deal with the situation where a refresh call to one of the compute
   nodes got lost. If that happened, at least it would all get sorted
   out on the next refresh.
 2 the routine that turned the rules from the database into iptables
   rules was complex enough as it was. Making it remove only rules for a
   single security group or a single instance or whatever would make it
   even worse.
 3 The difference in terms of efficiency is miniscule. iptables replaces
   full tables at a time anyway, and while the relative amount of data
   needed to be fetched from the database might be much larger than with
   a more selective refresh, the absolute amount of data is still pretty
   small.


Point 1 could be addressed now by a periodical refresh of the rules, if
one was so inclined.

Point 2 should be more palatable now that the simpler implementation has
proven itself.

Point 3 might be less true now. In the beginning, there were separate
chains for each security group, now it's just one big list, IIRC. That
may change things.

-- 
Soren Hansen             | http://linux2go.dk/
Senior Software Engineer | http://www.cisco.com/
Ubuntu Developer         | http://www.ubuntu.com/
OpenStack Developer      | http://www.openstack.org/

Follow ups

Re: Security Group Rule Refresh
From: Day, Phil, 2012-02-23

References

Security Group Rule Refresh
From: McNally, Dave (HP Cloud Services), 2012-02-22