yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1365806] [NEW] Noopfirewall driver or security group disabled should avoid impose security group related calls to Neutron server

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: zhu zhu <zhuzhubj@xxxxxxxxxx>
Date: Fri, 05 Sep 2014 03:04:41 -0000
Reply-to: Bug 1365806 <1365806@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

With openvswitch neutron agent, during the daemon loop, the phase for
setup_port_filters will try to grab the cast method
'security_group_rules_for_devices'  to Neutron Server.

And this operation will be very time consuming  and performance
bottleneck as it include ports query,  rules query, network query as
well as reconstruct the huge Security groups Dict Message.  This message
process will occupy a lot of CPU of Neutron Server.

For the Noopfirewall or security group disabled situation, this
operation should be avoided. As eventually these reply message would not
be used by Noopfirewall driver.  (There methods are pass).

 with self.firewall.defer_apply():
            for device in devices.values():
                LOG.debug(_("Update port filter for %s"), device['device'])
                self.firewall.update_port_filter(device)

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1365806

Title:
  Noopfirewall driver or security group disabled should avoid impose
  security group related calls to Neutron server

Status in OpenStack Neutron (virtual network service):
  New

Bug description:
  With openvswitch neutron agent, during the daemon loop, the phase for
  setup_port_filters will try to grab the cast method
  'security_group_rules_for_devices'  to Neutron Server.

  And this operation will be very time consuming  and performance
  bottleneck as it include ports query,  rules query, network query as
  well as reconstruct the huge Security groups Dict Message.  This
  message process will occupy a lot of CPU of Neutron Server.

  For the Noopfirewall or security group disabled situation, this
  operation should be avoided. As eventually these reply message would
  not be used by Noopfirewall driver.  (There methods are pass).

   with self.firewall.defer_apply():
              for device in devices.values():
                  LOG.debug(_("Update port filter for %s"), device['device'])
                  self.firewall.update_port_filter(device)

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1365806/+subscriptions

Follow ups

[Bug 1365806] Re: Noopfirewall driver or security group disabled should avoid impose security group related calls to Neutron server
From: Thierry Carrez, 2014-12-18
[Bug 1365806] Re: Noopfirewall driver or security group disabled should avoid impose security group related calls to Neutron server
From: Alan Pevec, 2014-12-05
[Bug 1365806] Re: Noopfirewall driver or security group disabled should avoid impose security group related calls to Neutron server
From: Alan Pevec, 2014-12-04
[Bug 1365806] [NEW] Noopfirewall driver or security group disabled should avoid impose security group related calls to Neutron server
From: zhu zhu, 2014-09-05

References

[Bug 1365806] [NEW] Noopfirewall driver or security group disabled should avoid impose security group related calls to Neutron server
From: zhu zhu, 2014-09-05