
yahoo-eng-team team mailing list archive

[Bug 1376981] [NEW] NSX plugin security group rules OVS flow explosion


Public bug reported:

In our clouds running Havana with VMware NSX, we often see an explosion
of OVS flows when there are many complex security group rules.
Specifically when the rules involve remote_group_id (security profile in
NSX), there are OVS flow rules created for every pair of VMs belonging
to the tenant resulting in O(n^2) rules. In large deployments, this
results in severe performance issues when the number of OVS flow rules
gets into the millions. In addition, this results in an exponential
increase in memory consumption on NSX controllers.

Nicira plugin should make an attempt at summarizing the security group
rules created by the users, so that it results in efficient
representation on OVS as well as reduces memory consumption on NSX
controllers.

Examples:

1. With every security group, Nicira automatically adds a hidden (hidden
= not stored in Neutron) security group rule to allow ingress IPv4 UDP
traffic on DHCP port 68. If a user creates exactly the same rule, then a
duplicate rule is created and maintained by NSX controllers and pushed
down to OVS on hypervisors. The other case is even if the user creates a
broader rule allowing UDP traffic on all ports, NSX maintains both the
broader rule and the hidden DHCP rule. In this case, there is no need to
have the additional more specific DHCP hidden rule.

2. We have seen cases where users have created both a broader rule to
allow UDP/TCP/ICMP traffic from outside and additional rules to restrict
the same traffic to their tenant VMs. In this case, the self-referential
rules significantly increase OVS flows and can be completely avoided.

Ideally, NVP plugin (nvplib.py in Havana) should summarize the rules in
the security group before submitting them to the NSX controller.

** Affects: neutron
     Importance: Undecided
     Assignee: Sudheendra Murthy (sudhi-vm)
         Status: New


** Tags: folsom-backport-potential icehouse-backport-potential nicira vmware

** Changed in: neutron
     Assignee: (unassigned) => Sudheendra Murthy (sudhi-vm)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1376981


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1376981/+subscriptions
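The rule summarisation the report asks for, written out as an added example in Python. This is not code from Neutron, the NVP/NSX plugin or the bug reporter; it models rules as plain dicts with Neutron's security group rule fields (direction, ethertype, protocol, port_range_min, port_range_max, remote_ip_prefix, remote_group_id), models the hidden NSX DHCP rule as "ingress IPv4 UDP port 68 from any source" as the report describes it, and uses a made-up group id `sg-web` and constructed sample rules. It drops exact duplicates (example 1, first case), rules fully covered by a broader rule in the same group (example 1, second case), and self-referential remote_group_id rules when a broader rule already admits any source (example 2). Dropping a covered rule is only safe because security group rules are an unordered allow-list with no deny rules, so removing a rule that another rule subsumes cannot change what traffic is permitted; the example also deliberately refuses to treat a remote_group_id rule as covered by a remote_ip_prefix rule, because group membership is dynamic and cannot be proven to sit inside a prefix.

```python
"""Summarise allow-only security group rules by dropping duplicates and
rules that a broader rule in the same group already covers.

Added example; not Neutron or NSX plugin code.  Rules are dicts with the
Neutron SG rule keys.  None means "unrestricted" for a field.
"""
import ipaddress
from collections import namedtuple

Canon = namedtuple("Canon", "direction ethertype protocol ports prefix group")

ANY_PREFIX = {"0.0.0.0/0", "::/0"}   # prefixes equivalent to "any source"
FULL_RANGE = (1, 65535)               # TCP/UDP range equivalent to "all ports"
SG_ID = "sg-web"                      # made-up security group id


def mkrule(direction, ethertype, protocol=None, pmin=None, pmax=None,
           prefix=None, group=None):
    """Build a Neutron-style rule dict (helper for the constructed sample)."""
    return {"direction": direction, "ethertype": ethertype,
            "protocol": protocol, "port_range_min": pmin,
            "port_range_max": pmax, "remote_ip_prefix": prefix,
            "remote_group_id": group}


def canonical(rule):
    """Normalise a rule into a hashable form so equivalent rules compare equal."""
    proto = rule.get("protocol")
    if isinstance(proto, str):
        proto = proto.lower()
    pmin, pmax = rule.get("port_range_min"), rule.get("port_range_max")
    if pmin is None and pmax is None:
        ports = None
    else:
        pmin = pmax if pmin is None else pmin
        pmax = pmin if pmax is None else pmax
        ports = (pmin, pmax)
        if proto in ("tcp", "udp") and ports == FULL_RANGE:
            ports = None
    prefix = rule.get("remote_ip_prefix")
    if prefix in ANY_PREFIX:
        prefix = None
    if prefix is not None:
        prefix = ipaddress.ip_network(prefix, strict=False)
    return Canon(rule["direction"], rule["ethertype"], proto, ports, prefix,
                 rule.get("remote_group_id"))


def covers(a, b):
    """True if every packet admitted by rule b is also admitted by rule a."""
    if (a.direction, a.ethertype) != (b.direction, b.ethertype):
        return False
    if a.protocol is not None and a.protocol != b.protocol:
        return False
    if a.ports is not None:
        if b.ports is None:
            return False
        if not (a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1]):
            return False
    if a.prefix is None and a.group is None:
        return True                      # a admits any remote endpoint
    if a.group is not None:
        return b.group == a.group        # same security group reference
    # a is limited to an IP prefix: b must be a sub-prefix.  A remote group's
    # membership changes over time, so it is never proven to fit a prefix.
    return (b.group is None and b.prefix is not None
            and b.prefix.version == a.prefix.version
            and b.prefix.subnet_of(a.prefix))


def summarize(rules):
    """Return the minimal subset of rules that admits exactly the same traffic."""
    kept, seen = [], set()
    for rule in rules:
        c = canonical(rule)
        if c in seen:
            continue                     # exact duplicate (example 1, first case)
        seen.add(c)
        if any(covers(k, c) for k, _ in kept):
            continue                     # a broader kept rule already admits it
        kept = [(k, r) for k, r in kept if not covers(c, k)]   # c supersedes
        kept.append((c, rule))
    return [r for _, r in kept]


# Hidden rule NSX adds to every profile, as described in the report.
HIDDEN_DHCP_RULE = mkrule("ingress", "IPv4", "udp", 68, 68)

# Constructed user rules illustrating both examples from the report.
USER_RULES = [
    mkrule("ingress", "IPv4", "udp", 68, 68),                  # dup of hidden
    mkrule("ingress", "IPv4", "udp"),                          # broad UDP
    mkrule("ingress", "IPv4", "tcp", 22, 22, "10.0.0.0/8"),
    mkrule("ingress", "IPv4", "tcp", 22, 22, "10.1.0.0/16"),   # inside 10/8
    mkrule("ingress", "IPv4", "tcp", 80, 80),                  # from anywhere
    mkrule("ingress", "IPv4", "tcp", 80, 80, group=SG_ID),     # self-ref, covered
    mkrule("ingress", "IPv4", "tcp", 443, 443, group=SG_ID),   # self-ref, kept
    mkrule("ingress", "IPv4", "icmp"),
    mkrule("egress", "IPv4"),
]

if __name__ == "__main__":
    before = [HIDDEN_DHCP_RULE] + USER_RULES
    after = summarize(before)
    print("%d rules submitted, %d after summarisation" % (len(before), len(after)))
    for r in after:
        print(r)
```

In the sample, the hidden DHCP rule and its user-created duplicate both disappear because the broad ingress UDP rule covers them, the /16 SSH rule folds into the /8 one, and the self-referential port 80 rule is dropped because port 80 is already open to any source; the self-referential port 443 rule survives, since nothing broader admits it, and a remote_group_id rule is never folded into a prefix-restricted rule.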

