yahoo-eng-team team mailing list archive

[Alan Pevec <1365806@xxxxxxxxxxxxxxxxxx>]

** Also affects: neutron/juno
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1365806

Title:
  Noopfirewall driver or security group disabled should avoid impose
  security group related calls to Neutron server

Status in OpenStack Neutron (virtual network service):
  Fix Committed
Status in neutron juno series:
  New

Bug description:
  With openvswitch neutron agent, during the daemon loop, the phase for
  setup_port_filters will try to grab/call method
  'security_group_rules_for_devices'  to Neutron Server.

  And this operation will be very time consuming and have big
  performance bottleneck as it include ports query,  rules query,
  network query as well as reconstruct the huge Security groups Dict
  Message.  This message size is very large and for processing it, it
  will occupy a lot of CPU of Neutron Server. In cases like VM/perhost
  arrive to 700, the Neutron server will be busy doing the message and
  couldn't to do other thing and this could lead to message queue
  connection timeout and make queue disconnect the consumers. As a
  result the Neutron server is crashed and not function either for
  deployments or for API calls.

  For the Noopfirewall or security group disabled situation, this
  operation should be avoided. Because eventually these reply message
  would not be used by Noopfirewall driver.  (There methods are pass).

   with self.firewall.defer_apply():
              for device in devices.values():
                  LOG.debug(_("Update port filter for %s"), device['device'])
                  self.firewall.update_port_filter(device)

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1365806/+subscriptions