yahoo-eng-team team mailing list archive
Message #25758
[Bug 1365806] Re: Noopfirewall driver or security group disabled should avoid impose security group related calls to Neutron server
** Changed in: neutron
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1365806
Title:
Noopfirewall driver or security group disabled should avoid impose
security group related calls to Neutron server
Status in OpenStack Neutron (virtual network service):
Fix Released
Status in neutron juno series:
Fix Released
Bug description:
With the openvswitch neutron agent, during the daemon loop, the phase for
setup_port_filters will try to call the method
'security_group_rules_for_devices' on the Neutron Server.
This operation is very time consuming and is a big
performance bottleneck, as it includes a ports query, a rules query and a
network query, as well as reconstructing the huge Security groups Dict
Message. This message is very large, and processing it
occupies a lot of CPU on the Neutron Server. In cases where VMs per host
reach 700, the Neutron server will be busy processing the message and
can't do anything else, and this can lead to message queue
connection timeouts and make the queue disconnect the consumers. As a
result the Neutron server crashes and does not function either for
deployments or for API calls.
For the Noopfirewall or security group disabled situation, this
operation should be avoided, because the reply messages
would eventually not be used by the Noopfirewall driver (its methods are pass).
    with self.firewall.defer_apply():
        for device in devices.values():
            LOG.debug(_("Update port filter for %s"), device['device'])
            self.firewall.update_port_filter(device)
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1365806/+subscriptions
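The guard the bug description asks for, sketched as an added example; it is not part of the original message and is not Neutron's own code. The class names, the `skip_sg_rpc` attribute and the `enable_security_group` parameter are assumptions for illustration, and the RPC side is a constructed stub that only counts calls.

```python
import contextlib

class NoopFirewallDriver:
    """Stand-in no-op driver: filter updates are ignored."""
    def update_port_filter(self, port):
        pass
    @contextlib.contextmanager
    def defer_apply(self):
        yield

class RecordingFirewallDriver:
    """Stand-in for a real driver: remembers the rules it was given."""
    def __init__(self):
        self.ports = {}
    def update_port_filter(self, port):
        self.ports[port['device']] = port
    @contextlib.contextmanager
    def defer_apply(self):
        yield

class CountingPluginRpc:
    """Constructed stub for the server; counts the expensive calls."""
    def __init__(self):
        self.calls = 0
    def security_group_rules_for_devices(self, device_ids):
        self.calls += 1
        return {d: {'device': d, 'security_group_rules': []}
                for d in device_ids}

class SecurityGroupAgent:
    def __init__(self, firewall, plugin_rpc, enable_security_group=True):
        self.firewall = firewall
        self.plugin_rpc = plugin_rpc
        # Hypothetical guard: decide once whether rules would ever be used.
        self.skip_sg_rpc = (not enable_security_group
                            or isinstance(firewall, NoopFirewallDriver))

    def setup_port_filters(self, device_ids):
        """Return the number of ports whose filters were updated."""
        if self.skip_sg_rpc or not device_ids:
            return 0  # no round trip to the server at all
        devices = self.plugin_rpc.security_group_rules_for_devices(device_ids)
        with self.firewall.defer_apply():
            for device in devices.values():
                self.firewall.update_port_filter(device)
        return len(devices)
```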