yahoo-eng-team team mailing list archive

[Bug 1466921] [NEW] IptablesFirewallDriver making extra unnecessary calls to IpsetManager.set_members()

 

Public bug reported:

Currently, IptablesFirewallDriver iterates over a list of security group
IDs and makes calls to IpsetManager.set_members() passing each security
group ID. The problem is that this list of security group IDs can
contain duplicates, which causes IpsetManager.set_members() to be
repeatedly called with the same arguments. This method is idempotent, so
there is nothing different happening after the first time it's called
with a certain set of arguments; it should only be called once per set
of arguments.

IpsetManager.set_members() acquires an external file lock on ipset to
perform its operations, so eliminating these unnecessary file lock
acquisitions will have a positive effect on the performance of this
code.

** Affects: neutron
     Importance: Undecided
     Assignee: Rawlin Peters (rawlin-peters)
         Status: New


** Tags: driver firewall ipset ipsetmanager iptables iptablesfirewalldriver

** Changed in: neutron
     Assignee: (unassigned) => Rawlin Peters (rawlin-peters)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1466921

Title:
  IptablesFirewallDriver making extra unnecessary calls to
  IpsetManager.set_members()

Status in OpenStack Neutron (virtual network service):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1466921/+subscriptions
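
An added illustration of the report's point, not neutron's code and not part of the original message: a stand-in manager counts lock acquisitions while a driver-style loop runs over a security group ID list with and without duplicates. The class, function names, and sample data are all constructed for this example.

```python
import threading


class CountingIpsetManager:
    """Hypothetical stand-in for an ipset manager; not neutron's class."""

    def __init__(self):
        self._lock = threading.Lock()  # models the external ipset file lock
        self.lock_acquisitions = 0
        self.sets = {}

    def set_members(self, sg_id, ethertype, member_ips):
        with self._lock:
            self.lock_acquisitions += 1
            # Idempotent: the same arguments always produce the same state.
            self.sets[(sg_id, ethertype)] = sorted(set(member_ips))


def update_naive(manager, remote_sg_ids, sg_members):
    """Call set_members() for every entry, duplicates included."""
    for sg_id in remote_sg_ids:
        for ethertype, ips in sg_members[sg_id].items():
            manager.set_members(sg_id, ethertype, ips)


def update_deduped(manager, remote_sg_ids, sg_members):
    """Call set_members() once per distinct security group ID."""
    # dict.fromkeys() drops repeats while keeping first-seen order.
    for sg_id in dict.fromkeys(remote_sg_ids):
        for ethertype, ips in sg_members[sg_id].items():
            manager.set_members(sg_id, ethertype, ips)


# Constructed sample data: two groups, referenced five times in total.
SG_MEMBERS = {
    "sg-a": {"IPv4": ["10.0.0.2", "10.0.0.3"], "IPv6": ["fd00::2"]},
    "sg-b": {"IPv4": ["10.0.1.5"]},
}
REMOTE_SG_IDS = ["sg-a", "sg-b", "sg-a", "sg-a", "sg-b"]


def compare():
    """Return (naive lock count, deduped lock count, final states equal)."""
    naive, deduped = CountingIpsetManager(), CountingIpsetManager()
    update_naive(naive, REMOTE_SG_IDS, SG_MEMBERS)
    update_deduped(deduped, REMOTE_SG_IDS, SG_MEMBERS)
    return (naive.lock_acquisitions, deduped.lock_acquisitions,
            naive.sets == deduped.sets)


if __name__ == "__main__":
    print(compare())
```

Both loops leave the same ipset state; only the number of lock acquisitions differs.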

