yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1376981] Re: NSX plugin security group rules OVS flow explosion

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Armando Migliaccio <1376981@xxxxxxxxxxxxxxxxxx>
Date: Thu, 01 Oct 2015 00:45:08 -0000
Reply-to: Bug 1376981 <1376981@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Also affects: vmware-nsx
   Importance: Undecided
       Status: New

** No longer affects: neutron

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1376981

Title:
  NSX plugin security group rules OVS flow explosion

Status in vmware-nsx:
  New

Bug description:
  In our clouds running Havana with VMware NSX, we often see an
  explosion of OVS flows when there are many complex security group
  rules. Specifically when the rules involve remote_group_id (security
  profile in NSX), there are OVS flow rules created for every pair of
  VMs belonging to the tenant resulting in O(n^2) rules. In large
  deployments, this results in severe performance issues when the number
  of OVS flow rules in gets into millions. In addition, this results in
  an exponential increase in memory consumption on NSX controllers.

  Nicira plugin should make an attempt at summarizing the security group
  rules created by the users, so that it results in efficient
  representation on OVS as well as reduces memory consumption on NSX
  controllers.

  Examples:

  1. With every security group, Nicira automatically adds a hidden
  (hidden = not stored in Neutron) security group rule to allow ingress
  IPv4  UDP traffic on DHCP port 68. If a user creates exactly the same
  rule, then a duplicate rule is created and maintained by NSX
  controllers and pushed down to OVS on hypervisors. The other case is
  even if the user creates a broader rule allowing UDP traffic on all
  ports, NSX maintains both the broader rule and the hidden DHCP rule.
  In this case, there is no need to have the additional more specific
  DHCP hidden rule.

  2. We have seen cases where users have created both a broader rule to
  allow UDP/TCP/ICMP traffic from outside and additional rules to
  restrict the same traffic to their tenant VMs. In this case, the self-
  referential rules significantly increase OVS flows and can be
  completely avoided.

  Ideally, NVP plugin (nvplib.py in Havana) should summarize the rules
  in the security group before submitting them NSX controller.

To manage notifications about this bug go to:
https://bugs.launchpad.net/vmware-nsx/+bug/1376981/+subscriptions

References

[Bug 1376981] [NEW] NSX plugin security group rules OVS flow explosion
From: Sudheendra Murthy, 2014-10-03