
yahoo-eng-team team mailing list archive

[Bug 1662568] [NEW] ovs flows aren't cleaned up after switch to iptables firewall under high-load

 

Public bug reported:

Seen on: newton devstack, ubuntu 16.04, firewall_driver=openvswitch.

To emulate high load I cleared all quotas, created a security-group A
with ~4200 security group rules with remote_group_id pointing to
security-group B and booted 2 VMs (one with secgroup A and another with
secgroup B). Due to https://bugs.launchpad.net/neutron/+bug/1628819
every next VM boot resulted in plenty of ovs flows, so after booting 15
VMs and reaching ~23000 flows every other VM would go into ERROR with
nova blaming neutron for not providing network for an instance (nova
compute logs - http://paste.openstack.org/show/597972/). The
ovs-vswitchd logs complained of excessive load as well, so my initial
guess was that high load was the matter.

After the environment was "heavily loaded", the switch to the iptables
firewall (and subsequent ovs-agent restart) didn't clean up the generated
flows (23407 flows remained), although ovs-agent logs showed that the
driver was changed: http://paste.openstack.org/show/597978/

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: ovs-fw

** Tags added: ovs-fw

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1662568
