← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1810563] [NEW] adding rules to security groups is slow

 

Public bug reported:

Sometime between liberty and pike, adding rules to SG's got slow, and
slower with every rule added.

Gerrit review with fixes is incoming.

You can repro with a vanilla devstack install on master, and this
script:

#!/bin/bash

OPENSTACK_TOKEN=$(openstack token issue | grep '| id' | awk '{print $4}')
export OPENSTACK_TOKEN

CCN1=10.210.162.2
CCN3=10.210.162.10
export ENDPOINT=localhost

make_rules() {
    iter=$1
    prefix=$2
    file="$3"

    echo "generating rules"

    cat >$file <<EOF
{"security_group_rules":[
EOF

    comma=","
    i=0
    while [ $i -lt $iter ]; do
	j=0
	while [ $j -lt 10 ]; do
	    if [ $i -eq $(($iter-1)) -a $j -eq 9 ]; then
		comma=""
	    fi
	    cat >>$file <<EOF
{"direction":"ingress","ethertype":"IPv4","port_range_max":10000,"port_range_min":8000,"protocol":"tcp"
,"remote_ip_prefix":"$prefix.$i.$j.0/24","security_group_id":"$SG_UUID"}${comma}
EOF
	    j=$((j+1))
	done
	i=$((i+1))
    done

    cat >>$file <<EOF
]}
EOF
}

hit_api() {
    json="$1"

    echo "hitting api"

    start=$(perl -e "print time();")
    time curl --silent -g -i -X POST http://$ENDPOINT:9696/v2.0/security-group-rules.json -H "User-Agen
t: python-neutronclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-T
oken: $OPENSTACK_TOKEN" -d @${json} >/dev/null
    end=$(perl -e "print time();")
    echo $((end-start))
}

tmp=/tmp/sg-test.$$.tmp

echo "Doing test with 1000 rules in bulk"
openstack security group delete dw-test-1
uuid=$(openstack security group create dw-test-1 | grep '| id' | awk '{print $4}')
export SG_UUID="$uuid"
make_rules 100 4 $tmp
hit_api $tmp

echo "Doing loop test"
openstack security group delete dw-test-2
uuid=$(openstack security group create dw-test-2 | grep '| id' | awk '{print $4}')
export SG_UUID="$uuid"
elapsed=0
mm=0
while [ $mm -lt 20 ]; do
    make_rules 5 $(($mm+1)) $tmp
    n=$(hit_api $tmp | tail -1)
    elapsed=$((elapsed+n))
    mm=$((mm+1))
done
echo "Loop test took $elapsed seconds"

** Affects: neutron
     Importance: Undecided
     Assignee: Doug Wiegley (dougwig)
         Status: In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1810563

Title:
  adding rules to security groups is slow

Status in neutron:
  In Progress

Bug description:
  Sometime between liberty and pike, adding rules to SG's got slow, and
  slower with every rule added.

  Gerrit review with fixes is incoming.

  You can repro with a vanilla devstack install on master, and this
  script:

  #!/bin/bash

  OPENSTACK_TOKEN=$(openstack token issue | grep '| id' | awk '{print $4}')
  export OPENSTACK_TOKEN

  CCN1=10.210.162.2
  CCN3=10.210.162.10
  export ENDPOINT=localhost

  make_rules() {
      iter=$1
      prefix=$2
      file="$3"

      echo "generating rules"

      cat >$file <<EOF
  {"security_group_rules":[
  EOF

      comma=","
      i=0
      while [ $i -lt $iter ]; do
  	j=0
  	while [ $j -lt 10 ]; do
  	    if [ $i -eq $(($iter-1)) -a $j -eq 9 ]; then
  		comma=""
  	    fi
  	    cat >>$file <<EOF
  {"direction":"ingress","ethertype":"IPv4","port_range_max":10000,"port_range_min":8000,"protocol":"tcp"
  ,"remote_ip_prefix":"$prefix.$i.$j.0/24","security_group_id":"$SG_UUID"}${comma}
  EOF
  	    j=$((j+1))
  	done
  	i=$((i+1))
      done

      cat >>$file <<EOF
  ]}
  EOF
  }

  hit_api() {
      json="$1"

      echo "hitting api"

      start=$(perl -e "print time();")
      time curl --silent -g -i -X POST http://$ENDPOINT:9696/v2.0/security-group-rules.json -H "User-Agen
  t: python-neutronclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-T
  oken: $OPENSTACK_TOKEN" -d @${json} >/dev/null
      end=$(perl -e "print time();")
      echo $((end-start))
  }

  tmp=/tmp/sg-test.$$.tmp

  echo "Doing test with 1000 rules in bulk"
  openstack security group delete dw-test-1
  uuid=$(openstack security group create dw-test-1 | grep '| id' | awk '{print $4}')
  export SG_UUID="$uuid"
  make_rules 100 4 $tmp
  hit_api $tmp

  echo "Doing loop test"
  openstack security group delete dw-test-2
  uuid=$(openstack security group create dw-test-2 | grep '| id' | awk '{print $4}')
  export SG_UUID="$uuid"
  elapsed=0
  mm=0
  while [ $mm -lt 20 ]; do
      make_rules 5 $(($mm+1)) $tmp
      n=$(hit_api $tmp | tail -1)
      elapsed=$((elapsed+n))
      mm=$((mm+1))
  done
  echo "Loop test took $elapsed seconds"

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1810563/+subscriptions


Follow ups