yahoo-eng-team team mailing list archive
Message #88952
[Bug 1975674] [NEW] Neutron agent blocks during VM deletion when a remote security group is involved
Public bug reported:
When deleting a VM that has a security group referring to a remote
security group, the neutron agent will block for as long as it takes to
remove the respective flows. This happens when the remote security group
contains many (thousands of) ports referring to other VMs.
Steps to reproduce:
- Create a VM with security group A
- Add a rule to security group A allowing access from a remote security group B
- Add a large number of ports to security group B (e.g. 2000)
- The respective ovs flows will be added
- Delete the VM
- The ovs flows will be removed
Expected:
- VM and flow to be deleted within seconds
- No impact to other VMs on the same hypervisor
Actual:
- Flow deletion takes a long time, sometimes up to 10 minutes
- While flows are being deleted, no VMs can be created on the same hypervisor
The reason for this behavior is that under the hood the agent calls
ovs-ofctl (via execve()) once for each port in the remote security group.
These calls quickly add up to minutes if there are many ports.
The proposed solution would be to use deferred execution for the flow
deletion. In that case it becomes a bulk operation and around 400 flows
are deleted in one call. In addition it runs in the background and does
not block the agent for other operations.
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1975674
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1975674/+subscriptions
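
The report contrasts one ovs-ofctl invocation per port with a deferred bulk deletion of around 400 flows per call; the following is an added example of that batching, not Neutron's code and not part of the original message. `DeferredFlowDeleter`, `remote_group_matches` and `demo` are hypothetical names, the bridge name `br-int` and the `ip,nw_src=...` matches are constructed sample values, and the batch feeds matches to `ovs-ofctl del-flows <bridge> -` on stdin.

```python
import ipaddress
import subprocess
from typing import Callable, List

Runner = Callable[[List[str], str], None]

def run_ovs_ofctl(argv: List[str], stdin_text: str) -> None:
    """Real runner: one execve() of ovs-ofctl, flow matches fed on stdin."""
    subprocess.run(argv, input=stdin_text, text=True, check=True)

class DeferredFlowDeleter:
    """Queue del-flows matches and flush them in batches (hypothetical helper)."""

    def __init__(self, bridge: str, runner: Runner = run_ovs_ofctl,
                 batch_size: int = 400):  # 400 = per-call figure from the report
        self.bridge, self.runner, self.batch_size = bridge, runner, batch_size
        self.pending: List[str] = []

    def delete(self, match: str) -> None:
        # One match per stdin line: an embedded newline would smuggle a second,
        # unintended match into the batch, so reject it (and empty matches).
        if not match or "\n" in match or "\r" in match:
            raise ValueError("flow match must be a single non-empty line")
        self.pending.append(match)

    def flush(self) -> int:
        """Send queued matches; return the number of ovs-ofctl invocations."""
        calls = 0
        while self.pending:
            chunk = self.pending[:self.batch_size]
            self.pending = self.pending[self.batch_size:]
            self.runner(["ovs-ofctl", "del-flows", self.bridge, "-"],
                        "\n".join(chunk) + "\n")
            calls += 1
        return calls

def remote_group_matches(n_ports: int) -> List[str]:
    """Constructed sample: one source-IP match per port in remote group B."""
    base = ipaddress.ip_address("10.0.0.1")
    return [f"ip,nw_src={base + i}" for i in range(n_ports)]

def demo(n_ports: int = 2000) -> int:
    recorded = []  # fake runner, so the example runs without Open vSwitch
    deleter = DeferredFlowDeleter(
        "br-int", lambda argv, text: recorded.append((argv, text)))
    for match in remote_group_matches(n_ports):
        deleter.delete(match)
    return deleter.flush()
```

With the 2000 ports from the reproduction steps, `demo()` issues 5 invocations where the per-port path would issue 2000. The example covers the batching only, not the background execution the report also proposes.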