yahoo-eng-team team mailing list archive

[Rodolfo Alonso <1662568@xxxxxxxxxxxxxxxxxx>]

Closing this bug due to lack of attention. Please feel free to reopen if
needed.

** Changed in: neutron
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1662568

Title:
  ovs flows aren't cleaned up after switch to iptables firewall under
  high-load

Status in neutron:
  Won't Fix

Bug description:
  Seen on: newton devstack, ubuntu 16.04, firewall_driver=openvswitch.

  To emulate high load I cleared all quotas, created a security-group A
  with ~4200 security group rules with remote_group_id pointing to
  security-group B and booted 2 vms (one with secgroup A and another
  with secgroup B). Due to
  https://bugs.launchpad.net/neutron/+bug/1628819 every next VM boot
  resulted in plenty of ovs flows, so after booting 15 vms and reaching
  ~23000 flows every other VM would go into ERROR with nova blaming
  neutron for not providing network for an instance (nova compute logs -
  http://paste.openstack.org/show/597972/). The ovs-vswitchd logs
  complained of excessive load as well so my initial guess was that high
  load was the matter.

  After the environment was "heavy loaded" the switch to iptables
  firewall (and subsequent ovs-agent restart) didn't clean up the
  generated flows (23407 flows remained), although ovs-agent logs showed
  that the driver was changed http://paste.openstack.org/show/597978/

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1662568/+subscriptions