ACL limit causing rules not being applied on vrouter

Bug #1701093 reported by Piyush Srivastava
This bug affects 2 people
Affects              Status                   Importance  Assigned to      Milestone
Juniper Openstack    Status tracked in Trunk
  R2.21.x            Fix Committed            Undecided   Sahil Sabharwal
  R3.0               Fix Committed            Undecided   Sahil Sabharwal
  R3.1               Fix Committed            Undecided   Sahil Sabharwal
  R3.2               Fix Committed            Undecided   Sahil Sabharwal
  R4.0               Fix Committed            Undecided   Sahil Sabharwal
  Trunk              Fix Committed            Undecided   Sahil Sabharwal
OpenContrail         Fix Committed            Undecided   Sahil Sabharwal

Bug Description

Build: 2.21.3-71 Icehouse

It looks like we are hitting some contrail limits on the number of ACL rules that can be applied on a particular network. The network in this case has two policies applied to it. These two policies combined together result in 169 ACL rules which seems to be past the limit that we have identified. We could create 134 rules without any issues but Contrail didn’t accept rules more than that. The problem is that when the rule limit hits, Contrail is not able to process these ACLs and push them down to the vrouters which means that these rules don’t take effect and that’s why we see connectivity issues.

Steps to reproduce:
- Create a contrail virtual network
- Create a policy with 135 rules
- Add this policy to the virtual network
- Boot a VM on this network
- Look at the ACLs installed on the vrouter
- ACLs in the policy not pushed to the vrouter, it has two default ACLs

Repeat this with a lower number, e.g. 120 rules in a policy, and you will see the ACLs being installed on the vrouter.

Tags: wpc
description: updated
Vineet Gupta (vineetrf)
tags: added: wpc
Sachin Bansal (sbansal)
Changed in opencontrail:
assignee: nobody → Ignatious Johnson Christopher (ijohnson-x)
Sachin Bansal (sbansal)
Changed in juniperopenstack:
assignee: nobody → Ignatious Johnson Christopher (ijohnson-x)
Sachin Bansal (sbansal) wrote :

For 2.21.3, we will provide a config knob in api server config file to set the bottle request size limit. In future releases, we have more optimizations to reduce acl size.

OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.21.x

Review in progress for https://review.opencontrail.org/33497
Submitter: <email address hidden> (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/33497
Committed: http://github.com/Juniper/contrail-controller/commit/74c62bf48597db53fc48d0ac7c6fdac197b030bc
Submitter: Zuul (<email address hidden>)
Branch: R2.21.x

commit 74c62bf48597db53fc48d0ac7c6fdac197b030bc
Author: Sahil <email address hidden>
Date: Fri Jul 7 19:16:21 2017 -0700

Making bottle base requests size configurable

Earlier bottle.BaseRequest.MEMFILE_MAX was hard coded to 1024000 in
vnc_cfg_api_server.py.
Adding config. parameter "max_request_size" to enable setting of
bottle.BaseRequest.MEMFILE_MAX through contrail-api.conf file.

Closes-Bug: #1701093
Change-Id: I6fb67f92bc7262261a33cf5d8c9748a176a62de0
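
The setting described in this commit message, as an added example that is not part of the bug report or the Contrail code base: it reads "max_request_size" from contrail-api.conf text and checks a serialized policy body against it before submission, so an oversized update is caught instead of leaving ACLs unapplied. The [DEFAULTS] section name, the function names and the policy body layout are assumptions made for illustration; the padding only stands in for large rules.

```python
import configparser
import json

# Value the commit message says was hard-coded in vnc_cfg_api_server.py.
HARDCODED_MEMFILE_MAX = 1024000

def load_max_request_size(conf_text):
    """Read max_request_size (bytes) from contrail-api.conf text.

    Assumption: the option sits in a [DEFAULTS] section.
    """
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    limit = parser.getint("DEFAULTS", "max_request_size",
                          fallback=HARDCODED_MEMFILE_MAX)
    if limit <= 0:
        raise ValueError("max_request_size must be a positive byte count")
    return limit

def make_policy_body(n_rules, pad=0):
    """Constructed stand-in for a policy update body; not Contrail's schema."""
    rules = [{"sequence": i, "action": "pass", "protocol": "tcp",
              "dst_ports": [i, i], "note": "x" * pad}
             for i in range(n_rules)]
    return json.dumps({"policy": {"rules": rules}}).encode("utf-8")

def preflight(body, limit):
    """Return (fits, size, headroom) so an oversized update fails loudly."""
    size = len(body)
    return size <= limit, size, limit - size

def max_rules_that_fit(limit, pad=0, ceiling=2000):
    """Binary-search the largest rule count whose body stays within limit."""
    lo, hi = 0, ceiling
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if len(make_policy_body(mid, pad)) <= limit:
            lo = mid
        else:
            hi = mid - 1
    return lo

if __name__ == "__main__":
    conf = "[DEFAULTS]\nmax_request_size = 4096000\n"  # constructed sample
    body = make_policy_body(135, pad=7600)             # constructed sample
    print(preflight(body, HARDCODED_MEMFILE_MAX))
    print(preflight(body, load_max_request_size(conf)))
```

The limit also bounds how much of a request body the API server will buffer, so a raised value is best sized from the largest legitimate policy rather than set arbitrarily high.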

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/33839
Submitter: <email address hidden> (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/33840
Submitter: <email address hidden> (<email address hidden>)

Changed in juniperopenstack:
assignee: Ignatious Johnson Christopher (ijohnson-x) → Sahil Sabharwal (ssabharwal)
Changed in opencontrail:
assignee: Ignatious Johnson Christopher (ijohnson-x) → Sahil Sabharwal (ssabharwal)
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/33853
Submitter: <email address hidden> (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/33854
Submitter: <email address hidden> (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1

Review in progress for https://review.opencontrail.org/33855
Submitter: <email address hidden> (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/33853
Committed: http://github.com/Juniper/contrail-controller/commit/7f42f4538b5e796d1203dea3398847559b59d317
Submitter: Zuul (<email address hidden>)
Branch: master

commit 7f42f4538b5e796d1203dea3398847559b59d317
Author: Sahil <email address hidden>
Date: Thu Jul 20 11:16:53 2017 -0700

Making bottle base requests size configurable

Earlier bottle.BaseRequest.MEMFILE_MAX was hard coded to 1024000 in
vnc_cfg_api_server.py.
Adding config. parameter "max_request_size" to enable setting of
bottle.BaseRequest.MEMFILE_MAX through contrail-api.conf file.

Change-Id: I8a4d9e2ee7cf2c362647070bdd1865254f297236
Closes-Bug: #1701093

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/33839
Committed: http://github.com/Juniper/contrail-controller/commit/c4ea1ba784477c18861bb2ca326442f031f8ffe6
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit c4ea1ba784477c18861bb2ca326442f031f8ffe6
Author: Sahil <email address hidden>
Date: Thu Jul 20 11:07:43 2017 -0700

Making bottle base requests size configurable

Earlier bottle.BaseRequest.MEMFILE_MAX was hard coded to 1024000 in
vnc_cfg_api_server.py.
Adding config. parameter "max_request_size" to enable setting of
bottle.BaseRequest.MEMFILE_MAX through contrail-api.conf file.

Change-Id: If9d11d5f0856701ab7db71d55383d7f01f9abda7
Closes-Bug: #1701093

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/33855
Committed: http://github.com/Juniper/contrail-controller/commit/e7602cad787359f47806ab29c103edc31653de54
Submitter: Zuul (<email address hidden>)
Branch: R3.1

commit e7602cad787359f47806ab29c103edc31653de54
Author: Sahil <email address hidden>
Date: Thu Jul 20 15:41:27 2017 -0700

Making bottle base requests size configurable

Earlier bottle.BaseRequest.MEMFILE_MAX was hard coded to 1024000 in
vnc_cfg_api_server.py.
Adding config. parameter "max_request_size" to enable setting of
bottle.BaseRequest.MEMFILE_MAX through contrail-api.conf file.

Change-Id: I3be5102d835fdacaa4a4d5ea7ae39ac858c2f547
Closes-Bug: #1701093

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/33840
Committed: http://github.com/Juniper/contrail-controller/commit/19f691b847bd1fe848721b7a7330d5afd932a324
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit 19f691b847bd1fe848721b7a7330d5afd932a324
Author: Sahil <email address hidden>
Date: Thu Jul 20 11:16:53 2017 -0700

Making bottle base requests size configurable

Earlier bottle.BaseRequest.MEMFILE_MAX was hard coded to 1024000 in
vnc_cfg_api_server.py.
Adding config. parameter "max_request_size" to enable setting of
bottle.BaseRequest.MEMFILE_MAX through contrail-api.conf file.

Change-Id: I8a4d9e2ee7cf2c362647070bdd1865254f297236
Closes-Bug: #1701093

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/33854
Committed: http://github.com/Juniper/contrail-controller/commit/8093f2722693dab76c997dfef1309fb45f0e9e7c
Submitter: Zuul (<email address hidden>)
Branch: R3.0

commit 8093f2722693dab76c997dfef1309fb45f0e9e7c
Author: Sahil <email address hidden>
Date: Thu Jul 20 15:41:27 2017 -0700

Making bottle base requests size configurable

Earlier bottle.BaseRequest.MEMFILE_MAX was hard coded to 1024000 in
vnc_cfg_api_server.py.
Adding config. parameter "max_request_size" to enable setting of
bottle.BaseRequest.MEMFILE_MAX through contrail-api.conf file.

Change-Id: I3be5102d835fdacaa4a4d5ea7ae39ac858c2f547
Closes-Bug: #1701093

Sachin Bansal (sbansal)
Changed in opencontrail:
status: New → Fix Committed