tripleo-firewall role needs optimization
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
tripleo | Fix Released | Medium | Kevin Carter | |
Bug Description
Looping over each firewall rule individually in the tripleo-firewall role ends up creating a lot of tasks.
100 compute nodes took 15 minutes in one of my tests. A lot of the time is spent skipping tasks, but even that adds up. This also scales pretty linearly, so it's going to be a large slowdown with more nodes.
We need to find a way for the role to operate in bulk fashion somehow instead of looping over each rule.
We could subclass the iptables module and modify it so that it can take as input "bulk_rules", and then each individual node would quickly loop over the rules and apply them, instead of the looping happening on the ansible control node.
Another idea could be to use a template for /etc/sysconfig/
In the meantime, we may need to revert: https:/
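The bulk idea from the description, sketched as an added example (not code from tripleo-ansible, and not the action plugin that fixed this bug): validate every rule once, then render the whole set into a single payload a node could load in one step with `iptables-restore --noflush`. The rule keys (`name`, `proto`, `dport`, `action`) and the sample rules are assumptions made for this example.

```python
import re

ALLOWED_PROTOS = {"tcp", "udp"}
ALLOWED_ACTIONS = {"ACCEPT", "DROP", "REJECT"}
# The name ends up inside a quoted --comment, so quotes and newlines are rejected.
SAFE_NAME = re.compile(r"[A-Za-z0-9 _.-]{1,200}")

# Constructed sample rules (hypothetical schema, not the role's own).
SAMPLE_RULES = [
    {"name": "120 accept vnc", "proto": "tcp", "dport": [5900, 5901]},
    {"name": "003 accept ssh", "proto": "tcp", "dport": 22},
    {"name": "105 accept ntp", "proto": "udp", "dport": 123},
]


def render_rule(rule, chain="INPUT"):
    """Validate one rule dict and return a single iptables-restore line."""
    name, proto = rule["name"], rule["proto"]
    action = rule.get("action", "ACCEPT")
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"unsafe rule name: {name!r}")
    if proto not in ALLOWED_PROTOS or action not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported proto/action in {name!r}")
    ports = rule["dport"] if isinstance(rule["dport"], list) else [rule["dport"]]
    # multiport accepts at most 15 ports per rule.
    if not 1 <= len(ports) <= 15:
        raise ValueError(f"bad port count in {name!r}")
    if not all(type(p) is int and 0 < p < 65536 for p in ports):
        raise ValueError(f"bad dport in {name!r}")
    dports = ",".join(str(p) for p in ports)
    return (f"-A {chain} -p {proto} -m multiport --dports {dports} "
            f'-m comment --comment "{name}" -j {action}')


def render_bulk(rules):
    """Render all rules into one payload, ordered by rule name."""
    lines = ["*filter"]
    lines += [render_rule(r) for r in sorted(rules, key=lambda r: r["name"])]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_bulk(SAMPLE_RULES), end="")
```

Because every rule lands in one file, a single unvalidated field could add or alter other rules, which is why each value is checked before rendering.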
Changed in tripleo:
status: New → Confirmed
importance: Undecided → Medium
milestone: none → ussuri-2
Changed in tripleo:
assignee: nobody → Kevin Carter (kevin-carter)
status: Confirmed → In Progress
Reviewed: https://review.opendev.org/698620
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=38c75fb83e059b44e7344eca93a8fdadee04630f
Submitter: Zuul
Branch: master
commit 38c75fb83e059b44e7344eca93a8fdadee04630f
Author: Kevin Carter <email address hidden>
Date: Wed Dec 11 20:02:49 2019 -0600
Update firewall role to use an action plugin
This change updates our firewall role so that it's using an action plugin
to invoke the iptables module. This is being done to speed up rule creation
and maintenance.
Tests have been updated to ensure we're capturing all of the logic within
the action plugin accordingly.
Depends-On: Ie9b6fd5792efb270ae577b08d6a2d5b78dabe5e7
Closes-Bug: #1856094
Change-Id: I3e4c6586796753b5d1cb9aa6a7c3eee6ecc235fb
Signed-off-by: Kevin Carter <email address hidden>