tripleo-firewall role needs optimization

Bug #1856094 reported by James Slagle
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Kevin Carter

Bug Description

Looping over each firewall rule individually in the tripleo-firewall role ends up creating a lot of tasks.

100 compute nodes took 15 minutes in one of my tests. A lot of the time is spent skipping tasks, but even that adds up. This also scales pretty linearly, so it's going to be a large slowdown with more nodes.

We need to find a way for the role to operate in bulk fashion somehow instead of looping over each rule.

We could subclass the iptables module and modify it so that it can take as input "bulk_rules", and then each individual node would quickly loop over the rules and apply them, instead of the looping happening on the ansible control node.

Another idea could be to use a template for /etc/sysconfig/iptables that we only need to render once per role on the ansible control node, then we can just copy into place and use iptables-restore (or something).

In the meantime, we may need to revert: https://review.opendev.org/#/c/677237/
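
The template idea from the description, sketched as an added example (not code from tripleo-ansible or from the reporter): the ruleset is rendered once on the control node into an iptables-restore payload, with every field validated so a rule value cannot inject extra lines into the file. The rule schema (`name`, `proto`, `dport`, `chain`, `action`) and the sample rules are assumptions made for illustration.

```python
import re

# Assumed rule schema (hypothetical, not tripleo-ansible's own):
# name, proto, dport (int or list of ints), optional chain and action.
CHAINS = {"INPUT", "FORWARD", "OUTPUT"}
PROTOS = {"tcp", "udp"}
ACTIONS = {"ACCEPT", "DROP", "REJECT"}
SAFE_NAME = re.compile(r"[A-Za-z0-9 _.:-]{1,200}")

# Constructed sample rules for one role.
SAMPLE_RULES = [
    {"name": "200 example api", "proto": "tcp", "dport": [8774, 8775]},
    {"name": "100 example ssh", "proto": "tcp", "dport": 22},
]


def render_rule(rule):
    """Return one '-A' line; reject values that could smuggle in extra lines."""
    name = rule["name"]
    chain = rule.get("chain", "INPUT")
    action = rule.get("action", "ACCEPT")
    # fullmatch, not match: '$' would accept a trailing newline.
    if not isinstance(name, str) or not SAFE_NAME.fullmatch(name):
        raise ValueError(f"unsafe rule name: {name!r}")
    if chain not in CHAINS or rule["proto"] not in PROTOS or action not in ACTIONS:
        raise ValueError(f"unsupported chain/proto/action in {name!r}")
    ports = rule["dport"] if isinstance(rule["dport"], list) else [rule["dport"]]
    # The multiport match accepts at most 15 ports per rule.
    if not 1 <= len(ports) <= 15 or any(
            type(p) is not int or not 1 <= p <= 65535 for p in ports):
        raise ValueError(f"bad dport in {name!r}")
    dports = ",".join(map(str, ports))
    return (f"-A {chain} -p {rule['proto']} -m multiport --dports {dports} "
            f'-m comment --comment "{name}" -j {action}')


def render_ruleset(rules):
    """Render the whole filter table once, on the control node."""
    lines = ["*filter", ":INPUT ACCEPT [0:0]", ":FORWARD ACCEPT [0:0]",
             ":OUTPUT ACCEPT [0:0]"]
    # Sorting by name keeps the output deterministic across runs.
    lines += [render_rule(r) for r in sorted(rules, key=lambda r: r["name"])]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Validate on the node with `iptables-restore --test` before loading;
    # without --noflush, iptables-restore replaces the table's existing rules.
    print(render_ruleset(SAMPLE_RULES), end="")
```
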

Changed in tripleo:
status: New → Confirmed
importance: Undecided → Medium
milestone: none → ussuri-2
Changed in tripleo:
assignee: nobody → Kevin Carter (kevin-carter)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/698620
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=38c75fb83e059b44e7344eca93a8fdadee04630f
Submitter: Zuul
Branch: master

commit 38c75fb83e059b44e7344eca93a8fdadee04630f
Author: Kevin Carter <email address hidden>
Date: Wed Dec 11 20:02:49 2019 -0600

    Update firewall role to use an action plugin

    This change updates our firewall role so that it's using an action plugin
    to invoke the iptables module. This is being done to speed up rule creation
    and maintenance.

    Tests have been updated to ensure we're capturing all of the logic within
    the action plugin accordingly.

    Depends-On: Ie9b6fd5792efb270ae577b08d6a2d5b78dabe5e7
    Closes-Bug: #1856094
    Change-Id: I3e4c6586796753b5d1cb9aa6a7c3eee6ecc235fb
    Signed-off-by: Kevin Carter <email address hidden>

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-ansible 1.1.0

This issue was fixed in the openstack/tripleo-ansible 1.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/744224

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (stable/train)

Reviewed: https://review.opendev.org/744224
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=6b943357fcf53419ce8b071d7bea66f583cf881d
Submitter: Zuul
Branch: stable/train

commit 6b943357fcf53419ce8b071d7bea66f583cf881d
Author: Kevin Carter <email address hidden>
Date: Wed Dec 11 20:02:49 2019 -0600

    Update firewall role to use an action plugin

    This change updates our firewall role so that it's using an action plugin
    to invoke the iptables module. This is being done to speed up rule creation
    and maintenance.

    Tests have been updated to ensure we're capturing all of the logic within
    the action plugin accordingly.

    Depends-On: Ie9b6fd5792efb270ae577b08d6a2d5b78dabe5e7
    Closes-Bug: #1856094
    Change-Id: I3e4c6586796753b5d1cb9aa6a7c3eee6ecc235fb
    Signed-off-by: Kevin Carter <email address hidden>
    (cherry picked from commit 38c75fb83e059b44e7344eca93a8fdadee04630f)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-ansible 0.6.0

This issue was fixed in the openstack/tripleo-ansible 0.6.0 release.
