Noopfirewall driver or security group disabled should avoid impose security group related calls to Neutron server
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Fix Released
|
High
|
zhu zhu | ||
Juno |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
With openvswitch neutron agent, during the daemon loop, the phase for setup_port_filters will try to grab/call method 'security_
And this operation will be very time consuming and have big performance bottleneck as it include ports query, rules query, network query as well as reconstruct the huge Security groups Dict Message. This message size is very large and for processing it, it will occupy a lot of CPU of Neutron Server. In cases like VM/perhost arrive to 700, the Neutron server will be busy doing the message and couldn't to do other thing and this could lead to message queue connection timeout and make queue disconnect the consumers. As a result the Neutron server is crashed and not function either for deployments or for API calls.
For the Noopfirewall or security group disabled situation, this operation should be avoided. Because eventually these reply message would not be used by Noopfirewall driver. (There methods are pass).
with self.firewall.
for device in devices.values():
description: | updated |
Changed in neutron: | |
milestone: | none → juno-rc1 |
importance: | Undecided → High |
tags: | added: ovs sg-fw |
Changed in neutron: | |
milestone: | juno-rc1 → kilo-1 |
tags: | added: juno-backport-potential |
Changed in neutron: | |
status: | Fix Committed → Fix Released |
Changed in neutron: | |
milestone: | kilo-1 → 2015.1.0 |
Fix proposed to branch: master /review. openstack. org/119313
Review: https:/