Comment 8 for bug 1439817

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/kilo)

Reviewed: https://review.openstack.org/174699
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a6b2c22dcea73754dbfd0ef39c60ad28ab2dbb73
Submitter: Jenkins
Branch: stable/kilo

commit a6b2c22dcea73754dbfd0ef39c60ad28ab2dbb73
Author: Kevin Benton <email address hidden>
Date: Mon Mar 30 23:52:56 2015 -0700

    Set IPset hash type to 'net' instead of 'ip'

    The previous hash type was 'ip' and this caused a major
    issue with the allowed address pairs extension since it
    results in CIDRs being passed to ipset. When the hash type
    is 'ip', a CIDR is completely enumerated into all of its
    addresses so 10.100.0.0/16 results in ~65k entries. This
    meant a single allowed_address_pairs entry could easily
    exhaust an entire set.

    This patch changes the hash type to 'net', which is designed
    to handle a CIDR as a single entry.

    This patch also changes the names of the ipsets because
    creating an ipset with different parameters will cause an
    error and our ipset manager code isn't robust enough to handle
    that at this time. There is another ongoing patch to fix
    that but it won't be ready in time.[1]

    The related bug was closed by increasing the set limit, which
    did alleviate the problem. However, this change would also
    address the issue because the gate tests run an allowed address
    pairs extension test with the CIDR mentioned above.

    1. I59e2e1c090cb95ee1bd14dbb53b6ff2c5e2713fd

    Related-Bug: #1439817
    Closes-Bug: #1444397
    Change-Id: I8177699b157cd3eac46e2f481f47b5d966c49b07
    (cherry picked from commit a38b5df5cd3c47672705aad4c30e789ae11ec958)
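
The sizing difference the commit message describes, as an added example that is not part of the neutron change: it counts how many entries a list of allowed address pairs would occupy under each hash type and checks the result against the set's element limit. The function names and the sample list are constructed for illustration; it assumes one IPv4 set and ipset's default `maxelem` of 65536.

```python
import ipaddress

# Default size limit of an ipset when "maxelem" is not given at creation.
IPSET_DEFAULT_MAXELEM = 65536


def _networks(members):
    # Constructed helper: parse bare addresses and CIDRs of one address family.
    return [ipaddress.ip_network(m, strict=False) for m in members]


def entries_hash_ip(members):
    """Entries a hash:ip set ends up with: every CIDR is expanded into
    its individual addresses; overlapping members share addresses."""
    return sum(n.num_addresses
               for n in ipaddress.collapse_addresses(_networks(members)))


def entries_hash_net(members):
    """Entries a hash:net set ends up with: one per distinct prefix."""
    return len(set(_networks(members)))


def audit(members, maxelem=IPSET_DEFAULT_MAXELEM):
    """Compare both hash types against the set's element limit."""
    result = {}
    for name, count in (("hash:ip", entries_hash_ip(members)),
                        ("hash:net", entries_hash_net(members))):
        result[name] = {"entries": count, "fits": count <= maxelem}
    return result


# Constructed sample: the CIDR from the commit message plus two host addresses.
SAMPLE_PAIRS = ["10.100.0.0/16", "192.168.1.10", "192.168.1.11/32"]

if __name__ == "__main__":
    for hash_type, info in audit(SAMPLE_PAIRS).items():
        print(hash_type, info)
```

The /16 alone fills a default-sized hash:ip set exactly, so any further member pushes it past the limit, while the same list is three entries under hash:net.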