Security group performance issue for iptables driver due to "stateless feature"
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Medium | Rodolfo Alonso |
Bug Description
There is a huge performance issue with the security groups when using the iptables implementation:
If you have a security group with say 500 rules it will take minutes for the RPC server to create the port configuration.
You will see this when you restart the neutron-
In the agent log you will see "Preparing filters for devices" and this will take minutes for a single port when having a significant amount of rules in the security group.
After some investigation this seems to be the cause:
In the commit below stateful functionality was added for iptables implementation:
However there is a huge performance impact, in the following function in
neutron/
def security_
For EACH security group rule in a group it will do a database lookup to check what the setting is on the group:
Which will call:
def _is_security_
return sg_obj.
So if you have say 500 rules it will go 500 times(!) to the database to check the exact same property on the group object which absolutely tanks performance.
I played around with caching the stateful property for the group (since it is not even changeable on a security group if there are rules present) and the function went from taking multiple minutes to about a second.
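The lookup pattern the report describes, reduced to a runnable illustration. This is an added example and not Neutron's code: the database, security group and rule objects are hypothetical stand-ins, and the only thing measured is how many times the group's stateful flag is fetched while converting a group's rules. The naive version performs one lookup per rule; the cached version memoises the flag per group within a single conversion, which is safe here because, as the report notes, the flag cannot change while the group has rules.

```python
"""Per-rule vs. cached lookup of a security group's stateful flag.

Added example (not Neutron's own code).  FakeDB, Rule and the convert_*
functions are hypothetical stand-ins for the real database and RPC layer.
"""
from collections import namedtuple

# Constructed rule record; only id and security_group_id matter here.
Rule = namedtuple("Rule", ["id", "security_group_id", "direction", "protocol"])


class FakeDB:
    """Stand-in database that counts stateful-flag lookups."""

    def __init__(self, stateful_by_group):
        self._stateful = dict(stateful_by_group)
        self.queries = 0

    def is_security_group_stateful(self, sg_id):
        # Each call represents one round trip to the database.
        self.queries += 1
        return self._stateful[sg_id]


def make_rules(sg_id, n):
    """Construct n sample ingress/tcp rules belonging to sg_id."""
    return [Rule(f"rule-{i}", sg_id, "ingress", "tcp") for i in range(n)]


def convert_rules_naive(db, rules):
    """One database lookup for every rule, even when all rules share a group."""
    result = []
    for rule in rules:
        stateful = db.is_security_group_stateful(rule.security_group_id)
        result.append({"rule_id": rule.id, "stateful": stateful})
    return result


def convert_rules_cached(db, rules):
    """Memoise the flag per group: one lookup per distinct group."""
    cache = {}
    result = []
    for rule in rules:
        sg_id = rule.security_group_id
        if sg_id not in cache:
            cache[sg_id] = db.is_security_group_stateful(sg_id)
        result.append({"rule_id": rule.id, "stateful": cache[sg_id]})
    return result


def compare(rules_per_group):
    """Return (naive_queries, cached_queries) for {group_id: rule_count}.

    Both conversions are checked to produce identical output, so the only
    difference is the number of database round trips.
    """
    rules = [r for sg_id, n in rules_per_group.items() for r in make_rules(sg_id, n)]
    stateful = {sg_id: True for sg_id in rules_per_group}
    db_naive, db_cached = FakeDB(stateful), FakeDB(stateful)
    out_naive = convert_rules_naive(db_naive, rules)
    out_cached = convert_rules_cached(db_cached, rules)
    if out_naive != out_cached:
        raise AssertionError("cached conversion changed the result")
    return db_naive.queries, db_cached.queries


if __name__ == "__main__":
    print("500 rules, one group:", compare({"sg-1": 500}))
```

Running the module prints `(500, 1)` for the 500-rule case from the report: the cache removes 499 round trips without changing the converted rules.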
Changed in neutron:
importance: Undecided → Medium
Hi, thanks for reporting this issue. Could you give some more details please?
Are you seeing the same performance issue on master, or did you test only on a specific branch? I assume you are using the hybrid firewall driver with OVS, or am I wrong?