Port creation is slow due to the way networking-ovn handles ACLs
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
networking-ovn | Fix Released | Undecided | Maciej Jozefczyk | |
ovsdbapp | Fix Released | Undecided | Unassigned | |
Bug Description
I raised the problem on the OVS mailing list at [0].
Basically the port creation time grows linearly due to the fact that we're creating duplicated ACL entries in the NB database every time a port is added to a Logical Switch. Most of those ACLs are exactly the same except for the inport/outport fields, which make reference to every single port affected by that rule. Whenever some data comes from ovsdb-server, the Python IDL takes a lot of time to process such a big amount of data (especially in JSON conversions).
As an initial optimization, I sent a patch [1] that greatly improved the processing in the OVS Python IDL, as you can see in this graph [2]. However, even though this looks good enough, there's still room for improvement by cutting down the number of ACLs to 1 per SG rule per Logical Switch instead of 1 per SG rule per Port per Logical Switch, especially at scale. This will make networking-ovn much faster when creating/updating ports/security group rules and will also make ovn-northd less busy, as there'll be fewer ACLs to process.
There's a chain of patches in Core OVN currently under review [3] that will add the required functionality there and we would need to make use of it in networking-ovn as well.
[0] https:/
[1] https:/
[2] http://
[3] https:/
tags: | added: networking-ovn-proactive-backport-potential |
tags: | removed: networking-ovn-proactive-backport-potential |
Reviewed: https://review.openstack.org/549249
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=93737fdc85c66213166e1e3bb14519871a2efad4
Submitter: Zuul
Branch: master
commit 93737fdc85c66213166e1e3bb14519871a2efad4
Author: Daniel Alvarez <email address hidden>
Date: Fri Mar 2 15:59:15 2018 +0100
ACL optimizations design spec
This spec describes the current problem with ACL's, the changes being
done in the core OVN side and the proposed solution on the OpenStack
integration driver to solve it.
Partial-Bug: #1752897
Change-Id: I23c4150606ef9e51ab0af0abaad7fe3f56e5f754
Signed-off-by: Daniel Alvarez <email address hidden>