NSX plugin security group rules OVS flow explosion

Bug #1376981 reported by Sudheendra Murthy on 2014-10-03
This bug affects 2 people
Affects Status Importance Assigned to Milestone

Bug Description

In our clouds running Havana with VMware NSX, we often see an explosion of OVS flows when there are many complex security group rules. Specifically when the rules involve remote_group_id (security profile in NSX), there are OVS flow rules created for every pair of VMs belonging to the tenant resulting in O(n^2) rules. In large deployments, this results in severe performance issues when the number of OVS flow rules in gets into millions. In addition, this results in an exponential increase in memory consumption on NSX controllers.

Nicira plugin should make an attempt at summarizing the security group rules created by the users, so that it results in efficient representation on OVS as well as reduces memory consumption on NSX controllers.


1. With every security group, Nicira automatically adds a hidden (hidden = not stored in Neutron) security group rule to allow ingress IPv4 UDP traffic on DHCP port 68. If a user creates exactly the same rule, then a duplicate rule is created and maintained by NSX controllers and pushed down to OVS on hypervisors. The other case is even if the user creates a broader rule allowing UDP traffic on all ports, NSX maintains both the broader rule and the hidden DHCP rule. In this case, there is no need to have the additional more specific DHCP hidden rule.

2. We have seen cases where users have created both a broader rule to allow UDP/TCP/ICMP traffic from outside and additional rules to restrict the same traffic to their tenant VMs. In this case, the self-referential rules significantly increase OVS flows and can be completely avoided.

Ideally, NVP plugin (nvplib.py in Havana) should summarize the rules in the security group before submitting them NSX controller.

Changed in neutron:
assignee: nobody → Sudheendra Murthy (sudhi-vm)
Changed in neutron:
importance: Undecided → High

Change abandoned by Alan Pevec (<email address hidden>) on branch: stable/havana
Review: https://review.openstack.org/125851
Reason: The stable/havana branch has reached end of life and will no longer be supported now that 2013.2.4 is released. As such, all remaining open changes for this branch on official OpenStack projects are being abandoned.

Fix proposed to branch: master
Review: https://review.openstack.org/126408

Changed in neutron:
status: New → In Progress
Eugene Nikanorov (enikanorov) wrote :

Any updates on the patch?

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/126408
Reason: superseded

no longer affects: neutron
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers