NSX plugin security group rules OVS flow explosion

Bug #1376981 reported by Sudheendra Murthy
This bug affects 2 people
Affects: vmware-nsx | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

In our clouds running Havana with VMware NSX, we often see an explosion of OVS flows when there are many complex security group rules. Specifically, when the rules involve remote_group_id (security profile in NSX), OVS flow rules are created for every pair of VMs belonging to the tenant, resulting in O(n^2) rules. In large deployments, this results in severe performance issues when the number of OVS flow rules gets into the millions. In addition, this results in an exponential increase in memory consumption on NSX controllers.

The Nicira plugin should make an attempt at summarizing the security group rules created by the users, so that it results in an efficient representation on OVS as well as reduced memory consumption on NSX controllers.

Examples:

1. With every security group, Nicira automatically adds a hidden (hidden = not stored in Neutron) security group rule to allow ingress IPv4 UDP traffic on DHCP port 68. If a user creates exactly the same rule, then a duplicate rule is created and maintained by NSX controllers and pushed down to OVS on hypervisors. The other case is even if the user creates a broader rule allowing UDP traffic on all ports, NSX maintains both the broader rule and the hidden DHCP rule. In this case, there is no need to have the additional more specific DHCP hidden rule.

2. We have seen cases where users have created both a broader rule to allow UDP/TCP/ICMP traffic from outside and additional rules to restrict the same traffic to their tenant VMs. In this case, the self-referential rules significantly increase OVS flows and can be completely avoided.

Ideally, the NVP plugin (nvplib.py in Havana) should summarize the rules in the security group before submitting them to the NSX controller.
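
A worked example of the summarization step the report asks for, added here and not code from the report or from the vmware-nsx/Neutron plugin. It models rules as Neutron-style dicts, decides whether one rule fully covers another (direction, ethertype, protocol, port range and remote scope), and drops every rule that a broader rule in the same group already covers, which handles both cases above: the hidden DHCP rule (or a user duplicate of it) disappears when an all-ports UDP rule exists, and a self-referential remote_group_id rule disappears when the same traffic is already allowed from anywhere. The names rule(), covers(), summarize(), rules_for_controller() and HIDDEN_DHCP_RULE are chosen for the example, the hidden DHCP rule is modelled as a plain dict in the same shape as user rules, protocol names are assumed normalized to 'tcp'/'udp'/'icmp', and the sample rule set is constructed, not taken from any deployment.

```python
# Added example, not code from the vmware-nsx/Neutron plugin (nvplib.py):
# summarize a security group's rules by dropping every rule that another rule
# in the same group already covers, so fewer rules reach the NSX controller and OVS.
from ipaddress import ip_network

ALL_PORTS = (0, 65535)


def rule(protocol=None, ports=None, direction="ingress", ethertype="IPv4",
         remote_ip_prefix=None, remote_group_id=None):
    """Build a Neutron-style security group rule dict (helper chosen for this example).

    protocol None = any protocol; ports None = any port; no remote_* = any peer.
    Protocol names are assumed to be normalized ('tcp', 'udp', 'icmp'), not numbers.
    """
    lo, hi = (None, None) if ports is None else ports
    return {"direction": direction, "ethertype": ethertype, "protocol": protocol,
            "port_range_min": lo, "port_range_max": hi,
            "remote_ip_prefix": remote_ip_prefix, "remote_group_id": remote_group_id}


# Neutron's hidden ingress rule for DHCP replies (IPv4 UDP, client port 68),
# modelled here in the same dict shape as user rules (assumption for the example).
HIDDEN_DHCP_RULE = rule(protocol="udp", ports=(68, 68))


def _port_range(r):
    lo, hi = r["port_range_min"], r["port_range_max"]
    return (ALL_PORTS[0] if lo is None else lo, ALL_PORTS[1] if hi is None else hi)


def covers(broad, narrow):
    """True when every packet matched by `narrow` is also matched by `broad`."""
    if (broad["direction"], broad["ethertype"]) != (narrow["direction"], narrow["ethertype"]):
        return False
    if broad["protocol"] is not None:          # None = any protocol, any port
        if broad["protocol"] != narrow["protocol"]:
            return False
        blo, bhi = _port_range(broad)
        nlo, nhi = _port_range(narrow)
        if not (blo <= nlo and nhi <= bhi):
            return False
    # Remote scope: a remote_group_id is a dynamic set of tenant VMs, so it only
    # covers a rule scoped to that same group; a prefix covers its sub-prefixes;
    # no remote restriction covers everything, including self-referential rules.
    if broad["remote_group_id"] is not None:
        return (narrow["remote_group_id"] == broad["remote_group_id"]
                and narrow["remote_ip_prefix"] is None)
    if broad["remote_ip_prefix"] is not None:
        if narrow["remote_ip_prefix"] is None:
            return False                       # narrow is "any peer" or a group
        return ip_network(narrow["remote_ip_prefix"], strict=False).subnet_of(
            ip_network(broad["remote_ip_prefix"], strict=False))
    return True


def summarize(rules):
    """Return the rules not fully covered by another rule; of identical rules keep the first."""
    kept = []
    for i, r in enumerate(rules):
        redundant = False
        for j, other in enumerate(rules):
            if i == j or not covers(other, r):
                continue
            if covers(r, other) and j > i:
                continue                       # equivalent rule later in the list: keep this one
            redundant = True
            break
        if not redundant:
            kept.append(r)
    return kept


def rules_for_controller(user_rules):
    """What the plugin would push: user rules plus the hidden DHCP rule, summarized."""
    return summarize(list(user_rules) + [HIDDEN_DHCP_RULE])


# Constructed sample reproducing the two situations described in the report.
USER_RULES = [
    rule(protocol="udp"),                                            # all UDP from anywhere
    rule(protocol="tcp", ports=(22, 22), remote_group_id="sg-web"),  # self-referential SSH
    rule(protocol="tcp", ports=(22, 22)),                            # SSH from anywhere
    rule(protocol="udp", ports=(68, 68)),                            # user copy of the hidden rule
]

if __name__ == "__main__":
    before = USER_RULES + [HIDDEN_DHCP_RULE]
    after = rules_for_controller(USER_RULES)
    print(f"{len(before)} rules before summarization, {len(after)} after")
    for r in after:
        print(r)
```

On the constructed sample the five rules collapse to two (all UDP from anywhere, SSH from anywhere): the self-referential SSH rule, the user's DHCP rule and the hidden DHCP rule are all covered by broader rules. The pairwise check is O(r^2) in the number of rules in one group, which is cheap compared with the O(n^2) per-VM-pair flows it prevents downstream.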

Changed in neutron:
assignee: nobody → Sudheendra Murthy (sudhi-vm)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/125851

Changed in neutron:
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/havana)

Change abandoned by Alan Pevec (<email address hidden>) on branch: stable/havana
Review: https://review.openstack.org/125851
Reason: The stable/havana branch has reached end of life and will no longer be supported now that 2013.2.4 is released. As such, all remaining open changes for this branch on official OpenStack projects are being abandoned.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/126408

Changed in neutron:
status: New → In Progress
Revision history for this message
Eugene Nikanorov (enikanorov) wrote :

Any updates on the patch?

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/126408
Reason: superseded

no longer affects: neutron
Revision history for this message
Adit Sarfaty (asarfaty) wrote :
Changed in vmware-nsx:
status: New → Fix Committed
status: Fix Committed → Fix Released