[Openstack-stable-maint] Neutron backports for security group performance

Claudiu Belu cbelu at cloudbasesolutions.com
Wed Oct 29 11:29:03 UTC 2014


Hello,

The security groups really need a performance boost, since they become troublesome in large deployments.

Let's say we have an OpenStack deployment of 10,000 VMs. Each time we modify a security group rule, the L2 agents will be notified that the security group has changed. Some of them (I don't know if all of them) will do a full refresh. This would mean 10,000 refreshes each time a security group changes.

Now, the question is, how often will the security groups change? Well, as far as I know, a security group rule is created whenever a new port is created and is bound to a network (for example, nova boot --nic net-id=...). Also, when a VM is deleted, the security group rule will be removed as well. I also assume that the L2 agent will refresh the security group rules in case of migration and resize.

Also, there are some agents (Hyper-V L2 agent) that will refresh all the ports they manage when they start.
Also, a VM can have multiple security groups, so when an agent does a refresh, it will refresh for each security group.
Also, a VM can have multiple NICs, which can mean more ports and more rules.

There might be other common scenarios I didn't mention, but my point is that any performance boost, even a small one, for security groups will have a big impact.

I am in favor of this, but still, I think we will have to make sure it introduce new issues for some L2 agents, since they are the main consumers of the security groups. The commits will have to be validated by all the CIs.

Best regards,
Claudiu Belu
________________________________________
From: Ihar Hrachyshka [ihrachys at redhat.com]
Sent: Wednesday, October 29, 2014 12:59 PM
To: Miguel Angel Ajo Pelayo
Cc: openstack-stable-maint
Subject: Re: [Openstack-stable-maint] Neutron backports for security group performance

On 29/10/14 11:39, Miguel Angel Ajo Pelayo wrote:
> In the case of backporting, I'd, at least, let some time to get
> those changes cured, and make sure they are not introducing any new
> failure mode.

Cured? What do you mean? Giving them some time to sit in master before
proceeding with backports?

/Ihar
