[Openstack-stable-maint] Neutron backports for security group performance

Miguel Angel Ajo Pelayo mangelajo at redhat.com
Wed Oct 29 12:14:13 UTC 2014


+1, with "cured" I mean sitting on master to make sure they don't introduce any new issues.
I like Claudiu's definition of the problem, it's actually very descriptive.

Claudiu, I believe all plugins gerrit/CI on stable/juno may be enough to validate the backports,
am I right? Otherwise the process could get too complicated (manual backport D/S for every CI, and
specific testing... that actually may happen before the next D/S release based on juno).

----- Original Message -----
> Hello,
> 
> The security groups really need a performance boost, since they become
> troublesome in large deployments.
> 
> Let's say we have an OpenStack deployment of 10,000 vms. Each time we modify
> a security group rule, the L2 agents will be notified that the security
> group has changed. Some of them (I don't know if all of them) will do a full
> refresh. This would mean 10,000 refreshes each time a security group
> changes.
> 
> Now, the question is, how often will the security groups change? Well, as far
> as I know, a security group rule is created whenever a new port is created
> and is bound to a network (for example, nova boot --nic net-id=...). Also,
> when a vm is deleted, the security group rule will be removed as well. I
> also assume that the L2 agent will refresh the security group rules in case
> of migration and resize.
> 
> Also, there are some agents (Hyper-V L2 agent) that will refresh all the
> ports they manage when they start.
> Also, a vm can have multiple security groups, so when an agent does a
> refresh, it will refresh for each security group.
> Also, a vm can have multiple nics, which can mean more ports and more rules.
> 
> There might be other common scenarios I didn't mention, but my point is that
> any performance boost, even a small one, for security groups will have a big
> impact.
> 
> I am in favor of this, but still, I think we will have to make sure it
> introduce new issues for some L2 agents, since they are the main consumers
> of the security groups. The commits will have to be validated by all the
> CIs.
> 
> Best regards,
> Claudiu Belu
> ________________________________________
> From: Ihar Hrachyshka [ihrachys at redhat.com]
> Sent: Wednesday, October 29, 2014 12:59 PM
> To: Miguel Angel Ajo Pelayo
> Cc: openstack-stable-maint
> Subject: Re: [Openstack-stable-maint] Neutron backports for security group
> performance
> 
> On 29/10/14 11:39, Miguel Angel Ajo Pelayo wrote:
> > In the case of backporting, I'd, at least, let some time to get
> > those changes cured, and make sure they are not introducing any new
> > failure mode.
> 
> Cured? What do you mean? Giving them some time to sit in master before
> proceeding with backports?
> 
> /Ihar
> 
> _______________________________________________
> Openstack-stable-maint mailing list
> Openstack-stable-maint at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-stable-maint
> 


