Allow skip processing exposed ports

The endpoints 'network_driver_program_external_connectivity'
and 'network_driver_revoke_external_connectivity' will dynamically
create security groups and security group rules to open the ports
exposed by the docker container. However, this processing makes
too many neutron API calls, which significantly slows down
container start/stop. The processing is not mandatory,
because users can manually configure the SGs to achieve the
equivalent.

This patch makes the processing of exposed ports configurable.
As a result, it can be disabled if users want better performance.

Change-Id: I6d6d176512e6b30bb7372408aec1a7bac12335ab
Hongbin Lu 2018-04-22 02:00:27 +00:00
parent bf529e0d25
commit 17db307e27
5 changed files with 94 additions and 0 deletions


@ -59,6 +59,7 @@ function configure_kuryr {
configure_auth_token_middleware "$KURYR_CONFIG" kuryr \
"$KURYR_AUTH_CACHE_DIR" neutron
iniset $KURYR_CONFIG DEFAULT capability_scope $KURYR_CAPABILITY_SCOPE
iniset $KURYR_CONFIG DEFAULT process_external_connectivity $KURYR_PROCESS_EXTERNAL_CONNECTIVITY
fi
if [[ "$ENABLE_PLUGINV2" == "True" ]]; then


@ -20,6 +20,7 @@ KURYR_POOL_PREFIX=${KURYR_POOL_PREFIX:-10.10.0.0/16}
KURYR_POOL_PREFIX_LEN=${KURYR_POOL_PREFIX_LEN:-24}
KURYR_CAPABILITY_SCOPE=${KURYR_CAPABILITY_SCOPE:-local}
KURYR_PROCESS_EXTERNAL_CONNECTIVITY=${KURYR_PROCESS_EXTERNAL_CONNECTIVITY:-True}
KURYR_DOCKER_ENGINE_PORT=${KURYR_DOCKER_ENGINE_PORT:-2375}
DOCKER_CLUSTER_STORE=${DOCKER_CLUSTER_STORE:-etcd://$SERVICE_HOST:$ETCD_PORT}


@ -52,6 +52,9 @@ core_opts = [
cfg.ListOpt('enabled_port_drivers',
default=['kuryr_libnetwork.port_driver.drivers.veth'],
help=_('Available port drivers')),
cfg.BoolOpt('process_external_connectivity',
default=True,
help=_('Do processing external connectivity')),
cfg.StrOpt('ssl_cert_file',
default='/var/lib/kuryr/certs/cert.pem',
help=_('This option allows setting absolute path'
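Review bot: The help string `Do processing external connectivity` on the new `process_external_connectivity` option does not tell an operator what turning it off means for network exposure. Going by the commit description and the controller change, a False value makes both external-connectivity endpoints return success without creating or removing any Neutron security group or rule, so the operator becomes responsible for those rules. I would spell that out, e.g. `help=_('Create and remove Neutron security groups/rules for ports exposed by containers. If False, both external connectivity endpoints return success without calling Neutron and security groups must be managed manually.')`.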


@ -1437,6 +1437,9 @@ def network_driver_program_external_connectivity():
json_data = flask.request.get_json(force=True)
LOG.debug("Received JSON data %s for"
" /NetworkDriver.ProgramExternalConnectivity", json_data)
if not cfg.CONF.process_external_connectivity:
return flask.jsonify(const.SCHEMA['SUCCESS'])
# TODO(banix): Add support for exposed ports
port = _get_neutron_port_from_docker_endpoint(json_data['EndpointID'])
if port:
@ -1459,6 +1462,9 @@ def network_driver_revoke_external_connectivity():
json_data = flask.request.get_json(force=True)
LOG.debug("Received JSON data %s for"
" /NetworkDriver.RevokeExternalConnectivity", json_data)
if not cfg.CONF.process_external_connectivity:
return flask.jsonify(const.SCHEMA['SUCCESS'])
# TODO(banix): Add support for removal of exposed ports
port = _get_neutron_port_from_docker_endpoint(json_data['EndpointID'])
if port:
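Review bot: The early return added to network_driver_revoke_external_connectivity means that once `process_external_connectivity` is switched to False, security groups and rules created earlier by ProgramExternalConnectivity are no longer removed by this endpoint, so ports opened for containers started before the switch may stay open. Whether another path (for example endpoint deletion) cleans them up is not visible in these hunks. At minimum, record the skip so the behaviour can be diagnosed, e.g. `LOG.debug("process_external_connectivity is disabled; skipping security group cleanup")` before the return, and state the flag-flip caveat in the option's help text or a release note. The matching guard in network_driver_program_external_connectivity deserves the same log line; both function bodies continue outside the hunks.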


@ -21,6 +21,7 @@ from oslo_utils import uuidutils
from kuryr.lib import constants as lib_const
from kuryr.lib import utils as lib_utils
from kuryr_libnetwork import config
from kuryr_libnetwork import constants
from kuryr_libnetwork.tests.unit import base
from kuryr_libnetwork import utils
@ -55,6 +56,7 @@ class TestExternalConnectivityKuryr(base.TestKuryrBase):
num_ports, mock_list_ports, mock_create_security_group,
mock_create_security_group_rule, mock_show_port,
mock_update_port):
config.CONF.set_override('process_external_connectivity', True)
fake_docker_net_id = lib_utils.get_hash()
fake_docker_endpoint_id = lib_utils.get_hash()
@ -142,6 +144,51 @@ class TestExternalConnectivityKuryr(base.TestKuryrBase):
decoded_json = jsonutils.loads(response.data)
self.assertEqual(constants.SCHEMA['SUCCESS'], decoded_json)
@mock.patch('kuryr_libnetwork.controllers.app.neutron.update_port')
@mock.patch('kuryr_libnetwork.controllers.app.neutron.show_port')
@mock.patch(
'kuryr_libnetwork.controllers.app.neutron.create_security_group_rule')
@mock.patch(
'kuryr_libnetwork.controllers.app.neutron.create_security_group')
@mock.patch('kuryr_libnetwork.controllers.app.neutron.list_ports')
@ddt.data((False, 1), (True, 1), (False, 2), (True, 2))
@ddt.unpack
def test_network_driver_program_external_connectivity_disabled(
self, existing_sg,
num_ports, mock_list_ports, mock_create_security_group,
mock_create_security_group_rule, mock_show_port,
mock_update_port):
config.CONF.set_override('process_external_connectivity', False)
fake_docker_net_id = lib_utils.get_hash()
fake_docker_endpoint_id = lib_utils.get_hash()
port_opt = []
for i in range(num_ports):
port_opt.append({u'Port': PORT + i, u'Proto': PROTOCOL_TCP})
port_opt.append({u'Port': PORT + i, u'Proto': PROTOCOL_UDP})
port_opt.append({u'Port': SINGLE_PORT, u'Proto': PROTOCOL_UDP})
options = {'com.docker.network.endpoint.exposedports':
port_opt,
'com.docker.network.portmap':
[]}
data = {
'NetworkID': fake_docker_net_id,
'EndpointID': fake_docker_endpoint_id,
'Options': options,
}
response = self.app.post('/NetworkDriver.ProgramExternalConnectivity',
content_type='application/json',
data=jsonutils.dumps(data))
self.assertEqual(200, response.status_code)
mock_update_port.assert_not_called()
mock_show_port.assert_not_called()
mock_create_security_group_rule.assert_not_called()
mock_create_security_group.assert_not_called()
mock_list_ports.assert_not_called()
decoded_json = jsonutils.loads(response.data)
self.assertEqual(constants.SCHEMA['SUCCESS'], decoded_json)
@mock.patch('kuryr_libnetwork.controllers.app.neutron.update_port')
@mock.patch('kuryr_libnetwork.controllers.app.neutron.show_port')
@mock.patch(
@ -155,6 +202,7 @@ class TestExternalConnectivityKuryr(base.TestKuryrBase):
removing_sg, mock_list_ports, mock_list_security_groups,
mock_delete_security_groups, mock_show_port,
mock_update_port):
config.CONF.set_override('process_external_connectivity', True)
fake_docker_net_id = lib_utils.get_hash()
fake_docker_endpoint_id = lib_utils.get_hash()
@ -219,3 +267,38 @@ class TestExternalConnectivityKuryr(base.TestKuryrBase):
mock_update_port.assert_not_called()
decoded_json = jsonutils.loads(response.data)
self.assertEqual(constants.SCHEMA['SUCCESS'], decoded_json)
@mock.patch('kuryr_libnetwork.controllers.app.neutron.update_port')
@mock.patch('kuryr_libnetwork.controllers.app.neutron.show_port')
@mock.patch(
'kuryr_libnetwork.controllers.app.neutron.delete_security_group')
@mock.patch(
'kuryr_libnetwork.controllers.app.neutron.list_security_groups')
@mock.patch('kuryr_libnetwork.controllers.app.neutron.list_ports')
@ddt.data((False, False), (False, True), (True, False), (True, True))
@ddt.unpack
def test_network_driver_revoke_external_connectivity_disabled(
self, existing_sg,
removing_sg, mock_list_ports, mock_list_security_groups,
mock_delete_security_groups, mock_show_port,
mock_update_port):
config.CONF.set_override('process_external_connectivity', False)
fake_docker_net_id = lib_utils.get_hash()
fake_docker_endpoint_id = lib_utils.get_hash()
data = {
'NetworkID': fake_docker_net_id,
'EndpointID': fake_docker_endpoint_id,
}
response = self.app.post('/NetworkDriver.RevokeExternalConnectivity',
content_type='application/json',
data=jsonutils.dumps(data))
self.assertEqual(200, response.status_code)
mock_list_ports.assert_not_called()
mock_list_security_groups.assert_not_called()
mock_delete_security_groups.assert_not_called()
mock_show_port.assert_not_called()
mock_update_port.assert_not_called()
decoded_json = jsonutils.loads(response.data)
self.assertEqual(constants.SCHEMA['SUCCESS'], decoded_json)
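Review bot: The four `config.CONF.set_override('process_external_connectivity', ...)` calls are never undone in the visible test bodies, so unless base.TestKuryrBase resets overrides (not visible here) the value set by one test leaks into whichever test runs next. Registering the cleanup right after each override keeps the tests order-independent: `self.addCleanup(config.CONF.clear_override, 'process_external_connectivity')`. Separately, `existing_sg`, `num_ports` beyond the request body, and `removing_sg` do not influence the assertions in the two `_disabled` tests, so the ddt matrix repeats the same check; one case per test would cover it.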