From 6494fcc2e44d9d9310e3ebaa92582f4f78d08b75 Mon Sep 17 00:00:00 2001
From: LIU Yulong <liuyul@chinatelecom.cn>
Date: Wed, 20 Feb 2019 16:47:42 +0800
Subject: [PATCH] Divide-and-conquer security group beasts

In one specific compute node, the security group rules
can be enormous quantity. This patch adds a step-by-step
processing method to deal with the large number of the
security group rules. And also changes or adds some LOG.

Related-Bug: #1813703
Related-Bug: #1813704
Related-Bug: #1813707

Conflicts:
	neutron/common/constants.py

Change-Id: I57bf27ec75cf848271c5a28b22beee12b8bd5faa
(cherry picked from commit 6ac420df7eb3ed324669472c61fec41b3d9cb35b)
---
 neutron/agent/common/ovs_lib.py                  |  8 ++++++--
 neutron/agent/securitygroups_rpc.py              | 16 +++++++++++-----
 neutron/common/constants.py                      | 12 ++++++++++++
 .../openvswitch/agent/ovs_neutron_agent.py       |  6 +++++-
 .../tests/unit/agent/test_securitygroups_rpc.py  |  6 +++---
 5 files changed, 37 insertions(+), 11 deletions(-)

diff --git a/neutron/agent/common/ovs_lib.py b/neutron/agent/common/ovs_lib.py
index 88f2c1fc7a7..cd2d4492cf4 100644
--- a/neutron/agent/common/ovs_lib.py
+++ b/neutron/agent/common/ovs_lib.py
@@ -440,10 +440,14 @@ class OVSBridge(BaseOVS):
         else:
             flow_strs = [_build_flow_expr_str(kw, action, strict)
                          for kw in kwargs_list]
+            LOG.debug("Processing %d OpenFlow rules.", len(flow_strs))
             if use_bundle:
                 extra_param.append('--bundle')
-            self.run_ofctl('%s-flows' % action, extra_param + ['-'],
-                           '\n'.join(flow_strs))
+
+            step = common_constants.AGENT_RES_PROCESSING_STEP
+            for i in range(0, len(flow_strs), step):
+                self.run_ofctl('%s-flows' % action, extra_param + ['-'],
+                               '\n'.join(flow_strs[i:i + step]))
 
     def add_flow(self, **kwargs):
         self.do_action_flows('add', [kwargs])
diff --git a/neutron/agent/securitygroups_rpc.py b/neutron/agent/securitygroups_rpc.py
index 9ad65e44182..7305340b78f 100644
--- a/neutron/agent/securitygroups_rpc.py
+++ b/neutron/agent/securitygroups_rpc.py
@@ -21,6 +21,7 @@ from oslo_log import log as logging
 import oslo_messaging
 
 from neutron.agent import firewall
+from neutron.common import constants as common_constants
 from neutron.conf.agent import securitygroups_rpc as sc_cfg
 
 
@@ -130,12 +131,17 @@ class SecurityGroupAgentRpc(object):
         self._apply_port_filter(device_ids)
 
     def _apply_port_filter(self, device_ids, update_filter=False):
+        step = common_constants.AGENT_RES_PROCESSING_STEP
         if self.use_enhanced_rpc:
-            devices_info = self.plugin_rpc.security_group_info_for_devices(
-                self.context, list(device_ids))
-            devices = devices_info['devices']
-            security_groups = devices_info['security_groups']
-            security_group_member_ips = devices_info['sg_member_ips']
+            devices = {}
+            security_groups = {}
+            security_group_member_ips = {}
+            for i in range(0, len(device_ids), step):
+                devices_info = self.plugin_rpc.security_group_info_for_devices(
+                    self.context, list(device_ids)[i:i + step])
+                devices.update(devices_info['devices'])
+                security_groups.update(devices_info['security_groups'])
+                security_group_member_ips.update(devices_info['sg_member_ips'])
         else:
             devices = self.plugin_rpc.security_group_rules_for_devices(
                 self.context, list(device_ids))
diff --git a/neutron/common/constants.py b/neutron/common/constants.py
index 809054e7539..8b98be69a78 100644
--- a/neutron/common/constants.py
+++ b/neutron/common/constants.py
@@ -253,3 +253,15 @@ EXT_PARENT_RESOURCE_MAPPING = {
     l3.FLOATINGIP: plugin_consts.L3
 }
 EXT_PARENT_PREFIX = 'ext_parent'
+
+# Number of resources for neutron agent side functions to deal
+# with large sets.
+# Setting this value does not count on special conditions, it is just a human
+# countable or scalable number. [1] gives us the method to test the scale
+# issue. And we have tested the value of 1000, 500, 200, 100. But for 100,
+# ovs-agent will have a lower timeout probability. And according to the
+# testing result, step size 100 can indeed cost about 10% much more time
+# than 500/1000. But such extra time looks inevitably needed to be sacrificed
+# for the restart success rate.
+# [1] http://paste.openstack.org/show/745685/
+AGENT_RES_PROCESSING_STEP = 100
diff --git a/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py b/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py
index 14806ac545f..156430b0b12 100644
--- a/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py
+++ b/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py
@@ -1722,8 +1722,8 @@ class OVSNeutronAgent(l2population_rpc.L2populationRpcCallBackTunnelMixin,
         need_binding_devices = []
         skipped_devices = set()
         binding_no_activated_devices = set()
+        start = time.time()
         if devices_added_updated:
-            start = time.time()
             (skipped_devices, binding_no_activated_devices,
              need_binding_devices, failed_devices['added']) = (
                 self.treat_devices_added_or_updated(
@@ -1752,6 +1752,10 @@ class OVSNeutronAgent(l2population_rpc.L2populationRpcCallBackTunnelMixin,
         self._add_port_tag_info(need_binding_devices)
         self.sg_agent.setup_port_filters(added_ports,
                                          port_info.get('updated', set()))
+        LOG.info("process_network_ports - iteration:%(iter_num)d - "
+                 "agent port security group processed in %(elapsed).3f",
+                 {'iter_num': self.iter_num,
+                  'elapsed': time.time() - start})
         failed_devices['added'] |= self._bind_devices(need_binding_devices)
 
         if 'removed' in port_info and port_info['removed']:
diff --git a/neutron/tests/unit/agent/test_securitygroups_rpc.py b/neutron/tests/unit/agent/test_securitygroups_rpc.py
index 5bef722f4ca..32695694abe 100644
--- a/neutron/tests/unit/agent/test_securitygroups_rpc.py
+++ b/neutron/tests/unit/agent/test_securitygroups_rpc.py
@@ -1001,7 +1001,7 @@ class SecurityGroupAgentEnhancedRpcTestCase(
                                         mock.call.defer_apply(),
                                         mock.call.remove_port_filter(
                                             self.fake_device),
-                                        ])
+                                        ], any_order=True)
 
     def test_security_groups_rule_updated_enhanced_rpc(self):
         sg_list = ['fake_sgid1', 'fake_sgid3']
@@ -1058,7 +1058,7 @@ class SecurityGroupAgentEnhancedRpcTestCase(
                  mock.call.update_port_filter(self.fake_device),
                  mock.call.process_trusted_ports([])]
 
-        self.firewall.assert_has_calls(calls)
+        self.firewall.assert_has_calls(calls, any_order=True)
 
     def test_refresh_firewall_devices_enhanced_rpc(self):
         self.agent.prepare_devices_filter(['fake_device'])
@@ -1081,7 +1081,7 @@ class SecurityGroupAgentEnhancedRpcTestCase(
                  mock.call.update_port_filter(self.fake_device),
                  mock.call.process_trusted_ports([]),
                  ]
-        self.firewall.assert_has_calls(calls)
+        self.firewall.assert_has_calls(calls, any_order=True)
 
     def test_refresh_firewall_none_enhanced_rpc(self):
         self.agent.refresh_firewall([])