0dbd35df1b
With a large number of instances and/or security group rules,
conntrack updates when ports are removed or rules are changed
can take a long time to process. By enqueuing these to a set
of worker threads, the agent can continue with other work while
they are processed in the background.
This is a change in behavior in the agent since it could
program a new set of security group rules before all existing
conntrack entries are deleted, but since the iptables or OVSfw
NAT rules will have been removed, it should not pose a
security issue.
Change-Id: Ibf858c7fdf7a822a30e4a0c4722d70fd272741b6
Closes-bug: #1745468
(cherry picked from commit 65a81623fc)
14 lines
488 B
YAML
---
prelude: >
    In order to reduce the time spent processing security group updates in
    the L2 agent, conntrack deletion is now performed in a set of worker
    threads instead of the main agent thread, so it can return to processing
    other events quickly.
upgrade:
  - |
    On an upgrade, conntrack entries will now be cleaned-up in a worker
    thread, instead of in the calling thread.
fixes:
  - |
    Fixes bug `1745468 <https://bugs.launchpad.net/neutron/+bug/1745468>`_.
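The pattern the commit message and release note describe, as an added sketch that is not neutron's own code: conntrack deletions are queued to worker threads so the caller returns at once, and a failed deletion is recorded instead of stopping the worker. The class name, the `run_cmd` callable, the argv layout and the sample IP and zone are assumptions made for illustration.

```python
import queue
import threading

class ConntrackWorkerPool:
    """Hypothetical helper: runs conntrack deletions off the caller's thread."""

    def __init__(self, run_cmd, workers=4):
        self._run_cmd = run_cmd      # callable taking an argv list (assumption)
        self._queue = queue.Queue()
        self.failed = []             # (argv, exception) for deletions that raised
        for _ in range(workers):
            threading.Thread(target=self._worker, daemon=True).start()

    def _worker(self):
        while True:
            argv = self._queue.get()
            try:
                self._run_cmd(argv)
            except Exception as exc:  # one bad delete must not kill the worker
                self.failed.append((argv, exc))
            finally:
                self._queue.task_done()

    def delete_entries_for_ip(self, ip, zone):
        """Enqueue deletes for flows from and to `ip`; returns immediately."""
        family = "ipv6" if ":" in ip else "ipv4"
        for direction in ("-s", "-d"):
            self._queue.put(["conntrack", "-D", "-f", family,
                             direction, ip, "-w", str(zone)])

    def wait(self):
        """Block until every queued deletion has been attempted."""
        self._queue.join()

def demo():
    gate, seen = threading.Event(), []

    def fake_run(argv):              # constructed stand-in for running conntrack
        gate.wait()                  # simulates a slow conntrack update
        seen.append(argv)

    pool = ConntrackWorkerPool(fake_run, workers=2)
    pool.delete_entries_for_ip("10.0.0.5", zone=7)  # constructed sample values
    before = len(seen)               # caller is back before any entry is deleted
    gate.set()
    pool.wait()
    return before, sorted(seen)

if __name__ == "__main__":
    print(demo())
```

`demo()` returns `before == 0`, which is the behavior change the commit message calls out: the caller continues while stale entries are still pending, and `wait()` is the point where a caller can confirm the queue has drained.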