neutron/neutron
Kevin Benton fb55693713 Use diffs for iptables restore instead of all rules
This patch changes our iptables logic to generate a delta of
iptables commands (inserts + deletes) to get from the current
iptables state to the new state. This will significantly reduce
the amount of data that we have to shell out to iptables-restore
on every call (and reduce the amount of data iptables-restore has
to parse).

We no longer have to worry about preserving counters since
we are adding and deleting specific rules, so the rule modification
code got a nice cleanup to get rid of the old rule matching.

This also gives us a new method of functionally testing that we are
generating rules in the correct manner. After applying new rules
once, a subsequent call should always have no work to do. The new
functional tests added leverage that property heavily and should
protect us from regressions in how rules are formed.


Performance metrics relative to HEAD~1:
+====================================+============+=======+
|               Scenario             | This patch | HEAD~1|
|------------------------------------|------------|-------|
| 200 VMs*22 rules existing - startup|            |       |
|                       _modify_rules|   0.67s    | 1.05s |
|                 _apply_synchronized|   1.87s    | 2.89s |
|------------------------------------|------------|-------|
| 200 VMs*22 rules existing - add VM |            |       |
|                       _modify_rules|   0.68s    | 1.05s |
|                 _apply_synchronized|   2.07s    | 2.92s |
|------------------------------------|------------|-------|
|200 VMs*422 rules existing - startup|            |       |
|                       _modify_rules|   5.43s    | 8.17s |
|                 _apply_synchronized|  12.77s    |28.00s |
|------------------------------------|------------|-------|
|200 VMs*422 rules existing - add VM |            |       |
|                       _modify_rules|   6.41s    | 8.33s |
|                 _apply_synchronized|  33.09s    |33.80s |
+------------------------------------+------------+-------+

The _apply_synchronized times seem to converge when dealing
with ~85k rules. In the profile I can see that both approaches
seem to wait on iptables-restore for approximately the same
amount of time so it could be hitting the performance limits
of iptables-restore.

DocImpact
Partial-Bug: #1502297
Change-Id: Ia6470c85b6b71979006ffe5da9095fdcce3122c1
(cherry picked from commit f066e46bb7)
2015-12-09 15:55:17 +00:00
agent Use diffs for iptables restore instead of all rules 2015-12-09 15:55:17 +00:00
api Ensure l3 agent receives notification about added router 2015-12-03 15:17:50 +03:00
callbacks Merge "Add support for PluginWorker and Process creation notification" 2015-09-04 05:02:52 +00:00
cmd usage_audit: Fix usage_audit to work with ML2 2015-10-02 15:59:19 +00:00
common Merge "Add the missing arg of RetryRequest exception in _lock_subnetpool" into stable/liberty 2015-12-01 01:43:39 +00:00
core_extensions Forbid attaching rules if policy isn't accessible 2015-08-12 09:52:33 +00:00
db Merge "DVR:don't reschedule the l3 agent running on compute node" into stable/liberty 2015-12-09 13:08:01 +00:00
debug Deprecate external_network_bridge option in L3 agent 2015-09-01 20:41:54 -07:00
extensions Fix default RBAC policy quota 2015-12-03 23:34:30 -08:00
hacking Restructure agent code in preparation for decomp 2015-06-26 15:06:49 +00:00
ipam Add the missing arg of RetryRequest exception in _lock_subnetpool 2015-11-27 13:11:00 +00:00
locale Imported Translations from Zanata 2015-11-01 06:13:30 +00:00
notifiers Remove hack for discovery novaclients extension 2015-09-09 14:35:26 +00:00
objects No network devices on network attached qos policies 2015-09-16 15:11:04 +02:00
openstack Switch to the oslo_utils.fileutils 2015-07-15 08:09:26 +03:00
pecan_wsgi Fix the bug of "Spelling error of a word" 2015-10-16 11:40:21 +00:00
plugins Merge "Lower l2pop "isn't bound to any segement" log to debug" into stable/liberty 2015-12-08 05:35:28 +00:00
quota Merge "docstring fix" 2015-09-14 18:36:55 +00:00
scheduler Add transaction for setting agent_id in L3HARouterAgentPortBinding 2015-11-17 08:18:37 +00:00
server Merge "Introduce a separate RPC server" into feature/pecan 2015-09-18 16:58:54 +00:00
services Mock oslo policy HTTPCheck instead of urllib 2015-10-13 17:26:23 +02:00
tests Use diffs for iptables restore instead of all rules 2015-12-09 15:55:17 +00:00
__init__.py Allow users to run 'tox -epy34' 2015-05-11 16:09:51 +02:00
auth.py Migrate to oslo.log 2015-03-12 11:22:56 +01:00
context.py Add DB support for resource usage tracking 2015-07-26 15:26:10 -07:00
i18n.py
manager.py Mock oslo policy HTTPCheck instead of urllib 2015-10-13 17:26:23 +02:00
neutron_plugin_base_v2.py Add support for PluginWorker and Process creation notification 2015-09-03 06:40:50 +00:00
policy.py Mock oslo policy HTTPCheck instead of urllib 2015-10-13 17:26:23 +02:00
service.py Add support for PluginWorker and Process creation notification 2015-09-03 06:40:50 +00:00
version.py
worker.py Add support for PluginWorker and Process creation notification 2015-09-03 06:40:50 +00:00
wsgi.py Add support for PluginWorker and Process creation notification 2015-09-03 06:40:50 +00:00