neutron/neutron/tests
Kevin Benton fb55693713 Use diffs for iptables restore instead of all rules
This patch changes our iptables logic to generate a delta of
iptables commands (inserts + deletes) to get from the current
iptables state to the new state. This will significantly reduce
the amount of data that we have to shell out to iptables-restore
on every call (and reduce the amount of data iptables-restore has
to parse).

We no longer have to worry about preserving counters since
we are adding and deleting specific rules, so the rule modification
code got a nice cleanup to get rid of the old rule matching.

This also gives us a new method of functionally testing that we are
generating rules in the correct manner. After applying new rules
once, a subsequent call should always have no work to do. The new
functional tests added leverage that property heavily and should
protect us from regressions in how rules are formed.


Performance metrics relative to HEAD~1:
+====================================+============+=======+
|               Scenario             | This patch | HEAD~1|
|------------------------------------|------------|-------|
| 200 VMs*22 rules existing - startup|            |       |
|                       _modify_rules|   0.67s    | 1.05s |
|                 _apply_synchronized|   1.87s    | 2.89s |
|------------------------------------|------------|-------|
| 200 VMs*22 rules existing - add VM |            |       |
|                       _modify_rules|   0.68s    | 1.05s |
|                 _apply_synchronized|   2.07s    | 2.92s |
|------------------------------------|------------|-------|
|200 VMs*422 rules existing - startup|            |       |
|                       _modify_rules|   5.43s    | 8.17s |
|                 _apply_synchronized|  12.77s    |28.00s |
|------------------------------------|------------|-------|
|200 VMs*422 rules existing - add VM |            |       |
|                       _modify_rules|   6.41s    | 8.33s |
|                 _apply_synchronized|  33.09s    |33.80s |
+------------------------------------+------------+-------+

The _apply_synchronized times seem to converge when dealing
with ~85k rules. In the profile I can see that both approaches
seem to wait on iptables-restore for approximately the same
amount of time so it could be hitting the performance limits
of iptables-restore.

DocImpact
Partial-Bug: #1502297
Change-Id: Ia6470c85b6b71979006ffe5da9095fdcce3122c1
(cherry picked from commit f066e46bb7)
2015-12-09 15:55:17 +00:00
api Fix default RBAC policy quota 2015-12-03 23:34:30 -08:00
common Make fullstack test_connectivity tests more forgiving 2015-11-27 13:31:26 +00:00
contrib Merge "Fixed filters for functional tests" 2015-09-08 22:40:52 +00:00
etc Get rid of ConfigParser code in ProviderConfiguration 2015-09-21 10:55:56 -07:00
fullstack Make fullstack test_connectivity tests more forgiving 2015-11-27 13:31:26 +00:00
functional Use diffs for iptables restore instead of all rules 2015-12-09 15:55:17 +00:00
retargetable Remove lingering traces of q_ 2015-07-07 17:04:44 -04:00
tempest Use tempest-lib's token_client 2015-09-16 10:08:50 +00:00
unit Use diffs for iptables restore instead of all rules 2015-12-09 15:55:17 +00:00
var Allow combined certificate/key files for SSL 2014-04-13 09:22:23 +00:00
__init__.py Add eventlet monkey_patch helper 2015-03-24 08:44:00 -07:00
base.py Add tunneling support to full stack tests 2015-09-10 14:30:21 +00:00
fake_notifier.py Pass serializer to oslo.messaging Notifier 2014-06-20 14:58:28 +02:00
post_mortem_debug.py Cleanup recent generalization in post mortem debugger 2014-12-04 15:28:11 +01:00
tools.py test_db_base_plugin_v2: Skip a few tests on some platforms 2015-11-02 17:29:16 +01:00