Optimize ipset usage in IptablesFirewallDriver

Currently, IptablesFirewallDriver._update_ipset_members() iterates
through a list of security group IDs and makes a call to
IpsetManager.set_members() for each security group ID in the list. The
problem is that set_members() is repeatedly called with the same
arguments over and over again because the list of security group IDs
contains duplicates. These duplicated calls are unnecessary because they
are idempotent.

For instance, with a security group of 50 rules created in this manner:

    neutron security-group-rule-create $SECGRP --remote_group_id $SECGRP \
        --protocol tcp --port_range_min $i --port_range_max $i

Adding a server to that security group will cause 50 calls to
IpsetManager.set_members() because the list of security group IDs is 50 of
the same ID. Only one call to IpsetManager.set_members() is necessary
per security group ID.

This patch converts that list of security group IDs into a set, which
eliminates the duplicate idempotent calls to
IpsetManager.set_members() with the same arguments. This will affect
performance by reducing the amount of file locking around ipset when
adding servers to security groups.

Change-Id: Id2c8c8c1093c8abcf1fd897b23b0358aeb55b526
Closes-Bug: 1466921