Recently, these messages have been noticed in both tempest
logs, as well as reported by downstream users syslog:
Set IPv4915d358d-2c5b-43b5-9862 is full, maxelem 65536 reached
So the default of 64K is not sufficient enough.
This change adds two config options to control both the number
of elements as well as the hashsize, since they should be
tuned together for best performance. Slightly different
formats were required for 'ipset create' and 'ipset restore'.
The default values for these are now set to 131072 (maxelem) and
2048 (hashsize), which is an increase over their typical default values
of 65536/1024 (respectively), in order to fix the errors seen in
the tempest tests.
DocImpact
Change-Id: Ic0b5b38a840e737dc6be938230f4052974c8620f
Closes-bug: #
1439817
# each rule's purpose. (System must support the iptables comments module.)
# comment_iptables_rules = True
+# Maximum number of elements which can be stored in an IPset.
+# If None is specified, the system default will be used.
+# ipset_maxelem = 131072
+
+# Initial hash size for an IPset. Must be a power of 2,
+# else the kernel will round it up automatically.
+# If None is specified, the system default will be used.
+# ipset_hashsize = 2048
+
# Use the root helper when listing the namespaces on a system. This may not
# be required depending on the security configuration. If the root helper is
# not required, set this to False for a performance improvement.
help=_("Add comments to iptables rules.")),
]
+IPSET_OPTS = [
+ cfg.IntOpt('ipset_maxelem', default=131072,
+ help=_("Maximum number of elements which can be stored in "
+ "an IPset. If None is specified, the system default "
+ "will be used.")),
+ cfg.IntOpt('ipset_hashsize', default=2048,
+ help=_("Initial hash size for an IPset. Must be a power of 2, "
+ "else the kernel will round it up automatically. If "
+ "None is specified, the system default will be used.")),
+]
+
PROCESS_MONITOR_OPTS = [
cfg.StrOpt('check_child_processes_action', default='respawn',
choices=['respawn', 'exit'],
conf.register_opts(IPTABLES_OPTS, 'AGENT')
+def register_ipset_opts(conf):
+ conf.register_opts(IPSET_OPTS, 'AGENT')
+
+
def register_process_monitor_opts(conf):
conf.register_opts(PROCESS_MONITOR_OPTS, 'AGENT')
# See the License for the specific language governing permissions and
# limitations under the License.
+from oslo_config import cfg
+
+from neutron.agent.common import config
from neutron.agent.linux import utils as linux_utils
from neutron.common import utils
def __init__(self, execute=None, namespace=None):
self.execute = execute or linux_utils.execute
self.namespace = namespace
+ config.register_ipset_opts(cfg.CONF)
self.ipset_sets = {}
@staticmethod
name = ethertype + id
return name[:IPSET_NAME_MAX_LENGTH]
+ @staticmethod
+ def get_hashargs():
+ args = []
+ if cfg.CONF.AGENT.ipset_hashsize:
+ args.extend(['hashsize', str(cfg.CONF.AGENT.ipset_hashsize)])
+ if cfg.CONF.AGENT.ipset_maxelem:
+ args.extend(['maxelem', str(cfg.CONF.AGENT.ipset_maxelem)])
+ return args
+
def set_exists(self, id, ethertype):
"""Returns true if the id+ethertype pair is known to the manager."""
set_name = self.get_name(id, ethertype)
def _refresh_set(self, set_name, member_ips, ethertype):
new_set_name = set_name + SWAP_SUFFIX
set_type = self._get_ipset_set_type(ethertype)
- process_input = ["create %s hash:ip family %s" % (new_set_name,
- set_type)]
+ hash_args = ' '.join(self.get_hashargs())
+ process_input = ["create %s hash:ip family %s %s" % (new_set_name,
+ set_type,
+ hash_args)]
for ip in member_ips:
process_input.append("add %s %s" % (new_set_name, ip))
def _create_set(self, set_name, ethertype):
cmd = ['ipset', 'create', '-exist', set_name, 'hash:ip', 'family',
self._get_ipset_set_type(ethertype)]
+ cmd.extend(self.get_hashargs())
self._apply(cmd)
self.ipset_sets[set_name] = []
# limitations under the License.
import mock
+from oslo_config import cfg
+from neutron.agent.common import config as a_cfg
from neutron.agent.linux import ipset_manager
from neutron.tests import base
class BaseIpsetManagerTest(base.BaseTestCase):
- def setUp(self):
+ def setUp(self, maxelem=None, hashsize=None):
super(BaseIpsetManagerTest, self).setUp()
+ cfg.CONF.register_opts(a_cfg.IPSET_OPTS, 'AGENT')
+ cfg.CONF.set_override('ipset_maxelem', maxelem, 'AGENT')
+ cfg.CONF.set_override('ipset_hashsize', hashsize, 'AGENT')
+ self.maxelem = maxelem
+ self.hashsize = hashsize
self.ipset = ipset_manager.IpsetManager()
self.execute = mock.patch.object(self.ipset, "execute").start()
self.expected_calls = []
self.execute.assert_has_calls(self.expected_calls, any_order=False)
def expect_set(self, addresses):
- temp_input = ['create IPv4fake_sgid-new hash:ip family inet']
+ hash_args = []
+ if self.hashsize:
+ hash_args.extend(['hashsize', str(self.hashsize)])
+ if self.maxelem:
+ hash_args.extend(['maxelem', str(self.maxelem)])
+ temp_input = ['create IPv4fake_sgid-new hash:ip family inet %s' %
+ ' '.join(hash_args)]
temp_input.extend('add IPv4fake_sgid-new %s' % ip for ip in addresses)
input = '\n'.join(temp_input)
self.expected_calls.extend([
run_as_root=True) for ip in addresses)
def expect_create(self):
+ ipset_call = ['ipset', 'create', '-exist', TEST_SET_NAME,
+ 'hash:ip', 'family', 'inet']
+ if self.hashsize:
+ ipset_call.extend(['hashsize', str(self.hashsize)])
+ if self.maxelem:
+ ipset_call.extend(['maxelem', str(self.maxelem)])
self.expected_calls.append(
- mock.call(['ipset', 'create', '-exist', TEST_SET_NAME,
- 'hash:ip', 'family', 'inet'],
+ mock.call(ipset_call,
process_input=None,
run_as_root=True))
class IpsetManagerTestCase(BaseIpsetManagerTest):
+ """Run all tests, but with maxelem/hashsize values not configured
+ """
+ def setUp(self):
+ super(IpsetManagerTestCase, self).setUp()
def test_set_exists(self):
self.add_first_ip()
self.expect_destroy()
self.ipset.destroy(TEST_SET_ID, ETHERTYPE)
self.verify_mock_calls()
+
+
+class IpsetManagerTestCaseHashArgs(IpsetManagerTestCase):
+ """Run all the above tests, but with maxelem/hashsize values configured
+ """
+ def setUp(self):
+ super(IpsetManagerTestCase, self).setUp(maxelem=131072, hashsize=2048)
Code Review / openstack-build / neutron-build.git / commitdiff