OVS agent: flush firewall rules for all deleted ports at once
authorOleg Bondarev <obondarev@mirantis.com>
Thu, 3 Sep 2015 12:13:25 +0000 (15:13 +0300)
committerOleg Bondarev <obondarev@mirantis.com>
Fri, 4 Sep 2015 11:50:45 +0000 (14:50 +0300)
In some cases, under high load, the OVS agent has to delete a large number of
ports during rpc_loop. remove_devices_filter() does iptables-save/restore
for IPv4 and IPv6, which is 4 system calls. It is very expensive and
inefficient to call it for each port individually.

Closes-Bug: #1491922
Change-Id: I4cfb2dfcef5088436c7aaae22c8f66e1ea052311

neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py

index dc707e85a4da942db961b56e2cb681e07841069a..a4cf41109186d49dca7d0f8f2abea1e8621b533c 100644 (file)
@@ -432,21 +432,24 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
         # they are already gone
         if 'removed' in port_info:
             self.deleted_ports -= port_info['removed']
+        deleted_ports = list(self.deleted_ports)
         while self.deleted_ports:
             port_id = self.deleted_ports.pop()
-            # Flush firewall rules and move to dead VLAN so deleted ports no
-            # longer have access to the network
-            self.sg_agent.remove_devices_filter([port_id])
             port = self.int_br.get_vif_port_by_id(port_id)
             self._clean_network_ports(port_id)
             self.ext_manager.delete_port(self.context,
                                          {"vif_port": port,
                                           "port_id": port_id})
+            # move to dead VLAN so deleted ports no
+            # longer have access to the network
             if port:
                 # don't log errors since there is a chance someone will be
                 # removing the port from the bridge at the same time
                 self.port_dead(port, log_errors=False)
             self.port_unbound(port_id)
+        # Flush firewall rules after ports are put on dead VLAN to be
+        # more secure
+        self.sg_agent.remove_devices_filter(deleted_ports)
 
     def tunnel_update(self, context, **kwargs):
         LOG.debug("tunnel_update received")
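Review bot: With the flush moved below the `while` loop, an exception raised inside the loop (from `get_vif_port_by_id`, `_clean_network_ports`, `ext_manager.delete_port` or `port_unbound`; whether they can raise is not visible here) would skip `remove_devices_filter` entirely, and the ports already popped from `self.deleted_ports` would not be retried, so their iptables rules could outlive the ports. Before this change each port's filter was removed before any other work on that port. Consider wrapping the loop in `try:` and moving the call into `finally: self.sg_agent.remove_devices_filter(deleted_ports)`, or collecting only the ids actually popped and flushing those. The comment "to be more secure" would also be clearer if it gave the reason, e.g. `# Flush once for the whole batch; ports still on the bridge are already on the dead VLAN, so stale rules pass no traffic`, which also makes visible that ports where `port` is falsy never get the dead-VLAN step. The enclosing method starts above the hunk.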