From e09b128f416a809cd7734aba8ab52220ea01b2e2 Mon Sep 17 00:00:00 2001 From: Henning Eggers Date: Wed, 25 May 2022 11:17:43 +0200 Subject: [PATCH] Defer flow deletion in openvswitch firewall Reduces the deletion time of conjunction flows on hypervisors where virtual machines reside which are part of a security group that has remote security groups as target which contain thousands of ports. Without deferred deletion the agent will call ovs-ofctl several hundred times in succession, during this time the agent will block any new vm creation or neutron port modifications on this hypervisor. This patch has been tested using a single network with a single vm with a security group that points to a remote security group with 2000 ports. During testing without the patch, the iteration time for deletion was at around 500 seconds. After adding the patch to the l2 agent on the test environment the same deletion time went down to 4 seconds. Closes-Bug: #1975674 Change-Id: I46b1fe94b2e358f7f4b2cd4943a74ebaf84f51b8 --- neutron/agent/linux/openvswitch_firewall/firewall.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/neutron/agent/linux/openvswitch_firewall/firewall.py b/neutron/agent/linux/openvswitch_firewall/firewall.py index e5ada18a2ae..627b1c5d65b 100644 --- a/neutron/agent/linux/openvswitch_firewall/firewall.py +++ b/neutron/agent/linux/openvswitch_firewall/firewall.py @@ -1637,4 +1637,4 @@ class OVSFirewallDriver(firewall.FirewallDriver): # will not match with the ip flow's cookie so OVS won't actually # delete the flow flow['cookie'] = ovs_lib.COOKIE_ANY - self._delete_flows(deferred=False, **flow) + self._delete_flows(**flow)
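Review bot: In the changed call at the end of the hunk, `self._delete_flows(**flow)` now takes whatever default `_delete_flows` has for `deferred`, and that default is not visible in this hunk. If deferral is the intent, write `self._delete_flows(deferred=True, **flow)` so a later change to the default cannot silently bring back the slow path. Two more things to confirm before merging. First, the line above sets `flow['cookie'] = ovs_lib.COOKIE_ANY`, so the delete matches flows regardless of cookie. Once it is queued rather than applied immediately, its ordering relative to any flow additions in the same deferred batch matters, because a late-applied delete could remove a freshly installed flow with the same match. Second, since these are firewall flows, please state in the commit message or a comment how long a removed conjunction flow can stay installed before the deferred batch is applied, because until then the old rule keeps matching traffic. The diffstat lists only firewall.py, so a unit test asserting that this path goes through the deferred bridge would help guard against regression.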