It looks like the default 'ingress' rule of the quantum security group uses the parameter '--remote_group_id' pointing to itself; the description of this is 'Selecting a security group as the source will allow any other instance in that security group access to any other instance via this rule.'
In this case, every port of every created instance that is assigned the same security group is scanned and given a refreshed 'firewall rule' set whenever a new port is created along with the creation of a VM.
So in one scenario, in a large-scale cloud where hundreds of VMs are assigned the same security group, the nightmare happens. Each time a new VM is created, the hundreds of ports of the other existing VMs are scanned and updated with hundreds of iptables rules (most of the rules allow access from the IPs of the existing ports), and the whole process takes a very long time to complete. Furthermore, the network of the newly created VM cannot connect until the previous process has completed, because the OVS agent sets the 'tag' and 'flow' for the newly created port only after the existing ports have been updated.
Further investigation:
Security Group:
+----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                | Value                                                                                                                                                                                                                                                                                                            |
+----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| description          | default                                                                                                                                                                                                                                                                                                          |
| id                   | 64b7a259-7f6b-4fa0-882d-c88ace616466                                                                                                                                                                                                                                                                             |
| name                 | default                                                                                                                                                                                                                                                                                                          |
| security_group_rules | {"remote_group_id": "64b7a259-7f6b-4fa0-882d-c88ace616466", "direction": "ingress", "remote_ip_prefix": null, "protocol": null, "tenant_id": "25366638f5a049a280a120147f144e98", "port_range_max": null, "security_group_id": "64b7a259-7f6b-4fa0-882d-c88ace616466", "port_range_min": null, "ethertype": "IPv6", "id": "098aa157-7b59-453a-b647-3d330b17e749"} |
|                      | {"remote_group_id": null, "direction": "egress", "remote_ip_prefix": null, "protocol": null, "tenant_id": "25366638f5a049a280a120147f144e98", "port_range_max": null, "security_group_id": "64b7a259-7f6b-4fa0-882d-c88ace616466", "port_range_min": null, "ethertype": "IPv6", "id": "6b0f61bd-a8e0-467e-8a17-202b04f1ba37"} |
|                      | {"remote_group_id": null, "direction": "egress", "remote_ip_prefix": null, "protocol": null, "tenant_id": "25366638f5a049a280a120147f144e98", "port_range_max": null, "security_group_id": "64b7a259-7f6b-4fa0-882d-c88ace616466", "port_range_min": null, "ethertype": "IPv4", "id": "c2600520-86ee-43b0-9cb5-670fa0e80733"} |
|                      | {"remote_group_id": "64b7a259-7f6b-4fa0-882d-c88ace616466", "direction": "ingress", "remote_ip_prefix": null, "protocol": null, "tenant_id": "25366638f5a049a280a120147f144e98", "port_range_max": null, "security_group_id": "64b7a259-7f6b-4fa0-882d-c88ace616466", "port_range_min": null, "ethertype": "IPv4", "id": "e8503fcc-4748-4664-ba65-32dd6d230167"} |
| tenant_id            | 25366638f5a049a280a120147f144e98                                                                                                                                                                                                                                                                                 |
+----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
ingress iptables rules of one port:
-A quantum-openvswi-ibeba4279-4 -m state --state INVALID -j DROP
-A quantum-openvswi-ibeba4279-4 -m state --state RELATED,ESTABLISHED -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.46/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.34/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.33/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.43/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.52/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.37/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.39/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.2/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.29/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.48/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.25/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.22/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.44/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.30/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.23/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.24/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.16/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.17/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.27/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.5/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.49/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.45/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.36/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.6/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.50/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.47/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.31/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.28/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.41/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.35/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.32/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.21/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.20/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.51/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.38/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.18/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.15/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.19/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.4/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.40/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.42/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 112.168.0.2/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 122.168.0.2/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 112.168.0.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 122.168.0.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.53/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A quantum-openvswi-ibeba4279-4 -j quantum-openvswi-sg-fallback
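The scaling behaviour described in this report, simulated as an added example (this is not code from the bug report or from Quantum itself). It expands a security group rule whose source is a group (remote_group_id) into one '-s <ip>/32 -j RETURN' line per member in every member port's ingress chain, in the layout of the listing above, and then diffs the chains before and after one more port joins the group: with the self-referencing rule every existing chain changes, with an equivalent remote_ip_prefix rule none does. Assumptions: chain naming follows the listing (prefix plus 'i' plus the first 10 characters of the port id); the port ids and addresses are constructed; the page does not show whether the agent leaves a port's own address out of the expansion, so the simulation keeps it in; the helper names (chain_name, expand_rule, ingress_chain, simulate_port_add) are mine.

```python
"""Simulation of remote_group_id rule expansion into per-port iptables
chains (added example; constructed data, not the agent's own code)."""
import ipaddress
from typing import Dict, List, Tuple

SG_ID = "64b7a259-7f6b-4fa0-882d-c88ace616466"   # the 'default' group shown above


def _rule(direction, ethertype, remote_group_id=None, remote_ip_prefix=None,
          protocol=None, port_range_min=None, port_range_max=None):
    # Same fields as the security_group_rules entries in the table above.
    return {"direction": direction, "ethertype": ethertype,
            "remote_group_id": remote_group_id,
            "remote_ip_prefix": remote_ip_prefix, "protocol": protocol,
            "port_range_min": port_range_min, "port_range_max": port_range_max,
            "security_group_id": SG_ID}


# The two self-referencing ingress rules of the 'default' group.
GROUP_SOURCE_RULES = [_rule("ingress", "IPv4", remote_group_id=SG_ID),
                      _rule("ingress", "IPv6", remote_group_id=SG_ID)]
# A CIDR-based alternative whose expansion does not depend on membership.
PREFIX_SOURCE_RULES = [_rule("ingress", "IPv4", remote_ip_prefix="192.168.111.0/24")]

# Constructed ports of the group: port id -> fixed IPv4 address.
SAMPLE_PORTS = {
    "beba4279-4c1d-4a0e-9f11-000000000001": "192.168.111.2",
    "0a1b2c3d-4e5f-4a6b-8c7d-000000000002": "192.168.111.3",
    "11111111-2222-4333-8444-000000000003": "192.168.111.4",
}


def chain_name(port_id: str, direction: str = "ingress") -> str:
    # Per-port chain as seen in the listing: prefix, 'i'/'o', first 10 chars of port id.
    prefix = {"ingress": "i", "egress": "o"}[direction]
    return "quantum-openvswi-" + prefix + port_id[:10]


def expand_rule(rule: dict, members: Dict[str, List[str]]) -> List[List[str]]:
    """Match arguments generated by one security group rule.
    remote_ip_prefix -> one entry; remote_group_id -> one entry per member
    address of the rule's ethertype; neither -> one unrestricted entry."""
    version = 4 if rule["ethertype"] == "IPv4" else 6
    base: List[str] = []
    if rule["protocol"]:
        base += ["-p", rule["protocol"], "-m", rule["protocol"]]
        lo, hi = rule["port_range_min"], rule["port_range_max"]
        if lo is not None:
            base += ["--dport", str(lo) if lo == hi else "%s:%s" % (lo, hi)]
    if rule["remote_ip_prefix"]:
        return [["-s", rule["remote_ip_prefix"]] + base]
    if rule["remote_group_id"]:
        ips = [ip for ip in members.get(rule["remote_group_id"], [])
               if ipaddress.ip_address(ip).version == version]
        return [["-s", "%s/%d" % (ip, 32 if version == 4 else 128)] + base
                for ip in sorted(ips, key=ipaddress.ip_address)]
    return [base]


def ingress_chain(port_id: str, sg_rules: list, members: Dict[str, List[str]]) -> List[str]:
    """Full ingress chain of one port, in the layout of the listing above."""
    chain = chain_name(port_id)
    lines = ["-A %s -m state --state INVALID -j DROP" % chain,
             "-A %s -m state --state RELATED,ESTABLISHED -j RETURN" % chain]
    for rule in sg_rules:
        if rule["direction"] == "ingress":
            for args in expand_rule(rule, members):
                lines.append(" ".join(["-A", chain] + args + ["-j", "RETURN"]))
    lines.append("-A %s -j quantum-openvswi-sg-fallback" % chain)
    return lines


def simulate_port_add(ports: Dict[str, str], new_port_id: str, new_ip: str,
                      sg_rules: list) -> Tuple[List[str], int]:
    """Return (existing port ids whose chain content changes, total rule
    lines across all chains) after one more port joins the group."""
    before = {p: ingress_chain(p, sg_rules, {SG_ID: list(ports.values())}) for p in ports}
    after_ports = {**ports, new_port_id: new_ip}
    members = {SG_ID: list(after_ports.values())}
    after = {p: ingress_chain(p, sg_rules, members) for p in after_ports}
    changed = sorted(p for p in ports if before[p] != after[p])
    return changed, sum(len(v) for v in after.values())


if __name__ == "__main__":
    new_id, new_ip = "ffffffff-0000-4000-8000-000000000004", "192.168.111.5"
    for label, rules in (("remote_group_id", GROUP_SOURCE_RULES),
                         ("remote_ip_prefix", PREFIX_SOURCE_RULES)):
        changed, total = simulate_port_add(SAMPLE_PORTS, new_id, new_ip, rules)
        print("%s: %d of %d existing chains rewritten, %d rule lines in total"
              % (label, len(changed), len(SAMPLE_PORTS), total))
```

With N member ports the group-sourced variant rewrites all N existing chains and each chain carries N source lines, so the work per port creation grows with N squared, which is the behaviour the listing above shows for one port; the prefix-sourced variant leaves existing chains untouched. The same comparison can be run with larger constructed port sets to see the growth.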