Comment 1 for bug 1194438

Raid (raid-chan) wrote :

Further investigation:

Looks like the default 'ingress' rule of the quantum security group uses the parameter '--remote_group_id' and points to itself; the description of this is: 'Selecting a security group as the source will allow any other instance in that security group access to any other instance via this rule.'

In this case, each port of every created instance that is assigned the same security group will be scanned and have its 'firewall rule' set refreshed when a new port is created along with the creation of a VM.

So in one scenario, in a large-scale cloud, hundreds of VMs are assigned the same security rule, and then the nightmare happens. Each time a new VM is created, hundreds of ports of the other existing VMs will be scanned and updated with hundreds of iptables rules (most of the rules allow access from the IPs of existing ports), and the whole process takes a very long time to complete. Furthermore, the network of the newly created VM will not be able to connect until the previous process completes, because the OVS agent sets the 'tag' and 'flow' for the newly created port after the existing ports have been updated.

Security Group:

+----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| description | default |
| id | 64b7a259-7f6b-4fa0-882d-c88ace616466 |
| name | default |
| security_group_rules | {"remote_group_id": "64b7a259-7f6b-4fa0-882d-c88ace616466", "direction": "ingress", "remote_ip_prefix": null, "protocol": null, "tenant_id": "25366638f5a049a280a120147f144e98", "port_range_max": null, "security_group_id": "64b7a259-7f6b-4fa0-882d-c88ace616466", "port_range_min": null, "ethertype": "IPv6", "id": "098aa157-7b59-453a-b647-3d330b17e749"} |
| | {"remote_group_id": null, "direction": "egress", "remote_ip_prefix": null, "protocol": null, "tenant_id": "25366638f5a049a280a120147f144e98", "port_range_max": null, "security_group_id": "64b7a259-7f6b-4fa0-882d-c88ace616466", "port_range_min": null, "ethertype": "IPv6", "id": "6b0f61bd-a8e0-467e-8a17-202b04f1ba37"} |
| | {"remote_group_id": null, "direction": "egress", "remote_ip_prefix": null, "protocol": null, "tenant_id": "25366638f5a049a280a120147f144e98", "port_range_max": null, "security_group_id": "64b7a259-7f6b-4fa0-882d-c88ace616466", "port_range_min": null, "ethertype": "IPv4", "id": "c2600520-86ee-43b0-9cb5-670fa0e80733"} |
| | {"remote_group_id": "64b7a259-7f6b-4fa0-882d-c88ace616466", "direction": "ingress", "remote_ip_prefix": null, "protocol": null, "tenant_id": "25366638f5a049a280a120147f144e98", "port_range_max": null, "security_group_id": "64b7a259-7f6b-4fa0-882d-c88ace616466", "port_range_min": null, "ethertype": "IPv4", "id": "e8503fcc-4748-4664-ba65-32dd6d230167"} |
| tenant_id | 25366638f5a049a280a120147f144e98 |
+----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Ingress iptables rules of one port:
-A quantum-openvswi-ibeba4279-4 -m state --state INVALID -j DROP
-A quantum-openvswi-ibeba4279-4 -m state --state RELATED,ESTABLISHED -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.46/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.34/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.33/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.43/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.52/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.37/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.39/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.2/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.29/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.48/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.25/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.22/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.44/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.30/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.23/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.24/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.16/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.17/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.27/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.5/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.49/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.45/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.36/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.6/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.50/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.47/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.31/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.28/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.41/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.35/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.32/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.21/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.20/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.51/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.38/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.18/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.15/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.19/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.4/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.40/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.42/32 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 112.168.0.2/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 122.168.0.2/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 112.168.0.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 122.168.0.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A quantum-openvswi-ibeba4279-4 -s 192.168.111.53/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A quantum-openvswi-ibeba4279-4 -j quantum-openvswi-sg-fallback
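The following is an added example, not code from Quantum or from the comment's author. It models the expansion described above: a rule whose remote_group_id points at its own group carries no IP prefix, so the only way to enforce it with iptables is to enumerate every member port's fixed IP as a separate '-s <ip>/32 -j RETURN' rule in every member's chain, which is exactly the shape of the chain listed above. The script builds those chains with a simplified algorithm (the real driver's internals are not reproduced; skipping the port's own IP is a modelling choice), provides a counter that can be run over real `iptables-save` output to confirm the symptom, and quantifies the rewrite work a single VM creation causes as group membership grows. The port IDs, IPs and DHCP server address are constructed sample data; only the security group id is taken from the comment.

```python
"""Model of the self-referencing remote_group_id expansion and its cost.

Added example, not Quantum's own code. Port IDs, IPs and the DHCP server
address are constructed; the security group id comes from the bug comment.
"""
import re

SG_ID = "64b7a259-7f6b-4fa0-882d-c88ace616466"   # from the comment
DHCP_SERVERS = ("192.168.111.3",)                 # constructed

# Constructed ports; the first id is chosen so that its chain name matches
# the 'quantum-openvswi-ibeba4279-4' chain shown in the comment.
SAMPLE_PORTS = {
    "beba4279-4f0c-4e1d-9f1a-000000000001": {"ip": "192.168.111.46", "sg": SG_ID},
    "c1d2e3f4-0000-4000-8000-000000000002": {"ip": "192.168.111.34", "sg": SG_ID},
    "d4e5f6a7-0000-4000-8000-000000000003": {"ip": "192.168.111.33", "sg": SG_ID},
    "ffffffff-0000-4000-8000-000000000004": {"ip": "10.0.0.9", "sg": "other-sg"},
}

MEMBER_RULE = re.compile(r"^-A (\S+) -s (\S+)/32 -j RETURN$")


def chain_name(port_id):
    """Per-port ingress chain: fixed prefix plus the first 10 chars of the port id."""
    return "quantum-openvswi-i" + port_id[:10]


def expand_ingress(ports, sg_id, dhcp_servers=DHCP_SERVERS):
    """Build the ingress chain for every port that belongs to sg_id.

    A rule with remote_group_id == sg_id has no IP prefix of its own, so it is
    enforced by enumerating every member's fixed IP: one RETURN rule per member.
    The port's own IP is skipped here (modelling choice, not necessarily what
    the real driver does).
    """
    members = [(pid, p["ip"]) for pid, p in ports.items() if p["sg"] == sg_id]
    chains = {}
    for pid, _ip in members:
        chain = chain_name(pid)
        rules = [
            f"-A {chain} -m state --state INVALID -j DROP",
            f"-A {chain} -m state --state RELATED,ESTABLISHED -j RETURN",
        ]
        rules += [f"-A {chain} -s {ip}/32 -j RETURN"
                  for other, ip in members if other != pid]
        rules += [f"-A {chain} -s {d}/32 -p udp -m udp --sport 67 --dport 68 -j RETURN"
                  for d in dhcp_servers]
        rules.append(f"-A {chain} -j quantum-openvswi-sg-fallback")
        chains[chain] = rules
    return chains


def render(chains):
    """Flatten the chains into iptables-save style text."""
    return "\n".join(r for rules in chains.values() for r in rules) + "\n"


def count_member_rules(iptables_save_text):
    """Count the per-member '-s <ip>/32 -j RETURN' rules in each chain.

    Run over real 'iptables-save' output this is the quick check for the
    symptom: every chain of a group with N members carries about N such rules.
    """
    counts = {}
    for line in iptables_save_text.splitlines():
        m = MEMBER_RULE.match(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def refresh_cost_on_add(n_existing):
    """Rewrite work when the (n_existing+1)-th member port is created.

    All n_existing old chains are rebuilt and one new chain is added; each now
    needs n_existing member rules, so the work per VM creation is quadratic.
    """
    chains_rebuilt = n_existing + 1
    return {"chains_rebuilt": chains_rebuilt,
            "member_rules_written": chains_rebuilt * n_existing}


def cumulative_cost(n_vms):
    """Member rules written while bringing up n_vms VMs one at a time (cubic)."""
    return sum(refresh_cost_on_add(n)["member_rules_written"] for n in range(n_vms))


if __name__ == "__main__":
    chains = expand_ingress(SAMPLE_PORTS, SG_ID)
    print(render(chains))
    print(count_member_rules(render(chains)))
    for n in (3, 100, 500):
        print(n, refresh_cost_on_add(n - 1), cumulative_cost(n))
```

For a group of 100 members the model has the 100th VM creation rewrite 100 chains with 99 member rules each, and bringing the whole group up one VM at a time writes on the order of 330,000 member rules in total, which is the growth the comment describes. To check a live node, pipe `iptables-save` into `count_member_rules` and compare the per-chain counts with the number of ports in the group.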