Re: [RFC] Faster libvirtd restart with nwfilter rules, one more time

nshirokovskiy Sun, 05 Apr 2020 23:31:25 -0700
ping

On 20.03.2020 12:25, nshirokovskiy wrote:
> Hi, all.                                                                      
>   
>                                                                               
>   
> Some time ago I posted RFC [1] concerning an issue of unresponsive            
>   
> libvird during restart if there is large number of VMs that have network      
>   
> filters on their interfaces. It was identified that in most cases we          
>   
> don't need actually to reinstall network filter rules on daemon restart.      
>   
> Thus I proposed patches [2] that check whether we need to reapply rules       
>   
> or not.                                                                       
>   
>                                                                               
>   
> The first version has a drawback that daemon won't reapply rules if           
>   
> someone mangled them between daemon stop and start (and this can be done      
>   
> just by restarting firewalld). The second one is just ugly :)                 
>   
>                                                                               
>   
> Around that time Florian Westphal in a letter off the mailing list            
>   
> suggested to use {iptables|ebtables}-restore to apply rules in one            
>   
> binary call. These binaries has --noflush option so that we won't reset       
>   
> current state of tables.  We also need one more -L call for                   
>   
> iptables/ebtables to query current filter state to be able to construct       
>   
> input for restore binaries.                                                   
>   
>                                                                               
>   
> I wonder can we use this approach? I see currently only one issue - we        
>   
> won't use firealld to spawn rules. But why we need to spawn rules             
>   
> through firewalld if it present? We use passthrough mode anyway. I tried      
>   
> to dig history for hints but didn't found anything. Patch [3] introduced      
>   
> spawning rules thru firewalld-cmd.                                            
>   
>                                                                               
>   
> Nikolay                                                                       
>   
>                                                                               
>   
> [1] [RFC] Faster libvirtd restart with nwfilter rules                         
>   
> https://www.redhat.com/archives/libvir-list/2018-September/msg01206.html      
>   
>                                                                               
>   
> [2] nwfilter: don't reinstantiate filters if they are not changed             
>   
> v1: https://www.redhat.com/archives/libvir-list/2018-October/msg00904.html    
>   
> v2: https://www.redhat.com/archives/libvir-list/2018-October/msg01317.html    
>   
>                                                                               
>   
> [3] network: use firewalld instead of iptables, when available                
>   
> v0: https://www.redhat.com/archives/libvir-list/2012-April/msg01236.html      
>   
> v1: https://www.redhat.com/archives/libvir-list/2012-August/msg00447.html     
>   
> ...                                                                           
>   
> v4: https://www.redhat.com/archives/libvir-list/2012-August/msg01097.html  
> 
>
Re: [RFC] Faster libvirtd restart with nwfilter rules, one more time

Reply via email to
