On 08/13/2014 09:08 PM, Daniel P. Berrange wrote: > I'm practically certain that this is due to Fedora 20 using the > 'firewalld' daemon by default. The way libvirt talks to firewalld is > very inefficient (x18 slower than non-firewalld code path) and so > could easily explain the difference vs Ubuntu.
This is the case, many thanks for the analysis. There was some feeling that devstack should just disable firewalld and move on. Others felt that this was not a good idea. I think the following two changes are the best way forward: 1) afazekas's puppet change [1] to remove firewalld on jenkins slaves. As he points out, openstack documentation says that images "in general" images should disable firewalls and use os security groups [2], so this is consistent. also, of 3 images (hp, upstream and rax) only 1 (rax) has firewalld on. So it's not the common-case. 2) stop devstack if firewalld is found installed on f20 [3]. This uses a minimal code while avoiding both a silent "shields down" and anybody hitting this problem and having to debug it themselves all-over-again. The user can decide what's appropriate for them, and When F21 is around we can forget about this whole thing. infra-people; [1] will reduce the f20 run-time by about half, which can only help with moving changes along. -i [1] https://review.openstack.org/#/c/113884/ [2] http://docs.openstack.org/image-guide/content/ch_openstack_images.html [3] https://review.openstack.org/#/c/113856/ _______________________________________________ OpenStack-Infra mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
