I compared Zesty (bad) with Artful (good) and found that they issue more
or less the same commands to ebtables/iptables - just seem faster on the
newer release.
There is also no related change in src/util/virfirewall.c since then
that would make sense.
I found this on the Artful init:
debug : virFirewallValidateBackend:163 : Firewalld is registered ? -2
debug : virFirewallValidateBackend:171 : firewalld service not running, trying direct backend
debug : virFirewallValidateBackend:197 : found iptables/ip6tables/ebtables, using direct backend
debug : virCommandRunAsync:2459 : About to run /sbin/iptables -w -L -n
info : virFirewallCheckUpdateLock:127 : using locking for /sbin/iptables
debug : virCommandRunAsync:2459 : About to run /sbin/ip6tables -w -L -n
info : virFirewallCheckUpdateLock:127 : using locking for /sbin/ip6tables
debug : virCommandRunAsync:2459 : About to run /sbin/ebtables --concurrent -L
info : virFirewallCheckUpdateLock:127 : using locking for /sbin/ebtables
But that is the same on the slower Zesty.
Could it be that the tools got faster via some other change?
The only argument against that is that the build from git of the same version
as Zesty seemed fast. Although that could have been due to different levels of
isolation, as the service built from git e.g. does not apply all apparmor
profiles and such.
ebtables is almost the same version in all those releases, but there is one
change only in artful that sounds at least interesting.
  * Use real locking in ebtables (LP: #1645324)
    - Prior use of locking by file exclusive access is inadequate
      because if ebtables crashes or is killed it will leave a
      stale lock file behind which then blocks new ebtables from
      running.
As a trivial test I converted the libvirt log to a test script.
The exact commands depend a lot on the current state (obviously), so I had two
scripts.
But both were fast on both systems.
It almost seems like the "subcommand spawning" was slower in the older libvirt.
It is 100-300ms per command which on ~35 commands gets close to the ~10 seconds
we see.
On Artful that is more 2-8ms per call.
Need to analyze in that direction a bit more, but not today :-/
https://bugs.launchpad.net/bugs/1727366
Title:
virsh start/destroy is too slow after adding firewall rule
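As an added example (not part of the original comment or of libvirt): one way to measure the per-command spawn time discussed above directly from a libvirtd debug log, by taking the gap between consecutive `virCommandRunAsync` "About to run" lines for the firewall tools. It assumes each log line still carries libvirtd's timestamp and thread-id prefix, which the excerpt in the comment omits; `SAMPLE_LOG`, its timestamps and the `slow_ms` threshold are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumption: each line carries libvirtd's "<timestamp>+0000: <tid>: " prefix,
# which the excerpt in the comment has stripped.
RUN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\+\d{4}: \d+: "
    r"debug : virCommandRunAsync:\d+ : About to run (?P<cmd>.+)$"
)
FIREWALL_TOOLS = {"iptables", "ip6tables", "ebtables"}

def spawn_gaps(log_text):
    """Return [(command, ms until the next firewall command was spawned)]."""
    events = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue  # not a spawn line (e.g. the virFirewallCheckUpdateLock lines)
        cmd = m.group("cmd")
        if cmd.split()[0].rsplit("/", 1)[-1] not in FIREWALL_TOOLS:
            continue  # some other helper binary
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, cmd))
    # The last command has no successor, so it gets no gap.
    return [(cmd, (t1 - t0) // timedelta(milliseconds=1))
            for (t0, cmd), (t1, _) in zip(events, events[1:])]

def summarize(gaps, slow_ms=100):
    """Total time and the calls at or above slow_ms (hypothetical threshold)."""
    return {
        "commands": len(gaps),
        "total_ms": sum(ms for _, ms in gaps),
        "slow": [(cmd, ms) for cmd, ms in gaps if ms >= slow_ms],
    }

# Constructed sample; timestamps and thread id are made up for illustration.
SAMPLE_LOG = """\
2017-10-26 09:00:00.000+0000: 4242: debug : virCommandRunAsync:2459 : About to run /sbin/iptables -w -L -n
2017-10-26 09:00:00.001+0000: 4242: info : virFirewallCheckUpdateLock:127 : using locking for /sbin/iptables
2017-10-26 09:00:00.210+0000: 4242: debug : virCommandRunAsync:2459 : About to run /sbin/ip6tables -w -L -n
2017-10-26 09:00:00.215+0000: 4242: debug : virCommandRunAsync:2459 : About to run /sbin/ebtables --concurrent -L
2017-10-26 09:00:00.515+0000: 4242: debug : virCommandRunAsync:2459 : About to run /sbin/ebtables --concurrent -L
"""

if __name__ == "__main__":
    report = summarize(spawn_gaps(SAMPLE_LOG))
    print(report["commands"], "gaps,", report["total_ms"], "ms total")
    for cmd, ms in report["slow"]:
        print(f"{ms:5d} ms  {cmd}")
```

Each gap covers the command's own run time plus whatever the daemon does before spawning the next one, so comparing it with the same commands timed from a plain shell script separates tool time from spawn overhead.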