Public bug reported:
Summary: 40 VMs are created and then deleted on the same host. At the end of
this, I find that iptables rules for some ports are not cleaned up, and remain
as garbage. This garbage keeps piling up, as more VMs are created and deleted.
Topology:
Neutron Network using OVS & neutron security groups.
Test Case:
1) create 1 network, 1 subnetwork
2) boot 40 VMs on one hypervisor and 40 VMs on another
hypervisor using the default Security Group
3) Run some traffic tests between VMs
4) delete all VMs
Result:
Find that iptables rules are not cleaned up for the ports of
the VMs
Root Cause:
In the neutron-ovs-agent polling loop, there is an exception
during the processing of port events.
As a result of this exception, the neutron-ovs-agent resyncs
with plugin. This takes a while. At the same
time, VM ports are getting deleted. In this scenario, the
neutron-ovs-agent "misses" some deleted ports, and
does not clean up SG filters for those "missed" ports.
Reproducibility:
Happens almost every time. With a larger number of VMs, it
is more likely.
Logs:
Attached are a set of neutron-ovs-agent logs, and the
garbage iptables rules that remain.
** Affects: neutron
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1489200
Title:
Upon VM deletes, SG iptables not cleaned up, garbage piles up
Status in neutron:
New
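An added example (not part of the original bug report or of neutron's code): a check that lists the iptables lines left behind for ports whose tap device no longer exists on the host. It assumes the iptables firewall driver's naming (`tapXXXXXXXX-XX` devices and `neutron-openvswi-[ios]<port-id prefix>` chains), and the sample `iptables-save` text is constructed.

```python
import os
import re
from collections import defaultdict

# Assumption: tap device = "tap" + first 11 characters of the port UUID.
TAP_RE = re.compile(r"\btap[0-9a-f]{8}-[0-9a-f]{2}\b")
# Assumption: per-port chain = prefix + i/o/s + first 10 characters of the port UUID.
CHAIN_RE = re.compile(r"neutron-openvswi-[ios]([0-9a-f]{8}-[0-9a-f])\b")

# Constructed sample of `iptables-save` output (not taken from the bug's attachments).
SAMPLE = """\
*filter
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-i1a2b3c4d-5 - [0:0]
:neutron-openvswi-o1a2b3c4d-5 - [0:0]
:neutron-openvswi-i9f8e7d6c-0 - [0:0]
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap1a2b3c4d-5e --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap1a2b3c4d-5e --physdev-is-bridged -j neutron-openvswi-i1a2b3c4d-5
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap9f8e7d6c-0b --physdev-is-bridged -j neutron-openvswi-i9f8e7d6c-0
COMMIT
"""


def live_tap_devices(sysfs="/sys/class/net"):
    """Return the tap interfaces that currently exist on this host."""
    return {name for name in os.listdir(sysfs) if name.startswith("tap")}


def find_orphans(save_text, live_taps):
    """Map each port-id prefix with no live tap device to its leftover lines."""
    live_prefixes = {tap[3:13] for tap in live_taps}
    orphans = defaultdict(list)
    for line in save_text.splitlines():
        # A line may name the port through its tap device, its chain, or both.
        keys = {tap[3:13] for tap in TAP_RE.findall(line)}
        keys |= set(CHAIN_RE.findall(line))
        for key in keys - live_prefixes:
            orphans[key].append(line)
    return dict(orphans)


if __name__ == "__main__":
    # In the sample, only the port behind tap9f8e7d6c-0b still exists.
    for prefix, lines in find_orphans(SAMPLE, {"tap9f8e7d6c-0b"}).items():
        print(f"port {prefix}*: {len(lines)} leftover line(s)")
        for line in lines:
            print("   ", line)
```

On a compute node, pass the real `iptables-save` output and `live_tap_devices()`. A port that is mid-deletion can show up briefly, so only entries that persist across several agent polling intervals indicate the leak described in this report.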