ovs flows aren't cleaned up after switch to iptables firewall under high-load
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron | New | Undecided | Unassigned | | |
Bug Description
Seen on: newton devstack, ubuntu 16.04, firewall_
To emulate high load I cleared all quotas, created a security group A with ~4200 security group rules with remote_group_id pointing to security group B, and booted 2 VMs (one with secgroup A and another with secgroup B). Due to https:/
After the environment was "heavily loaded", the switch to the iptables firewall (and subsequent ovs-agent restart) didn't clean up the generated flows (23407 flows remained), although ovs-agent logs showed that the driver was changed http://
Also note that if you switch from openvswitch firewall driver to iptables firewall driver, then security groups won't work as existing instances won't have qbr but tap is plugged directly to br-int. Maybe we should document that migrations of firewalls are not supported yet.