[RFC] Faster libvirtd restart with nwfilter rules, one more time

nshirokovskiy nshirokovskiy at virtuozzo.com
Mon Apr 6 06:30:41 UTC 2020 

ping

On 20.03.2020 12:25, nshirokovskiy wrote:
> Hi, all.                                                                        
>                                                                                 
> Some time ago I posted RFC [1] concerning an issue of unresponsive              
> libvird during restart if there is large number of VMs that have network        
> filters on their interfaces. It was identified that in most cases we            
> don't need actually to reinstall network filter rules on daemon restart.        
> Thus I proposed patches [2] that check whether we need to reapply rules         
> or not.                                                                         
>                                                                                 
> The first version has a drawback that daemon won't reapply rules if             
> someone mangled them between daemon stop and start (and this can be done        
> just by restarting firewalld). The second one is just ugly :)                   
>                                                                                 
> Around that time Florian Westphal in a letter off the mailing list              
> suggested to use {iptables|ebtables}-restore to apply rules in one              
> binary call. These binaries has --noflush option so that we won't reset         
> current state of tables.  We also need one more -L call for                     
> iptables/ebtables to query current filter state to be able to construct         
> input for restore binaries.                                                     
>                                                                                 
> I wonder can we use this approach? I see currently only one issue - we          
> won't use firealld to spawn rules. But why we need to spawn rules               
> through firewalld if it present? We use passthrough mode anyway. I tried        
> to dig history for hints but didn't found anything. Patch [3] introduced        
> spawning rules thru firewalld-cmd.                                              
>                                                                                 
> Nikolay                                                                         
>                                                                                 
> [1] [RFC] Faster libvirtd restart with nwfilter rules                           
> https://www.redhat.com/archives/libvir-list/2018-September/msg01206.html        
>                                                                                 
> [2] nwfilter: don't reinstantiate filters if they are not changed               
> v1: https://www.redhat.com/archives/libvir-list/2018-October/msg00904.html      
> v2: https://www.redhat.com/archives/libvir-list/2018-October/msg01317.html      
>                                                                                 
> [3] network: use firewalld instead of iptables, when available                  
> v0: https://www.redhat.com/archives/libvir-list/2012-April/msg01236.html        
> v1: https://www.redhat.com/archives/libvir-list/2012-August/msg00447.html       
> ...                                                                             
> v4: https://www.redhat.com/archives/libvir-list/2012-August/msg01097.html  
> 
>

More information about the libvir-list mailing list