Vyos_command module slow with many commands

Priit · June 14, 2024, 9:12am

We’re using vyos_command module to deploy the whole firewall configuration each time we make a change to the configuration.
Basically we send the following with the module:

delete firewall
set firewall ...
set firewall ...
(at least 120 lines of set firewall ...)
commit
save

This causes about 45 seconds of processing, which is quite a long time.

I tried the same process manually in an ssh session and it took roughly 30 seconds, which is also quite long.

I then tried doing the same with merge using the vyos json configuration format:

delete firewall
commit
save

merge the-same-firewall-configuration-in-json-format.json
commit
save

just from the merge to saving finished it also took 17seconds, which is quite long, but definitely better.

Any ideas why the set commands (especially when using the vyos_command) are taking so long to apply and maybe ideas how to improve it?

I also noticed that CPU of the vyos is quite heavily utilized during all of these actions.

Viacheslav · June 14, 2024, 10:07am

This guy said that his module loads 1000 lines of config in 1 sec https://www.reddit.com/r/vyos/comments/152aurr/comment/jsj40ke/
But without examples of how to use it.

Apachez · June 14, 2024, 6:05pm

I might be missing something here but that guys code is published at:

gist.github.com

https://gist.github.com/chenxiaolong/fe949b37fa1e025533da02dfb1dbdfa4

example.yaml

---
- hosts: vyos
  vars:
    # This would ideally go in the host vars.
    vyos_config:
      # ...
      # The structure is identical to what `show configuration json pretty` in
      # operational mode produces. For the vast majority of VyOS commands, the
      # command <-> JSON translation is 1:1. For example, the command:
      #

This file has been truncated. show original

vyos_full_config.py

#!/usr/bin/python

# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License version 3 as published by the
# Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
# details.

This file has been truncated. show original

What his module seems to do is to aggregate all commands into a single script created locally on the VyOS box and then execute it.

However I doubt this would make like 1000 static routes to be able to get injected into VyOS due to the time static routes and firewall rules takes to get commited through vyos-configd (even when runned as a local script).

But he will avoid the overhead of sending one command at a time through ansible.

Could also be that once his script thats created locally runs it returns control to the client asynchronous which makes it from the client point of view look like you just sent 1000 routes/firewall entries and have them commited in 1 second while in fact it will take another 10 minutes before this locally created script will complete at the VyOS box.

talmakion · June 15, 2024, 2:29am

Just an idea, which you might’ve already considered - if you’re not doing bulk logic changes, you might be able to get away with a smaller playbook/tag-set that just updates groups or other appropriate logic components when they’re all you’re updating.

Additionally, depending on use case, vyos_config could be a lot faster than vyos_command. It performs an initial comparison and filters conf-mode commands that are already in place. The actual configure stage inside vyos_config also looks like it doesn’t wait for results on each entry, but queues up the effective set and checks results after the commit, avoiding the vyos_command execute->get result loop for each individual step.