yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1185049] Re: get_instances_security_groups_bindings in quatum sec group driver causes quantum client to timeout when there are a lot of ports

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Aaron Rosen <arosen@xxxxxxxxxx>
Date: Thu, 27 Jun 2013 21:51:09 -0000
Reply-to: Bug 1185049 <1185049@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

*** This bug is a duplicate of bug 1182730 ***
    https://bugs.launchpad.net/bugs/1182730

** This bug has been marked a duplicate of bug 1182730
   Optimize SecurityGroupsOutputController

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1185049

Title:
  get_instances_security_groups_bindings in quatum sec group driver
  causes quantum client to timeout when there are a lot of ports

Status in OpenStack Compute (Nova):
  New

Bug description:
  The security group API extension extends the server show command to
  add security group information via the _extend_servers() method.

      def _extend_servers(self, req, servers):
          # TODO(arosen) this function should be refactored to reduce duplicate
          # code and use get_instance_security_groups instead of get_db_instance.
          key = "security_groups"
          context = _authorize_context(req)
          if not openstack_driver.is_quantum_security_groups():
              for server in servers:
                  instance = req.get_db_instance(server['id'])
                  groups = instance.get(key)
                  if groups:
                      server[key] = [{"name": group["name"]} for group in groups]
          else:
              # If method is a POST we get the security groups intended for an
              # instance from the request. The reason for this is if using
              # quantum security groups the requested security groups for the
              # instance are not in the db and have not been sent to quantum yet.
              if req.method != 'POST':
                  sg_instance_bindings = (
                      self.security_group_api
                      .get_instances_security_groups_bindings(context))
                  for server in servers:
                      groups = sg_instance_bindings.get(server['id'])
                      if groups:
                          server[key] = groups
     
  In the case of Quantum the call to get_instances_security_groups_bindings() will try to get details of all ports visible to the tenant: 

      def get_instances_security_groups_bindings(self, context):
          """Returns a dict(instance_id, [security_groups]) to allow obtaining
          all of the instances and their security groups in one shot."""
          quantum = quantumv2.get_client(context)
          ports = quantum.list_ports().get('ports')
          security_groups = quantum.list_security_groups().get('security_groups')

  
  Where the tenant has admin rights, or even on a tenant with a large number of ports the unfiltered call to get list_ports() can result in such a large query that the client times out waiting for a response.

  Since this code is often made just in the context of a single
  instance, and the python client often makes a call to get instance
  details as part of other operations, it seems that the optimization of
  getting all ports and then mapping them to security groups needs to be
  re-considered.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1185049/+subscriptions