yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1552971] [NEW] InstanceList.get_by_security_group_id can run very slow

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Paul Griffin <paul.griffin@xxxxxxxxxxx>
Date: Thu, 03 Mar 2016 23:57:43 -0000
Reply-to: Bug 1552971 <1552971@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

The nova.objects.instance.InstanceList class's get_by_security_group_id
function calls the db.security_group_get function, which uses the
_security_group_get_query() function to generate a query object. That
query, by default, joins with the secgroup-rules table, and currently
the db.security_group_get function offers no option to avoid joining
with the rules. As a result:

If a security group exists with a large number of instances and a large
number of rules, the db query result will be very large and take
multiple seconds to complete, tying up conductor and making the system
unresponsive.

Since the InstanceList.get_by_security_group_id call only aims to build
a list of instances, there is no need in this case to join with the
rules, and so the db.security_group_get call should optionally avoid
joining with the rules table.

** Affects: nova
     Importance: Undecided
     Assignee: Paul Griffin (paul-griffin)
         Status: New

** Changed in: nova
     Assignee: (unassigned) => Paul Griffin (paul-griffin)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1552971

Title:
  InstanceList.get_by_security_group_id can run very slow

Status in OpenStack Compute (nova):
  New

Bug description:
  The nova.objects.instance.InstanceList class's
  get_by_security_group_id function calls the db.security_group_get
  function, which uses the _security_group_get_query() function to
  generate a query object. That query, by default, joins with the
  secgroup-rules table, and currently the db.security_group_get function
  offers no option to avoid joining with the rules. As a result:

  If a security group exists with a large number of instances and a
  large number of rules, the db query result will be very large and take
  multiple seconds to complete, tying up conductor and making the system
  unresponsive.

  Since the InstanceList.get_by_security_group_id call only aims to
  build a list of instances, there is no need in this case to join with
  the rules, and so the db.security_group_get call should optionally
  avoid joining with the rules table.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1552971/+subscriptions

Follow ups

[Bug 1552971] Re: [SRU] InstanceList.get_by_security_group_id can run very slow
From: Sean Dague, 2017-06-16
[Bug 1552971] Re: [SRU] InstanceList.get_by_security_group_id can run very slow
From: James Page, 2017-03-28
[Bug 1552971] Re: [SRU] InstanceList.get_by_security_group_id can run very slow
From: James Page, 2017-03-28
[Bug 1552971] Re: InstanceList.get_by_security_group_id can run very slow
From: Chuck Short, 2017-03-09
[Bug 1552971] Re: InstanceList.get_by_security_group_id can run very slow
From: Edward Hope-Morley, 2017-03-09
[Bug 1552971] Re: InstanceList.get_by_security_group_id can run very slow
From: OpenStack Infra, 2016-08-13
[Bug 1552971] Re: InstanceList.get_by_security_group_id can run very slow
From: Matt Riedemann, 2016-08-10