yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1552971] Re: [SRU] InstanceList.get_by_security_group_id can run very slow

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Sean Dague <sean@xxxxxxxxx>
Date: Fri, 16 Jun 2017 17:34:57 -0000
Reply-to: Bug 1552971 <1552971@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: nova/mitaka
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1552971

Title:
  [SRU] InstanceList.get_by_security_group_id can run very slow

Status in Ubuntu Cloud Archive:
  Invalid
Status in Ubuntu Cloud Archive liberty series:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) mitaka series:
  Fix Released

Bug description:
  [Impact]

   Backporting to Liberty Ubuntu Cloud Archive from Mitaka. The backport is
   fairly simple and clean with the exception of extra two unit tests that
   had to be ammended in order to work. The Liberty codebase still has the
   ec2 api code that is deprecated in Kilo and subsequently removed in Mitaka
   and there is a unit test for that api that was failing.

  [Test Case]

   * Deploy Openstack Liberty with this patch

   * Populate some security groups and create/delete some instances, checking
     that the security groups are functioning properly.

   * Run full Tempest test suite (rev 13.0.0) against deployed cloud.

  [Regression Potential]

   This patch has not received any testing with the ec2 api in future releases
   due the fact that that api is removed in M. Tempest did not find any errors
   when testing against L though so I not envisaging any regressions.
   
  ----------------------------------------------------------------------------

  The nova.objects.instance.InstanceList class's
  get_by_security_group_id function calls the db.security_group_get
  function, which uses the _security_group_get_query() function to
  generate a query object. That query, by default, joins with the
  secgroup-rules table, and currently the db.security_group_get function
  offers no option to avoid joining with the rules. As a result:

  If a group-source secgroup-rule exists on a security group with a
  large number of instances and a large number of rules, the db query
  result will be very large and take multiple seconds to complete, tying
  up conductor and making the system unresponsive.

  Since the InstanceList.get_by_security_group_id call only aims to
  build a list of instances, there is no need in this case to join with
  the rules, and so the db.security_group_get call should optionally
  avoid joining with the rules table.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1552971/+subscriptions

References

[Bug 1552971] [NEW] InstanceList.get_by_security_group_id can run very slow
From: Paul Griffin, 2016-03-04