yahoo-eng-team team mailing list archive

[Bug 1729741] Re: os-security-groups api call creates api call explosion to neutron

 

Reviewed:  https://review.openstack.org/517648
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=dc658dbdcf2325cf6f27d9ae61d85b835f8410f8
Submitter: Zuul
Branch:    master

commit dc658dbdcf2325cf6f27d9ae61d85b835f8410f8
Author: Matt Riedemann <mriedem.os@xxxxxxxxx>
Date:   Fri Nov 3 12:26:03 2017 -0400

    Avoid redundant security group queries in GET /servers/{id}/os-security-groups
    
    The GET /servers/{server_id}/os-security-groups API code can
    perform poorly if the instance has several security groups and
    each security group has several rules. This is because when processing
    the output, we loop over the groups, and loop over the rules per group,
    and then for each rule, if it has a group_id specified, we query
    the security group details (from Neutron in most cases).
    
    If more than one rule points at the same group_id, we're doing a redundant
    group lookup and sending more traffic to the security group API (aka Neutron)
    than needed.
    
    This change optimizes that single API to load the rule group details
    up front so that we only do at most one lookup per group_id.
    
    This could be extended to GET /os-security-groups but that API is
    deprecated so any optimization there is lower priority.
    
    Change-Id: Ia451429f61b15526fade6838386e562c17591d36
    Closes-Bug: #1729741


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1729741

Title:
  os-security-groups api call creates api call explosion to neutron

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) pike series:
  Confirmed

Bug description:
  1) create a security group
  2) create a bunch of security group rules which reference a security group instead of a CIDR e.g.
  openstack security group rule create --remote-group xxxxx-1123-xxxx-xxx-xxxxx

  
  When querying nova api /os-security-groups there will be an API call to neutron for each rule that has a remote group attached.

  In the logs you will see GET /v2.0/security-groups/xxxxx-1123-xxxx-xxx-xxxxx
  Creating rules with a CIDR does not have this issue.

  As you can imagine this will quickly get very slow.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1729741/+subscriptions
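
The lookup pattern reported in the bug and the up-front loading described in the commit message, side by side, as an added Python example that is not nova's code. The class, function names and sample data are hypothetical and constructed for illustration; the counter stands in for requests sent to the security group API.

```python
# Added illustration, not nova's code. Every name below is hypothetical.

class CountingGroupAPI:
    """Stand-in for the security group API (Neutron); counts lookups made."""

    def __init__(self, groups_by_id):
        self._groups = groups_by_id
        self.calls = 0

    def get(self, group_id):
        self.calls += 1  # models one GET /v2.0/security-groups/{group_id}
        return self._groups[group_id]

def _row(group, rule, remote_name):
    return (group["id"], rule["id"], remote_name, rule.get("cidr"))

def format_per_rule(api, groups):
    """Pattern from the bug report: one lookup for every rule with a group_id."""
    rows = []
    for group in groups:
        for rule in group["rules"]:
            gid = rule.get("group_id")
            rows.append(_row(group, rule, api.get(gid)["name"] if gid else None))
    return rows

def format_prefetched(api, groups):
    """Pattern from the commit message: load each distinct group_id once, up front."""
    wanted = {r["group_id"] for g in groups for r in g["rules"] if r.get("group_id")}
    cache = {gid: api.get(gid) for gid in sorted(wanted)}
    return [_row(g, r, cache[r["group_id"]]["name"] if r.get("group_id") else None)
            for g in groups for r in g["rules"]]

# Constructed sample data: two groups on one instance, five rules in total.
REMOTE = {"remote-1": {"name": "web"}, "remote-2": {"name": "db"}}
GROUPS = [
    {"id": "sg-a", "rules": [{"id": "r1", "group_id": "remote-1"},
                             {"id": "r2", "group_id": "remote-1"},
                             {"id": "r3", "group_id": "remote-2"},
                             {"id": "r4", "cidr": "10.0.0.0/24"}]},
    {"id": "sg-b", "rules": [{"id": "r5", "group_id": "remote-1"}]},
]

def compare():
    """Return (per-rule lookups, prefetched lookups, outputs identical)."""
    naive_api, fast_api = CountingGroupAPI(REMOTE), CountingGroupAPI(REMOTE)
    same = format_per_rule(naive_api, GROUPS) == format_prefetched(fast_api, GROUPS)
    return naive_api.calls, fast_api.calls, same
```

The per-rule count grows with the number of rules that carry a group_id, while the prefetched count is bounded by the number of distinct group_id values.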

