yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1851430] [NEW] slow metadata performance with security groups that have a lot of rules

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Matt Riedemann <mriedem.os@xxxxxxxxx>
Date: Tue, 05 Nov 2019 20:34:47 -0000
Reply-to: Bug 1851430 <1851430@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

This was reported here without a bug:

https://review.opendev.org/#/c/656084/

The EC2 metadata API response includes a 'security-groups' key that is a
list of security group names attached to the instance.

The problem is for each security group attached to the instance, if the
group has a lot of rules on it, it can be expensive to query (join) that
information from neutron, especially if we don't care about the rules.

By default, listing security groups includes the rules in the response:

https://docs.openstack.org/api-ref/network/v2/index.html?expanded=list-
security-groups-detail#list-security-groups

For the purpose of the EC2 metadata API, we should just query security
groups for their names.

** Affects: nova
     Importance: Medium
         Status: Confirmed


** Tags: api metadata neutron performance

** Changed in: nova
   Importance: Undecided => Medium

** Changed in: nova
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1851430

Title:
  slow metadata performance with security groups that have a lot of
  rules

Status in OpenStack Compute (nova):
  Confirmed

Bug description:
  This was reported here without a bug:

  https://review.opendev.org/#/c/656084/

  The EC2 metadata API response includes a 'security-groups' key that is
  a list of security group names attached to the instance.

  The problem is for each security group attached to the instance, if
  the group has a lot of rules on it, it can be expensive to query
  (join) that information from neutron, especially if we don't care
  about the rules.

  By default, listing security groups includes the rules in the
  response:

  https://docs.openstack.org/api-ref/network/v2/index.html?expanded
  =list-security-groups-detail#list-security-groups

  For the purpose of the EC2 metadata API, we should just query security
  groups for their names.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1851430/+subscriptions

Follow ups

[Bug 1851430] Fix included in openstack/nova queens-eol
From: OpenStack Infra, 2022-11-11
[Bug 1851430] Fix included in openstack/nova pike-eol
From: OpenStack Infra, 2022-08-01
[Bug 1851430] Re: Slow metadata API performance with security groups that have a lot of rules
From: OpenStack Infra, 2019-11-14
[Bug 1851430] Re: slow metadata performance with security groups that have a lot of rules
From: Matt Riedemann, 2019-11-05