yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1851430] Re: Slow metadata API performance with security groups that have a lot of rules

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1851430@xxxxxxxxxxxxxxxxxx>
Date: Thu, 14 Nov 2019 21:58:10 -0000
Reply-to: Bug 1851430 <1851430@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/656084
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=eaf16fdde59a14fb38df669b21a911a0c2d2576f
Submitter: Zuul
Branch:    master

commit eaf16fdde59a14fb38df669b21a911a0c2d2576f
Author: Doug Wiegley <dwiegley@xxxxxxxxxxxxxx>
Date:   Tue Nov 5 17:29:11 2019 -0500

    Improve metadata server performance with large security groups
    
    Don't include the rules in the SG fetch in the metadata server, since
    we don't need them there, and with >1000 rules, it starts to get
    really slow, especially in Pike and later.
    
    Closes-Bug: #1851430
    
    Co-Authored-By: Doug Wiegley <dougwig@xxxxxxxxxxx>
    Co-Authored-By: Matt Riedemann <mriedem.os@xxxxxxxxx>
    
    Change-Id: I7de14456d04370c842b4c35597dca3a628a826a2


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1851430

Title:
  Slow metadata API performance with security groups that have a lot of
  rules

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) pike series:
  Confirmed
Status in OpenStack Compute (nova) queens series:
  Confirmed
Status in OpenStack Compute (nova) rocky series:
  Confirmed
Status in OpenStack Compute (nova) stein series:
  Confirmed
Status in OpenStack Compute (nova) train series:
  Confirmed

Bug description:
  This was reported here without a bug:

  https://review.opendev.org/#/c/656084/

  The EC2 metadata API response includes a 'security-groups' key that is
  a list of security group names attached to the instance.

  The problem is for each security group attached to the instance, if
  the group has a lot of rules on it, it can be expensive to query
  (join) that information from neutron, especially if we don't care
  about the rules.

  By default, listing security groups includes the rules in the
  response:

  https://docs.openstack.org/api-ref/network/v2/index.html?expanded
  =list-security-groups-detail#list-security-groups

  For the purpose of the EC2 metadata API, we should just query security
  groups for their names.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1851430/+subscriptions

References

[Bug 1851430] [NEW] slow metadata performance with security groups that have a lot of rules
From: Matt Riedemann, 2019-11-05