[Bug 1552971] Re: [SRU] InstanceList.get_by_security_group_id can run very slow

Tue Mar 28 14:48:13 UTC 2017

The verification of the Stable Release Update for nova has completed
successfully and the package has now been released to -updates. In the
event that you encounter a regression using the package from -updates
please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.

** Changed in: cloud-archive
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1552971

Title:
  [SRU] InstanceList.get_by_security_group_id can run very slow

Status in Ubuntu Cloud Archive:
  Invalid
Status in Ubuntu Cloud Archive liberty series:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) mitaka series:
  Fix Committed

Bug description:
  [Impact]

   Backporting to Liberty Ubuntu Cloud Archive from Mitaka. The backport is
   fairly simple and clean with the exception of extra two unit tests that
   had to be ammended in order to work. The Liberty codebase still has the
   ec2 api code that is deprecated in Kilo and subsequently removed in Mitaka
   and there is a unit test for that api that was failing.

  [Test Case]

   * Deploy Openstack Liberty with this patch

   * Populate some security groups and create/delete some instances, checking
     that the security groups are functioning properly.

   * Run full Tempest test suite (rev 13.0.0) against deployed cloud.

  [Regression Potential]

   This patch has not received any testing with the ec2 api in future releases
   due the fact that that api is removed in M. Tempest did not find any errors
   when testing against L though so I not envisaging any regressions.

  ----------------------------------------------------------------------------

  The nova.objects.instance.InstanceList class's
  get_by_security_group_id function calls the db.security_group_get
  function, which uses the _security_group_get_query() function to
  generate a query object. That query, by default, joins with the
  secgroup-rules table, and currently the db.security_group_get function
  offers no option to avoid joining with the rules. As a result:

  If a group-source secgroup-rule exists on a security group with a
  large number of instances and a large number of rules, the db query
  result will be very large and take multiple seconds to complete, tying
  up conductor and making the system unresponsive.

  Since the InstanceList.get_by_security_group_id call only aims to
  build a list of instances, there is no need in this case to join with
  the rules, and so the db.security_group_get call should optionally
  avoid joining with the rules table.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1552971/+subscriptions