Bug #1228384 “Security Group extension reads all Neutron ports f...” : Bugs : OpenStack Compute (nova)

Phil Day (philip-day) on 2013-09-20

Changed in nova:
assignee:	nobody → Phil Day (philip-day)

Phil Day (philip-day) on 2013-09-20

description:

updated

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-09-20: Fix proposed to nova (master)

#1

Fix proposed to branch: master
Review: https://review.openstack.org/47651

Changed in nova:
status:	New → In Progress

Joe Gordon (jogo) on 2013-10-07

tags:

added: havana-rc-potential

Revision history for this message

Joe Gordon (jogo) wrote on 2013-10-08:

#2

Adding tempest to this because, we should update

https://github.com/openstack/tempest/blob/master/tempest/scenario/test_large_ops.py

which we gate on to test this scenario.

Huang Zhiteng (zhiteng-huang) on 2013-10-09

tags:

added: grizzly-backport-potential

Thierry Carrez (ttx) on 2013-10-14

tags:

added: havana-backport-potential
removed: havana-rc-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-11-25: Fix merged to nova (master)

#3

Reviewed: https://review.openstack.org/47651
Committed: http://github.com/openstack/nova/commit/18c3ac4a8935b9997dbb55181d5dbb5232ef2c27
Submitter: Jenkins
Branch: master

commit 18c3ac4a8935b9997dbb55181d5dbb5232ef2c27
Author: Phil Day <email address hidden>
Date: Fri Sep 20 22:41:14 2013 +0000

Fix performance of Server List with Neutron for Admins

    https://review.openstack.org/#/c/30048/ optimized the
    SecurityGroupsOutputController for the case where the server
    list only contains one server, but in all other cases the current
    code calls the Neutron driver in a way that makes it retrieve
    all ports and security groups visible to the tenant.

    For users with a Neutron admin role this retrieves all ports
    and all SecGroups in the system, which on a large system is a
    major performance issue and often leads to client timeouts.
    Normally these users have further qualified their query to a
    specific tenant or host, or are maybe just trying to get their
    own list of servers.

    If instead we pass the pre-filtered list of servers to Neutron
    it can query for ports associated with just the device IDs of
    the servers. We then use that list of ports to build a
    specific list of security groups IDs to query for.

This approach means that we can remove the initial
optimization for a single server case.

Closes-Bug: 1228384

Change-Id: I6f72533056e4f336f7578cc883fd1a125c2048a9

Changed in nova:
status:	In Progress → Fix Committed

Russell Bryant (russellb) on 2013-12-03

Changed in nova:
milestone:	none → icehouse-1

Thierry Carrez (ttx) on 2013-12-04

Changed in nova:
status:	Fix Committed → Fix Released

Sean Dague (sdague) on 2013-12-12

Changed in tempest:
importance:	Undecided → Medium
status:	New → Confirmed

Phil Day (philip-day) on 2013-12-13

Changed in nova:
importance:	Undecided → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-12-13: Fix proposed to nova (stable/havana)

#4

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/61924

Alan Pevec (apevec) on 2014-01-29

tags:

removed: havana-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-01-30: Fix merged to nova (stable/havana)

#5

Reviewed: https://review.openstack.org/61924
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=19fdaa225abd007a13cd38c742e27c5ee620186c
Submitter: Jenkins
Branch: stable/havana

commit 19fdaa225abd007a13cd38c742e27c5ee620186c
Author: Phil Day <email address hidden>
Date: Fri Sep 20 22:41:14 2013 +0000

Fix performance of Server List with Neutron for Admins

    https://review.openstack.org/#/c/30048/ optimized the
    SecurityGroupsOutputController for the case where the server
    list only contains one server, but in all other cases the current
    code calls the Neutron driver in a way that makes it retrieve
    all ports and security groups visible to the tenant.

    For users with a Neutron admin role this retrieves all ports
    and all SecGroups in the system, which on a large system is a
    major performance issue and often leads to client timeouts.
    Normally these users have further qualified their query to a
    specific tenant or host, or are maybe just trying to get their
    own list of servers.

    If instead we pass the pre-filtered list of servers to Neutron
    it can query for ports associated with just the device IDs of
    the servers. We then use that list of ports to build a
    specific list of security groups IDs to query for.

This approach means that we can remove the initial
optimization for a single server case.

Closes-Bug: 1228384

(cherry picked from commit 18c3ac4a8935b9997dbb55181d5dbb5232ef2c27)

Conflicts:
nova/tests/api/openstack/compute/contrib/test_neutron_security_groups.py

Change-Id: I6f72533056e4f336f7578cc883fd1a125c2048a9

Yaguang Tang (heut2008) on 2014-02-10

tags:

removed: grizzly-backport-potential

Thierry Carrez (ttx) on 2014-04-17

Changed in nova:
milestone:	icehouse-1 → 2014.1

Revision history for this message

Luz Cazares (luz-cazares) wrote on 2016-08-09:

#6

Invalidating Tempest bug since scenario "tempest/scenario/test_large_ops.py" was removed from tempest (related to performance instead of scenario). See: https://github.com/openstack/tempest/commit/1976da83a5bdb35a61d1659bb5ece1b5d248bacd

Changed in tempest:
status:	Confirmed → Invalid

OpenStack Compute (nova)

Security Group extension reads all Neutron ports for anything other that a single server

Bug Description

Duplicates of this bug

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to	Milestone
OpenStack Compute (nova)	Fix Released	High	Phil Day	OpenStack Compute (nova) 2014.1 "icehouse"
Havana	Fix Released	High	Yaguang Tang	OpenStack Compute (nova) 2013.2.2
tempest	Invalid	Medium	Unassigned