Slow metadata API performance with security groups that have a lot of rules
Bug #1851430 reported by
Matt Riedemann
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Compute (nova) |
Fix Released
|
Medium
|
Doug Wiegley | ||
Pike |
Fix Released
|
Low
|
Lee Yarwood | ||
Queens |
Fix Released
|
Low
|
Matt Riedemann | ||
Rocky |
Fix Committed
|
Medium
|
Matt Riedemann | ||
Stein |
Fix Committed
|
Medium
|
Matt Riedemann | ||
Train |
Fix Committed
|
Medium
|
Matt Riedemann |
Bug Description
This was reported here without a bug:
https:/
The EC2 metadata API response includes a 'security-groups' key that is a list of security group names attached to the instance.
The problem is for each security group attached to the instance, if the group has a lot of rules on it, it can be expensive to query (join) that information from neutron, especially if we don't care about the rules.
By default, listing security groups includes the rules in the response:
For the purpose of the EC2 metadata API, we should just query security groups for their names.
Changed in nova: | |
importance: | Undecided → Medium |
status: | New → Confirmed |
Changed in nova: | |
assignee: | nobody → Doug Wiegley (dougwig) |
Changed in nova: | |
assignee: | Doug Wiegley (dougwig) → Matt Riedemann (mriedem) |
status: | Confirmed → In Progress |
Changed in nova: | |
assignee: | Matt Riedemann (mriedem) → Doug Wiegley (dougwig) |
summary: |
- slow metadata performance with security groups that have a lot of rules + Slow metadata API performance with security groups that have a lot of + rules |
To post a comment you must log in.
Reviewed: https:/ /review. opendev. org/656084 /git.openstack. org/cgit/ openstack/ nova/commit/ ?id=eaf16fdde59 a14fb38df669b21 a911a0c2d2576f
Committed: https:/
Submitter: Zuul
Branch: master
commit eaf16fdde59a14f b38df669b21a911 a0c2d2576f
Author: Doug Wiegley <email address hidden>
Date: Tue Nov 5 17:29:11 2019 -0500
Improve metadata server performance with large security groups
Don't include the rules in the SG fetch in the metadata server, since
we don't need them there, and with >1000 rules, it starts to get
really slow, especially in Pike and later.
Closes-Bug: #1851430
Co-Authored-By: Doug Wiegley <email address hidden>
Co-Authored-By: Matt Riedemann <email address hidden>
Change-Id: I7de14456d04370 c842b4c35597dca 3a628a826a2