Security group refresh is not specific

Bug #1029495 reported by David McNally
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Undecided
Assigned to: David McNally

Bug Description

The trigger_members_refresh method in compute.api.py specifies a group id in the call to refresh_security_group_members. This is just the last group id seen and ignores the fact that a refresh may impact members of multiple groups.

Possible fallout from this is covered by the fact that the do_refresh_security_group_rules method in virt.firewall.py takes a specific group id but doesn't target just members of that group for refresh, rather it refreshes the rules for all instances on the host. This can lead to a lot of time wasted in needless refreshes of security group rules.

I would propose changing the logic of trigger_members_refresh so that, instead of specifying a group to refresh, it sends a specific refresh request per instance impacted, and then altering the logic in do_refresh_security_group_rules to refresh a single instance, resulting in a refresh of only those rules that need it and removing the possibility of refreshing an instance multiple times if it is a member of more than one affected group.

Changed in nova:
assignee: nobody → David McNally (dave-mcnally)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/10658

Changed in nova:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/10658
Committed: http://github.com/openstack/nova/commit/2afbbab23a9d845cde511baa1e574fdcf5ab5171
Submitter: Jenkins
Branch: master

commit 2afbbab23a9d845cde511baa1e574fdcf5ab5171
Author: David McNally <email address hidden>
Date: Wed Aug 1 15:51:29 2012 +0100

    Making security group refresh more specific

    Fixes bug 1029495

    The trigger_members_refresh method in compute.api.py specifies
    a group id in the call to refresh_security_group_members. This
    is just the last group id seen and ignores the fact that a
    refresh may impact members of multiple groups.

    This is masked by the fact that on the host the group id is
    ignored and all instances have their security rules refreshed
    regardless of whether they are part of the changed group or not.

    This change modifies the logic surrounding refreshes so we send
    a refresh request for each instance which is affected by a
    security group change; this ensures we aren't spending time
    refreshing unaffected instances and also removes the possibility
    of refreshing an instance multiple times if it is a member of
    more than one group.

    Also changed to be instance-centric is the refresh carried out
    when a rule is added/removed to a security group.

    Change-Id: Iec98e9aed818fdc4ecc88c8dcdd4ee5fa9386e00
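As an added illustration of the group-centric versus instance-centric refresh described in the bug report and in the commit message above (a constructed model, not nova's code; the topology, host names and function names are assumptions):

```python
"""Constructed model of the refresh fan-out in bug 1029495 (not nova's code).
A change touching several groups must refresh each member exactly once."""
from collections import Counter

# Constructed topology: instance -> (host, set of security groups).
INSTANCES = {
    "web-1": ("host-a", {"web", "ssh"}),  # member of two changed groups
    "web-2": ("host-a", {"web"}),
    "db-1": ("host-b", {"db", "ssh"}),
    "cache": ("host-b", {"cache"}),  # unaffected by the change below
    "bastion": ("host-c", {"ssh"}),
}

def members(group):
    """Instances that belong to a security group."""
    return {name for name, (_, groups) in INSTANCES.items() if group in groups}

def host_of(instance):
    return INSTANCES[instance][0]

def last_group_only(changed_groups):
    """API-side defect: the loop keeps only the last group id it saw, so
    members of the earlier groups are never selected for refresh."""
    security_group_id = None
    for group in changed_groups:
        security_group_id = group
    return members(security_group_id)

def host_wide_refresh(hosts):
    """Host-side behaviour before the fix: the group id is ignored and every
    instance on the host is refreshed, member of a changed group or not."""
    return Counter(name for name, (h, _) in INSTANCES.items() if h in hosts)

def per_group_refresh(changed_groups):
    """Naive per-group fan-out: an instance in two changed groups is refreshed twice."""
    return sum((Counter(members(g)) for g in changed_groups), Counter())

def instance_centric_refresh(changed_groups):
    """The fix: one request per affected instance, deduplicated across groups
    and grouped by host for dispatch; unaffected neighbours are left alone."""
    affected = set().union(*(members(g) for g in changed_groups))
    by_host = {}
    for inst in sorted(affected):
        by_host.setdefault(host_of(inst), []).append(inst)
    return by_host

if __name__ == "__main__":
    changed = ["web", "ssh"]  # one change touching two groups
    print(sorted(last_group_only(changed)), instance_centric_refresh(changed))
```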

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → folsom-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: folsom-3 → 2012.2