cache-neutron-security-groups

Registered by Aaron Rosen on 2014-03-24

Nova-api should be able to work if neutron is down. Currently this is not
the case as we are going to neutron in order to obtain the security_groups on
an instance. In this blueprint we'll cache these security groups in nova
instead to avoid going to neutron.

Problem description
===================

Currently, whenever performing any GET options on nova for example nova list
nova-api calls out to neutron in order to get a list of security groups
attached to the instance. In addition, this is also done for most other
api operations due to how nova's extension framework is implemented. For
example, the nova interface-detach command will also cause nova-api to
query neutron for the security groups attached to the instance. The problem,
with this design is if neutron is down nova-api no longer works (as it fails
trying to talk to neutron) in addition we are quering neutron a lot more
then we need to be.

Proposed change
===============

In order to solve this issue I propose that we cache the security_groups
attached to each VIF in the instance_info_caches table and return the
security groups from there rather than from neutron.

see: https://review.openstack.org/82598 for nova-spec review.

Blueprint information

Status:
Not started
Approver:
None
Priority:
Undefined
Drafter:
Aaron Rosen
Direction:
Needs approval
Assignee:
Aaron Rosen
Definition:
New
Series goal:
None
Implementation:
Unknown
Milestone target:
None

Related branches

Sprints

Whiteboard

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.