Reduce the number of db/rpc calls to get instance rules

When getting instance rules in virt/firewall.py a for loop is used to
issue db queries for rules belonging to each individual security group
in a list of security groups that itself is fetched using a separate
query.

This can be made much more efficient by querying all rules in a single
db query joined by instance.

Change-Id: I325f9c71fecde8297842fd608ac3cfd51ea9db71
Closes-Bug: #1528041

nova/db/api.py

@@ -1329,6 +1329,11 @@ def security_group_rule_get_by_security_group(context, security_group_id,
         context, security_group_id, columns_to_join=columns_to_join)
 
 
+def security_group_rule_get_by_instance(context, instance_uuid):
+    """Get all rules for a given instance."""
+    return IMPL.security_group_rule_get_by_instance(context, instance_uuid)
+
+
 def security_group_rule_destroy(context, security_group_rule_id):
     """Deletes a security group rule."""
     return IMPL.security_group_rule_destroy(context, security_group_rule_id)

nova/db/sqlalchemy/api.py

@@ -4356,6 +4356,15 @@ def security_group_rule_get_by_security_group(context, security_group_id,
     return query.all()
 
 
+@require_context
+def security_group_rule_get_by_instance(context, instance_uuid):
+    return (_security_group_rule_get_query(context).
+            join('parent_group', 'instances').
+            filter_by(uuid=instance_uuid).
+            options(joinedload('grantee_group')).
+            all())
+
+
 @require_context
 def security_group_rule_create(context, values):
     return _security_group_rule_create(context, values)