Well, last iteration of thoughts: since Nova proxies security group calls to Neutron, that means that when you boot the instance, Nova will need to make HTTP calls to Neutron to get the values of the existing security groups and ask it to update the port.

Since security groups are port-based in Neutron, but Nova unfortunately sees them as tied to instances, that means that if you created two ports with two distinct security groups and wanted to boot a VM by specifying a security group and passing those two ports, it would update all the ports to make them apply the same groups. I see the use case but I honestly don't think it's a real problem, just a feature request, hence me tagging that bug report as Wishlist.

** Changed in: nova
   Status: Invalid => Confirmed

** Changed in: nova
   Importance: Undecided => Wishlist

** Changed in: nova
   Status: Confirmed => Opinion

** Tags added: neutron security-groups

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1707319

Title:
  Security group doesn't apply to existing port

Status in OpenStack Compute (nova):
  Opinion

Bug description:
  Description
  ===========
  Create an instance with an existing port and a security group. The security group is ignored. The port's security group is not updated.

  Steps to reproduce
  ==================
  $ source /opt/stack/devstack/openrc demo demo
  $ openstack port create --network private vm-port
  $ PORT_ID=$(openstack port show vm-port | awk '/ id /{print $4}')
  $ openstack security group create vm-sg
  $ SG_ID=$(openstack security group show vm-sg | awk '/ id /{print $4}')
  $ openstack server create --flavor m1.tiny --nic port-id=$PORT_ID --security-group $SG_ID --image cirros-0.3.5-x86_64-disk vm
  $ openstack server show vm -c security_groups
  +-----------------+----------------+
  | Field           | Value          |
  +-----------------+----------------+
  | security_groups | name='default' |
  +-----------------+----------------+

  Expected result
  ===============
  I expect Nova to update the port's security group. For example, the security group should be updated to name='vm-sg' instead of name='default'.
  Actual result
  =============
  The specified security group is ignored. The port's security group is not updated (it stays as 'default').

  Environment
  ===========
  $ git log -1
  commit 2fbac08c0686e92aaee65f24bf2958db6a451046
  Author: Stephen Finucane <sfinu...@redhat.com>
  Date:   Mon Jun 26 11:14:55 2017 +0100

      Add missing microversion documentation

      Part of blueprint placement-project-user

      Change-Id: I9d77649e7e02f0ace5546e42e04122162ec5661f

  hypervisor: Libvirt + KVM
  Networking type: Neutron
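Because `openstack server show` only reflects Nova's instance-level view, the authoritative check after a boot like the one above is to read the port back from Neutron and compare its groups with what was requested. The script below is an added example, not code from the bug report or from Nova; the port JSON, the UUIDs and the `security_group_ids` key name are constructed/assumed sample values, and the live `openstack port show ... -f json` call is only made when a port id is passed on the command line.

```python
"""Post-boot check: does a Neutron port really carry the security groups
that were passed to `openstack server create --security-group`?"""
import json
import subprocess
import sys

# Constructed sample of `openstack port show <port> -f json` taken right after
# the reproduction steps: the port still only carries the 'default' group.
# Assumed output shape: a "security_group_ids" list of SG UUIDs.
DEFAULT_SG_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # constructed 'default'
VM_SG_ID = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"       # constructed 'vm-sg'
SAMPLE_PORT_JSON = json.dumps({
    "id": "11111111-1111-1111-1111-111111111111",
    "name": "vm-port",
    "security_group_ids": [DEFAULT_SG_ID],
})


def audit_port_security_groups(port_json, expected_sg_ids):
    """Compare the groups Neutron reports on the port (authoritative) with the
    groups the operator intended. Returns (missing, unexpected) as sorted
    lists; an empty 'missing' list means the intended groups were applied."""
    port = json.loads(port_json)
    actual = set(port.get("security_group_ids") or [])
    expected = set(expected_sg_ids)
    return sorted(expected - actual), sorted(actual - expected)


def audit_live_port(port_id, expected_sg_ids):
    """Fetch the port from Neutron via the openstack CLI and audit it.
    Needs sourced credentials (e.g. devstack openrc); not used offline."""
    out = subprocess.check_output(
        ["openstack", "port", "show", port_id, "-f", "json"], text=True)
    return audit_port_security_groups(out, expected_sg_ids)


if __name__ == "__main__":
    # Usage: python audit_port_sg.py <port-id> <expected-sg-id> [...]
    if len(sys.argv) >= 3:
        missing, unexpected = audit_live_port(sys.argv[1], sys.argv[2:])
    else:  # offline demo on the constructed sample
        missing, unexpected = audit_port_security_groups(
            SAMPLE_PORT_JSON, [VM_SG_ID])
    if missing:
        print("security groups NOT applied to port:", missing)
        sys.exit(1)
    print("port carries the expected groups; extra groups:", unexpected)
```

Run without arguments it reports the sample port as missing 'vm-sg' and exits non-zero, which is exactly the silent failure the report describes.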