
yahoo-eng-team team mailing list archive

[Bug 1707319] Re: Security group doesn't apply to existing port

 

Well, I'm maybe going back a little. AFAICT, security groups are
Neutron-related, correct? So, when you create the port, you have to
specify the groups it could be applying, right?

In that case, it's your responsibility to define security groups at the
port creation, not when you ask to create the VM.

See https://docs.openstack.org/security-guide/networking/services-security-best-practices.html
for the security groups best practices; it clearly states that Nova should
only provide a proxy API for Neutron-based SGs.

I'm closing the bug as invalid as I don't think Nova should update
security groups for pre-existing ports. That said, I think it would be a
nice user experience to get an HTTP 400 when you pass both flags at the
nova boot request (an existing port ID and security group IDs) as that
situation can confuse people (and me first).

** Changed in: nova
       Status: In Progress => Invalid

** Changed in: nova
   Importance: Critical => Undecided

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1707319

Title:
  Security group doesn't apply to existing port

Status in OpenStack Compute (nova):
  Invalid

Bug description:
  Description
  ===========
  Create an instance with an existing port and a security group. The security group is ignored. The port's security group is not updated.

  Steps to reproduce
  ==================
  $ source /opt/stack/devstack/openrc demo demo
  $ openstack port create --network private vm-port
  $ PORT_ID=$(openstack port show vm-port | awk '/ id /{print $4}')
  $ openstack security group create vm-sg
  $ SG_ID=$(openstack security group show vm-sg | awk '/ id /{print $4}')
  $ openstack server create --flavor m1.tiny --nic port-id=$PORT_ID --security-group $SG_ID --image cirros-0.3.5-x86_64-disk vm
  $ openstack server show vm -c security_groups
  +-----------------+----------------+
  | Field           | Value          |
  +-----------------+----------------+
  | security_groups | name='default' |
  +-----------------+----------------+

  Expected result
  ===============
  I expect Nova to update the port's security group. For example, the security group should be updated as name='vm-sg' instead of name='default'.

  Actual result
  =============
  The specified security group is ignored. The port's security group is not updated (stays as 'default').

  Environment
  ===========
  $ git log -1
  commit 2fbac08c0686e92aaee65f24bf2958db6a451046
  Author: Stephen Finucane <sfinucan@xxxxxxxxxx>
  Date:   Mon Jun 26 11:14:55 2017 +0100

      Add missing microversion documentation

      Part of blueprint placement-project-user

      Change-Id: I9d77649e7e02f0ace5546e42e04122162ec5661f

  hypervisor: Libvirt + KVM

  Networking type: Neutron

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1707319/+subscriptions
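
The check suggested in the comment above (answer with a 400 when a boot request carries both an existing port ID and security groups), sketched as an added example; it is not part of the original message and not Nova's code. It assumes the compute API "create server" body layout with `networks` and `security_groups` keys; the function names and the sample IDs are hypothetical.

```python
# Added example: pre-flight check on a Nova "create server" request body.
# Assumed layout: {"server": {"networks": [...], "security_groups": [...]}}.

def ignored_security_groups(body):
    """Return {port_id: [group names]} for groups that would not be applied.

    Groups named in the request are not pushed onto a pre-existing port
    (a "port" key in a networks entry); that port keeps whatever groups
    Neutron already holds for it, as in the bug's reproducer.
    """
    server = body.get("server", {})
    networks = server.get("networks") or []
    if isinstance(networks, str):      # "auto" / "none": no pre-existing port
        return {}
    groups = [g["name"] for g in server.get("security_groups") or []
              if g.get("name")]
    if not groups:
        return {}
    return {n["port"]: groups for n in networks if n.get("port")}


def check_create_request(body):
    """Return (http_status, detail): 400 on the confusing combination, else 202."""
    ignored = ignored_security_groups(body)
    if not ignored:
        return 202, "ok"
    detail = "; ".join(
        "port %s: security groups %s must be set on the port in Neutron"
        % (port, ", ".join(names))
        for port, names in sorted(ignored.items())
    )
    return 400, detail


# Constructed sample requests (IDs are placeholders, not values from the bug).
PORT = "11111111-2222-3333-4444-555555555555"
NET = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
REPRODUCER = {"server": {"name": "vm", "networks": [{"port": PORT}],
                         "security_groups": [{"name": "vm-sg"}]}}
NEW_PORT = {"server": {"name": "vm", "networks": [{"uuid": NET}],
                       "security_groups": [{"name": "vm-sg"}]}}
PORT_ONLY = {"server": {"name": "vm", "networks": [{"port": PORT}]}}

if __name__ == "__main__":
    for label, req in [("reproducer", REPRODUCER), ("new port", NEW_PORT),
                       ("port only", PORT_ONLY)]:
        print(label, check_create_request(req))
```

A request flagged this way is resolved by setting the groups on the port in Neutron before booting, which is where the comment above places the responsibility.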

