yahoo-eng-team team mailing list archive
Message #66273
[Bug 1707319] Re: Security group doesn't apply to existing port
Well, I'm maybe going back a little. AFAICT, security groups are
Neutron-related, correct? So, when you create the port, you have to
specify the groups it could be applying, right?
In that case, it's your responsibility to define security groups at the
port creation, not when you ask to create the VM.
See https://docs.openstack.org/security-guide/networking/services-security-best-practices.html
for the security groups best practices, it clearly states that Nova should
only provide a proxy API for Neutron-based SGs.
I'm closing the bug as invalid as I don't think Nova should update
security groups for pre-existing ports. That said, I think it would be a
nice user experience to get an HTTP 400 when you pass both flags at the
nova boot request (an existing port ID and security group IDs) as that
situation can confuse people (and me first).
** Changed in: nova
Status: In Progress => Invalid
** Changed in: nova
Importance: Critical => Undecided
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1707319
Title:
Security group doesn't apply to existing port
Status in OpenStack Compute (nova):
Invalid
Bug description:
Description
===========
Create an instance with an existing port and a security group. The security group is ignored. The port's security group is not updated. Steps to reproduce:
Steps to reproduce
==================
$ source /opt/stack/devstack/openrc demo demo
$ openstack port create --network private vm-port
$ PORT_ID=$(openstack port show vm-port | awk '/ id /{print $4}')
$ openstack security group create vm-sg
$ SG_ID=$(openstack security group show vm-sg | awk '/ id /{print $4}')
$ openstack server create --flavor m1.tiny --nic port-id=$PORT_ID --security-group $SG_ID --image cirros-0.3.5-x86_64-disk vm
$ openstack server show vm -c security_groups
+-----------------+----------------+
| Field | Value |
+-----------------+----------------+
| security_groups | name='default' |
+-----------------+----------------+
Expected result
===============
I expect Nova to update the port's security group. For example, the security group should be updated as name='vm-sg' instead of name='default'.
Actual result
=============
The specified security group is ignored. The port's security group is not updated (it stays as 'default').
Environment
===========
$ git log -1
commit 2fbac08c0686e92aaee65f24bf2958db6a451046
Author: Stephen Finucane <sfinucan@xxxxxxxxxx>
Date: Mon Jun 26 11:14:55 2017 +0100
Add missing microversion documentation
Part of blueprint placement-project-user
Change-Id: I9d77649e7e02f0ace5546e42e04122162ec5661f
hypervisor: Libvirt + KVM
Networking type: Neutron
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1707319/+subscriptions
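A client-side pre-flight check for the combination discussed in this thread, as an added example that is not part of the original messages and is not Nova code. It inspects a Nova "create server" request body and flags security groups passed alongside a pre-existing port; the function names, the sample body and the placeholder IDs are assumptions made for illustration.

```python
# Added example, not Nova code. Per the thread, Nova leaves the security
# groups of a pre-existing port untouched, so groups named in the boot
# request do not reach that port. Catch the combination before sending.

def ports_with_ignored_groups(body):
    """Return the pre-existing port IDs in a 'create server' body that
    would not receive the request-level security groups."""
    server = body.get("server", {})
    requested = [g["name"] for g in server.get("security_groups", [])]
    networks = server.get("networks", [])
    # networks may also be the string "auto" or "none": no existing port then.
    if not requested or isinstance(networks, str):
        return []
    return [n["port"] for n in networks if n.get("port")]


def preflight(body):
    """Mimic the HTTP 400 suggested in the thread; returns (status, message)."""
    ports = ports_with_ignored_groups(body)
    if ports:
        return 400, ("security_groups given together with existing port(s) "
                     + ", ".join(ports) + "; set the groups on the port instead")
    return 202, "ok"


def missing_groups(port, requested_ids):
    """Audit after boot: requested security group IDs that are absent from
    a Neutron port dict (its 'security_groups' field lists group IDs)."""
    return sorted(set(requested_ids) - set(port.get("security_groups", [])))


# Constructed sample mirroring the reproduction steps; IDs are placeholders.
SAMPLE = {"server": {"name": "vm", "flavorRef": "m1.tiny",
                     "networks": [{"port": "PORT-ID-PLACEHOLDER"}],
                     "security_groups": [{"name": "vm-sg"}]}}

if __name__ == "__main__":
    print(preflight(SAMPLE))
    print(missing_groups({"security_groups": ["SG-DEFAULT-PLACEHOLDER"]},
                         ["SG-VM-PLACEHOLDER"]))
```

The audit function covers deployments that already booted this way: feed it each port as returned by Neutron and the group IDs that were requested at boot.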