yahoo-eng-team team mailing list archive
Message #66274
[Bug 1707319] Re: Security group doesn't apply to existing port
Well, last iteration of thoughts: since Nova proxies security groups
calls to Neutron, that means that when you boot the instance, Nova will
need to make HTTP calls to Neutron to get values of the existing
security groups and ask to update the port.
Since security groups are port-based in Neutron, but Nova unfortunately
sees those tied to instances, that means that if you would create two
ports with two distinct security groups and you would like to boot a VM
by specifying a security group and passing those two ports, it would
update all the ports to make them apply the same groups.
I see the use case but I honestly don't think it's a real problem, just a
feature request, hence me tagging that bug report as Wishlist.
** Changed in: nova
Status: Invalid => Confirmed
** Changed in: nova
Importance: Undecided => Wishlist
** Changed in: nova
Status: Confirmed => Opinion
** Tags added: neutron security-groups
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1707319
Title:
Security group doesn't apply to existing port
Status in OpenStack Compute (nova):
Opinion
Bug description:
Description
===========
Create an instance with an existing port and a security group. The security group is ignored. The port's security group is not updated. Steps to reproduce:
Steps to reproduce
==================
$ source /opt/stack/devstack/openrc demo demo
$ openstack port create --network private vm-port
$ PORT_ID=$(openstack port show vm-port | awk '/ id /{print $4}')
$ openstack security group create vm-sg
$ SG_ID=$(openstack security group show vm-sg | awk '/ id /{print $4}')
$ openstack server create --flavor m1.tiny --nic port-id=$PORT_ID --security-group $SG_ID --image cirros-0.3.5-x86_64-disk vm
$ openstack server show vm -c security_groups
+-----------------+----------------+
| Field | Value |
+-----------------+----------------+
| security_groups | name='default' |
+-----------------+----------------+
Expected result
===============
I expect Nova to update the port's security group. For example, the security group should be updated as name='vm-sg' instead of name='default'.
Actual result
=============
The specified security group is ignored. The port's security group is not updated (it stays as 'default').
Environment
===========
$ git log -1
commit 2fbac08c0686e92aaee65f24bf2958db6a451046
Author: Stephen Finucane <sfinucan@xxxxxxxxxx>
Date: Mon Jun 26 11:14:55 2017 +0100
Add missing microversion documentation
Part of blueprint placement-project-user
Change-Id: I9d77649e7e02f0ace5546e42e04122162ec5661f
hypervisor: Libvirt + KVM
Networking type: Neutron
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1707319/+subscriptions
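Added example, not part of the bug report or of Nova: because the groups passed to `openstack server create` are not applied to a pre-created port, this sketch audits which security groups a port actually carries and, on a mismatch, sets them on the Neutron port directly. The function names are hypothetical; it assumes the `openstack` CLI is on PATH with credentials already sourced.

```shell
# Added example. Helper names are hypothetical, not from the bug report.
UUID_RE='[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}'

# Print the security group IDs bound to a port, one per line, sorted.
# Extracting UUIDs keeps this independent of how the client renders the list.
port_sg_ids() {
    openstack port show "$1" -f value -c security_group_ids |
        grep -oE "$UUID_RE" | sort -u
}

# Return 0 if the port carries exactly the expected groups, 1 otherwise.
# Usage: check_port_sgs PORT_ID SG_ID [SG_ID...]
check_port_sgs() {
    port=$1; shift
    want=$(printf '%s\n' "$@" | sort -u)
    have=$(port_sg_ids "$port")
    if [ "$want" = "$have" ]; then
        return 0
    fi
    echo "port $port: expected [$(echo $want)] but has [$(echo $have)]" >&2
    return 1
}

# Replace the port's groups with the expected set on the Neutron side.
# Usage: enforce_port_sgs PORT_ID SG_ID [SG_ID...]
enforce_port_sgs() {
    port=$1; shift
    # Turn each SG_ID in the positional parameters into "--security-group SG_ID".
    for sg in "$@"; do
        set -- "$@" --security-group "$sg"
        shift
    done
    openstack port set --no-security-group "$@" "$port"
}

# Typical use after the steps in the report:
#   check_port_sgs "$PORT_ID" "$SG_ID" || enforce_port_sgs "$PORT_ID" "$SG_ID"
```

Running the check after every boot that uses `--nic port-id=...` catches instances that silently ended up with only the 'default' group.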