[openstack-dev] [NOVA] security group fails to attach to an instance if port-id is specified during boot.

Oleg Bondarev obondarev at mirantis.com
Fri Sep 26 07:25:49 UTC 2014


On Fri, Sep 26, 2014 at 3:30 AM, Day, Phil <philip.day at hp.com> wrote:

>  I think the expectation is that if a user is already interacting with
> Neutron to create ports then they should do the security group assignment
> in Neutron as well.
>

Agree. However, what do you think a user expects when he/she boots a VM (no
matter whether providing port_id or just net_id) and specifies
security_groups? I think the expectation should be that the instance will
become a member of the specified groups.
Ignoring the security_groups parameter in case a port is provided (as it is
now) seems completely unfair to me.

>
>
> The trouble I see with supporting this way of assigning security groups is
> what should the correct behavior be if the user passes more than one port
> into the Nova boot command ?   In the case where Nova is creating the ports
> it kind of feels (just)  Ok to assign the security groups to all the
> ports.  In the case where the ports have already been created then it
> doesn’t feel right to me that Nova modifies them.
>

An option may be to append existing ports' security groups with ones that a
user specifies during instance boot.
This way we will preserve both user expectations - first when the port is
created and second when the instance is spawned.
Thoughts?

>
> *From:* Oleg Bondarev [mailto:obondarev at mirantis.com]
> *Sent:* 25 September 2014 08:19
> *To:* OpenStack Development Mailing List (not for usage questions)
> *Subject:* Re: [openstack-dev] [NOVA] security group fails to attach to
> an instance if port-id is specified during boot.
>
>
>
> Hi Parikshit,
>
>
>
> Looks like a bug. Currently if port is specified its security groups are
> not updated, it should be fixed.
>
> I've reported https://bugs.launchpad.net/nova/+bug/1373774 to track this.
>
> Thanks for reporting!
>
>
>
> Thanks,
>
> Oleg
>
>
>
> On Thu, Sep 25, 2014 at 10:15 AM, Parikshit Manur <
> parikshit.manur at citrix.com> wrote:
>
>  Hi All,
>
> Creation of server with command ‘nova boot --image
> <image> --flavor m1.medium --nic port-id=<port-id> --security-groups
> <sec_grp> <name>’ fails to attach the security group to the
> port/instance. The response payload has the security group added but only
> default security group is attached to the instance. Separate action has to
> be performed on the instance to add sec_grp, and it is successful.
> Supplying the same with ‘--nic net-id=<net-id>’ works as expected.
>
>
>
> Is this the expected behaviour / are there any other options which need
> to be specified to add the security group when port-id needs to be attached
> during boot?
>
>
>
> Thanks,
>
> Parikshit Manur
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
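
The mismatch reported in this thread (the boot response lists the requested group while the pre-created port keeps only `default`) can be detected by comparing the groups Nova reports for a server with the groups its Neutron ports actually carry. The following is an added example, not code from this thread or from Nova; the dict shapes follow the Nova server and Neutron port/security-group API responses, and the function name and sample records are constructed for illustration.

```python
"""Audit: security groups Nova reports for a server vs. groups on its ports."""


def audit_security_groups(servers, ports, groups):
    """Return {server_id: {port_id: [missing group names]}} for mismatches.

    servers: Nova server records   {"id", "security_groups": [{"name"}]}
    ports:   Neutron port records  {"id", "device_id", "security_groups": [ids]}
    groups:  Neutron group records {"id", "name"}
    """
    name_by_id = {g["id"]: g["name"] for g in groups}
    findings = {}
    for server in servers:
        reported = {sg["name"] for sg in server.get("security_groups", [])}
        for port in ports:
            if port.get("device_id") != server["id"]:
                continue
            # Unknown ids are kept as-is so they never mask a missing group.
            enforced = {name_by_id.get(i, i)
                        for i in port.get("security_groups", [])}
            missing = sorted(reported - enforced)
            if missing:
                findings.setdefault(server["id"], {})[port["id"]] = missing
    return findings


# Constructed sample data (not taken from a real deployment).
GROUPS = [{"id": "sg-1", "name": "default"}, {"id": "sg-2", "name": "web"}]
SERVERS = [
    # Booted with --nic port-id=...: response lists "web", port not updated.
    {"id": "vm-a", "security_groups": [{"name": "web"}]},
    # Booted with --nic net-id=...: Nova created the port with the group.
    {"id": "vm-b", "security_groups": [{"name": "web"}]},
]
PORTS = [
    {"id": "port-a", "device_id": "vm-a", "security_groups": ["sg-1"]},
    {"id": "port-b", "device_id": "vm-b", "security_groups": ["sg-2"]},
]

if __name__ == "__main__":
    result = audit_security_groups(SERVERS, PORTS, GROUPS)
    for server_id, by_port in result.items():
        for port_id, missing in by_port.items():
            print(f"{server_id} {port_id}: reported but not on port: {missing}")
```

The check matches groups by name, so it assumes group names are unique within the project being audited.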

