<div dir="ltr"><div style>Agree!</div>+1</div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 18, 2014 at 1:47 PM, Lingxian Kong <span dir="ltr"><<a href="mailto:anlin.kong@gmail.com" target="_blank">anlin.kong@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi, shihanzhang:<br>
<br>
Thanks for bringing this up, again.<br>
<br>
As I said before, this blueprint will solve the problems that the<br>
'hard-coded' rules related to the default security group we are<br>
suffering from, which I do think will give Fawad an anser. So, I<br>
really hope that we can particapate all together to make this happen<br>
in Kilo.<br>
<div class="HOEnZb"><div class="h5"><br>
2014-09-17 10:11 GMT+08:00 shihanzhang <<a href="mailto:ayshihanzhang@126.com">ayshihanzhang@126.com</a>>:<br>
> As I know there is no a way to disable default security groups, but I think<br>
> this BP can solve this problem:<br>
> <a href="https://blueprints.launchpad.net/neutron/+spec/default-rules-for-default-security-group" target="_blank">https://blueprints.launchpad.net/neutron/+spec/default-rules-for-default-security-group</a><br>
><br>
><br>
> 在 2014-09-17 07:44:42,"Aaron Rosen" <<a href="mailto:aaronorosen@gmail.com">aaronorosen@gmail.com</a>> 写道:<br>
><br>
> Hi,<br>
><br>
> Inline:<br>
><br>
> On Tue, Sep 16, 2014 at 1:00 AM, Fawad Khaliq <<a href="mailto:fawad@plumgrid.com">fawad@plumgrid.com</a>> wrote:<br>
>><br>
>> Folks,<br>
>><br>
>> I have had discussions with some folks individually about this but I would<br>
>> like bring this to a broader audience.<br>
>><br>
>> I have been playing with security groups and I see the notion of 'default'<br>
>> security group seems to create some nuisance/issues.<br>
>><br>
>> There are list of things I have noticed so far:<br>
>><br>
>> Tenant for OpenStack services (normally named service/services) also ends<br>
>> up having default security group.<br>
>> Port create operation ends up ensuring default security groups for all the<br>
>> tenants as this completely seems out of the context of the tenant the port<br>
>> operation takes place. (bug?)<br>
>> Race conditions where if system is stressed and Neutron tries to ensure<br>
>> the first default security group and in parallel another call comes, Neutron<br>
>> ends up trying to create multiple default security groups as the checks for<br>
>> duplicate groups are invalidated as soon as the call make past a certain<br>
>> point in code.<br>
><br>
> Right this is a bug. We should catch this foreign key constraint exception<br>
> here and pass as the default security group was already created. We do<br>
> something similar here when ports are created as there is a similar race for<br>
> ip_allocation.<br>
>><br>
>><br>
>> API performance where orchestration chooses to spawn 1000 tenants and we<br>
>> see unnecessary overhead<br>
>><br>
>> For plugins that use RESTful proxy backends require the backend systems to<br>
>> be up at the time neutron starts. [Minor, but affects some packaging<br>
>> solutions]<br>
><br>
><br>
> This is probably always a requirement for neutron to work so I don't think<br>
> it's related.<br>
>><br>
>><br>
>> To summarize, is there a way to disable default security groups? Expected<br>
>> answer is no; can we introduce a way to disable it? If that does not make<br>
>> sense, should we go ahead and fix the issues around it?<br>
><br>
><br>
> I think we should fix these bugs you pointed out.<br>
>><br>
>><br>
>> I am sure some of you must have seen some of these issues and solved them<br>
>> already. Please do share how do tackle these issues?<br>
>><br>
>> Thanks,<br>
>> Fawad Khaliq<br>
>><br>
>><br>
>> _______________________________________________<br>
>> OpenStack-dev mailing list<br>
>> <a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
>><br>
><br>
><br>
><br>
><br>
> _______________________________________________<br>
> OpenStack-dev mailing list<br>
> <a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
><br>
<br>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
Regards!<br>
-----------------------------------<br>
Lingxian Kong<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><font color="#999999">Best wishes!<br>Baohua<br></font>
</div>