<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 26, 2014 at 3:30 AM, Day, Phil <span dir="ltr">&lt;<a href="mailto:philip.day@hp.com" target="_blank">philip.day@hp.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I think the expectation is that if a user is already interacting with Neutron to create ports then they should do the security group assignment in Neutron as
well. </span></p></div></div></blockquote><div><br></div><div>Agree. However what do you think a user expects when he/she boots a vm (no matter providing port_id or just net_id) </div><div>and specifies security_groups? I think the expectation should be that instance will become a member of the specified groups.</div><div>Ignoring security_groups parameter in case port is provided (as it is now) seems completely unfair to me.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The trouble I see with supporting this way of assigning security groups is what should the correct behavior be if the user passes more than one port into the
Nova boot command? In the case where Nova is creating the ports it kind of feels (just) Ok to assign the security groups to all the ports. In the case where the ports have already been created then it doesn’t feel right to me that Nova modifies them.</span></p></div></div></blockquote><div><br></div><div>An option may be to append existing ports' security groups with ones that a user specifies during instance boot. </div><div>This way we will preserve both user expectations - first when the port is created and second when the instance is spawned.<br></div><div>Thoughts?</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u><u></u></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> Oleg Bondarev [mailto:<a href="mailto:obondarev@mirantis.com" target="_blank">obondarev@mirantis.com</a>]
<br>
<b>Sent:</b> 25 September 2014 08:19<br>
<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>
<b>Subject:</b> Re: [openstack-dev] [NOVA] security group fails to attach to an instance if port-id is specified during boot.<u></u><u></u></span></p>
</div>
</div><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Hi Parikshit,<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Looks like a bug. Currently if port is specified its security groups are not updated, it should be fixed.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">I've reported <a href="https://bugs.launchpad.net/nova/+bug/1373774" target="_blank">https://bugs.launchpad.net/nova/+bug/1373774</a> to track this.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Thanks for reporting!<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Oleg<u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Thu, Sep 25, 2014 at 10:15 AM, Parikshit Manur &lt;<a href="mailto:parikshit.manur@citrix.com" target="_blank">parikshit.manur@citrix.com</a>&gt; wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal"><span lang="EN-AU">Hi All,<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU"> Creation of server with command ‘</span><span lang="EN-AU" style="font-size:10.5pt;font-family:"Courier New";color:black">nova boot --image
&lt;image&gt; --flavor m1.medium --nic port-id=&lt;port-id&gt; --security-groups &lt;sec_grp&gt; &lt;name&gt;’
</span><span lang="EN-AU">fails to attach the security group to the port/instance. The response payload has the security group added but only default security group is attached to the instance. Separate action has to be performed on the instance to add sec_grp,
and it is successful. Supplying the same with ‘</span><span lang="EN-AU" style="font-size:10.5pt;font-family:"Courier New";color:black">--nic net-id=&lt;net-id&gt;’
</span><span lang="EN-AU">works as expected.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU"> <u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU">Is this the expected behaviour / are there any other options which need to be specified to add the security group when port-id needs to be attached during boot?
<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU"> <u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU">Thanks,<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU">Parikshit Manur</span><span lang="EN-AU" style="font-size:10.5pt;font-family:"Courier New";color:black">
</span><span lang="EN-AU"><u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><u></u><u></u></p>
</blockquote>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div></div></div>
</div>
</div>
<br></blockquote></div><br></div></div>
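<p>Added example, not part of the original thread or of Nova's code: a check that compares the security groups a server response reports against the groups actually set on its ports, which is the mismatch the thread describes, plus the "append" option proposed in the reply. The sample data is constructed, and its field names are assumptions modelled on Nova server and Neutron port/security-group responses.</p>

```python
# Added example. All data below is constructed; field names are assumed to
# follow Nova server and Neutron port / security-group API responses.
SECURITY_GROUPS = [
    {"id": "sg-default-id", "name": "default"},
    {"id": "sg-web-id", "name": "web"},
]
SERVERS = [
    # Booted with --nic port-id=...: response lists "web", port was not updated.
    {"id": "vm-1", "security_groups": [{"name": "web"}]},
    # Booted with --nic net-id=...: Nova created the port with the group.
    {"id": "vm-2", "security_groups": [{"name": "web"}]},
]
PORTS = [
    {"id": "port-a", "device_id": "vm-1", "security_groups": ["sg-default-id"]},
    {"id": "port-b", "device_id": "vm-2", "security_groups": ["sg-web-id"]},
]


def find_unenforced_groups(servers, ports, groups):
    """Return {server_id: {port_id: [groups reported but absent on the port]}}."""
    name_by_id = {g["id"]: g["name"] for g in groups}
    findings = {}
    for server in servers:
        reported = {g["name"] for g in server["security_groups"]}
        for port in ports:
            if port["device_id"] != server["id"]:
                continue
            # Unknown group ids are kept as-is so they still show up in a diff.
            applied = {name_by_id.get(i, i) for i in port["security_groups"]}
            missing = sorted(reported - applied)
            if missing:
                findings.setdefault(server["id"], {})[port["id"]] = missing
    return findings


def append_groups(port, requested_ids):
    """The 'append' option from the thread: keep the port's groups, add new ones."""
    merged = list(port["security_groups"])
    merged += [i for i in requested_ids if i not in merged]
    return merged


if __name__ == "__main__":
    print(find_unenforced_groups(SERVERS, PORTS, SECURITY_GROUPS))
    print(append_groups(PORTS[0], ["sg-web-id"]))
```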