<div dir="ltr">Hi,<div><br></div><div>This sounds like it may be a bug. My guess is that when we switched to project ID a hook was not updated to create the default security group when a project ID is passed instead of a tenant ID (this logic [1] in particular).</div><div><br></div><div>Can you please file a bug on launchpad and reference this email thread and we should be able to get it fixed pretty quickly.</div><div><br></div><div>1. <a href="https://github.com/openstack/neutron/blob/71d9aab87e37b5162ef09b8cbe3b72709fc88a8b/neutron/db/securitygroups_db.py#L146-L153">https://github.com/openstack/neutron/blob/71d9aab87e37b5162ef09b8cbe3b72709fc88a8b/neutron/db/securitygroups_db.py#L146-L153</a></div><div><br></div><div>Cheers,</div><div>Kevin Benton</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 27, 2017 at 3:30 AM, Riccardo Murri <span dir="ltr"><<a href="mailto:riccardo.murri@uzh.ch" target="_blank">riccardo.murri@uzh.ch</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
I'm trying to add some rules to the "default" security group of a<br>
newly-created project, using the Neutron API 2.0.<br>
<br>
However, it seems that the "default" security group is automatically<br>
created but it is not returned by Neutron client's<br>
`list_security_groups()` API call.  My code works just fine if I use any<br>
security group name other than "default".<br>
<br>
This is an example interaction, which shows that there is no security<br>
group returned for the project::<br>
<br>
    >>> project.id<br>
    u'b26ed1aa29e64c3abeade0a47867eee3'<br>
    >>> response = self.neutron.list_security_groups()  # self.neutron is a neutron_client.v2.Client instance<br>
    >>> secgroups = response['security_groups']<br>
    >>> all_sg_ids = [(sg['id'], sg['tenant_id']) for sg in secgroups]<br>
    >>> all_sg_ids<br>
    [(u'01de4e38-55ea-4b82-8583-274b1bded41a', u'0ff1f3d07fbd4d41892cdf85d7a7d1a9'), ... ]<br>
    >>> len(all_sg_ids)<br>
    17<br>
    >>> project_sg_ids = [(sg['id'], sg['tenant_id']) for sg in secgroups if sg['tenant_id'] == project.id]<br>
    >>> project_sg_ids<br>
    []<br>
<br>
Shouldn't the "default" security group be listed there?<br>
<br>
In more detail, this is the code I'm using (which, again, works as<br>
expected if I use any security group name other than "default")::<br>
<br>
    class Projects(object):<br>
        def __init__(self):<br>
            self.session = get_session()<br>
            self.keystone = keystone_client.Client(session=self.session)<br>
            self.neutron = neutron_client.Client(session=self.session)<br>
            self.nova = nova_client('2', session=self.session)<br>
            # ...<br>
<br>
        # ...<br>
<br>
        def create(self, form):<br>
            domain = self.keystone.domains.get(config.os_project_domain_id)<br>
            project = self.keystone.projects.create(<br>
                form.name.data,<br>
                domain,<br>
                description=form.description.data,<br>
                enabled=False,  # will enable after configuring it<br>
                # ...<br>
            )<br>
            try:<br>
                response = self.neutron.create_security_group({<br>
                    'security_group': {<br>
                        'tenant_id': project.id,<br>
                        'name': 'default',  # works if I change to e.g. 'TEST'<br>
                        'description': "Default security group",<br>
                    }<br>
                })<br>
            except Conflict:<br>
                # security group already exists, fetch it<br>
                # `find_security_group_by_name()` is a small filter<br>
                # for `list_security_groups()` results<br>
                default_sg = find_security_group_by_name(self.neutron, project.id, 'default')<br>
            # ... do something with the sec group ...<br>
<br>
What am I doing wrong?<br>
<br>
Thanks,<br>
Riccardo<br>
<br>
--<br>
Riccardo Murri<br>
<a href="http://www.s3it.uzh.ch/about/team/#Riccardo.Murri" rel="noreferrer" target="_blank">http://www.s3it.uzh.ch/about/team/#Riccardo.Murri</a><br>
<br>
S3IT: Services and Support for Science IT<br>
University of Zurich<br>
Winterthurerstrasse 190, CH-8057 Zürich (Switzerland)<br>
<br>
Tel: <a href="tel:%2B41%2044%20635%204208" value="+41446354208">+41 44 635 4208</a><br>
Fax: <a href="tel:%2B41%2044%20635%206888" value="+41446356888">+41 44 635 6888</a><br>
<br>
</blockquote></div><br></div>
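The create-or-fetch pattern discussed in this thread, as an added example that is not code from either poster or from Neutron: it raises when creation reports a conflict but the group is missing from the listing, so a caller can leave the new project disabled instead of continuing without a configured security group. `ensure_security_group`, `SecurityGroupNotVisible` and `FakeNeutron` are hypothetical names, `Conflict` is a local stand-in for the client library's exception, and the body of `find_security_group_by_name` (named in the thread but not shown there) is an assumption, as is the `project_id` key.

```python
class Conflict(Exception):
    """Local stand-in for the client library's Conflict error (assumption)."""

class SecurityGroupNotVisible(Exception):
    """Create reported a conflict, yet the listing shows no such group."""

def find_security_group_by_name(neutron, project_id, name):
    """Return the project's group called `name`, or None if it is not listed."""
    for sg in neutron.list_security_groups()['security_groups']:
        # Accept either owner key; 'project_id' is assumed to mirror 'tenant_id'.
        owner = sg.get('project_id') or sg.get('tenant_id')
        if owner == project_id and sg['name'] == name:
            return sg
    return None

def ensure_security_group(neutron, project_id, name, conflict_exc=Conflict):
    """Create the group, or fetch it on conflict; never return None."""
    body = {'security_group': {'tenant_id': project_id, 'name': name,
                               'description': name + ' security group'}}
    try:
        return neutron.create_security_group(body)['security_group']
    except conflict_exc:
        sg = find_security_group_by_name(neutron, project_id, name)
        if sg is None:
            # The situation reported in the thread: fail loudly so the caller
            # keeps the project disabled rather than using an unset variable.
            raise SecurityGroupNotVisible(
                'security group %r exists for project %s but is not listed'
                % (name, project_id))
        return sg

class FakeNeutron(object):
    """Constructed in-memory client, used only to run the helper offline."""
    def __init__(self, listed, hidden_names=()):
        self.listed = list(listed)
        self.hidden_names = set(hidden_names)  # groups that exist but are not listed

    def list_security_groups(self):
        return {'security_groups': list(self.listed)}

    def create_security_group(self, body):
        sg = dict(body['security_group'], id='sg-%d' % (len(self.listed) + 1))
        taken = {s['name'] for s in self.listed
                 if s['tenant_id'] == sg['tenant_id']} | self.hidden_names
        if sg['name'] in taken:
            raise Conflict()
        self.listed.append(sg)
        return {'security_group': sg}
```

With the real client, pass its own conflict exception class as `conflict_exc`.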