Listing instances that use a security group
Hi all, is there a CLI command to list all the VMs that have a specific security group attached? I need to delete some groups as a tidy up but I only get a warning that it's in use by an instance (of which there's 200), so I'd rather not go through them 1 by 1 in Horizon or show each one on the CLI separately. An SQL query would be acceptable also, but nova db, select * from security_groups; select * from instances; & select * from security_group_instance_association; doesn't give me the required results that I can refine to search deeper. Thanks in advance for any info. Regards, Derek
So security groups are a Neutron concept with some legacy support in Nova.
The way I would approach this is to list all ports via the Neutron API/CLI that have the security group associated with it, then extract the device-id from the port, which is the Nova server UUID.
Looking at https://docs.openstack.org/api-ref/network/v2/index.html?expanded=list-ports...
security group does not appear to be one of the request parameters of the port list API; however, security_groups is supported by osc, so not sure if the API doc is out of date.
So you should be able to do this:
openstack port list --security-group <sec group uuid>
You should technically be able to use -c device_id to get the list of VM UUIDs from that set of ports, but I'm not sure that the openstack client will correctly include the device_id field in the API request in that case.
openstack port list --security-group <sec group uuid> -c device_id -f value | sort | uniq
should print a list of unique server UUIDs using that security group if the openstack client is correctly asking for the device_id field to be returned as part of the request. It is part of the port list API response by default.
So you might need to use --debug to get the API request URL and then use curl to call the API directly if the client does not support this properly.
On Tue, 2022-07-05 at 14:38 +0000, Derek O keeffe wrote:
Hi all, is there a CLI command to list all the VMs that have a specific security group attached? I need to delete some groups as a tidy up but I only get a warning that it's in use by an instance (of which there's 200), so I'd rather not go through them 1 by 1 in Horizon or show each one on the CLI separately. An SQL query would be acceptable also, but nova db, select * from security_groups; select * from instances; & select * from security_group_instance_association; doesn't give me the required results that I can refine to search deeper. Thanks in advance for any info. Regards, Derek
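As an added example (not part of the original thread): if the client cannot return device_id together with the security group filter, the port list response body fetched directly from the API can be filtered locally. The sample response and every ID in it are constructed; the function name is hypothetical, while device_id, device_owner and security_groups are fields of the Neutron port object. It goes one step beyond the thread by also reporting ports that reference the group without belonging to a server, since those also count as uses of the group.

```python
import json

# Constructed sample of a Neutron "list ports" response body, trimmed to the
# fields used here. Every ID below is made up for illustration.
SAMPLE_PORTS_JSON = """
{"ports": [
  {"id": "port-1", "device_id": "11111111-aaaa-4000-8000-000000000001",
   "device_owner": "compute:nova", "security_groups": ["sg-old", "sg-default"]},
  {"id": "port-2", "device_id": "11111111-aaaa-4000-8000-000000000001",
   "device_owner": "compute:nova", "security_groups": ["sg-old"]},
  {"id": "port-3", "device_id": "22222222-bbbb-4000-8000-000000000002",
   "device_owner": "compute:az1", "security_groups": ["sg-default"]},
  {"id": "port-4", "device_id": "dhcp-xyz",
   "device_owner": "network:dhcp", "security_groups": []},
  {"id": "port-5", "device_id": "",
   "device_owner": "", "security_groups": ["sg-old"]}
]}
"""


def usage_of_group(ports_body, sg_id):
    """Return (server_uuids, other_port_ids) for ports that carry sg_id.

    server_uuids: sorted, de-duplicated device_id values of ports owned by
    a compute instance (device_owner starts with "compute:").
    other_port_ids: ports that reference the group but are unbound or owned
    by something else; they need detaching before the group can go too.
    """
    servers, others = set(), []
    for port in json.loads(ports_body)["ports"]:
        if sg_id not in port.get("security_groups", []):
            continue
        owner = port.get("device_owner") or ""
        if owner.startswith("compute:") and port.get("device_id"):
            servers.add(port["device_id"])  # a server with 2 ports counts once
        else:
            others.append(port["id"])
    return sorted(servers), others


if __name__ == "__main__":
    servers, others = usage_of_group(SAMPLE_PORTS_JSON, "sg-old")
    print("servers:", servers)
    print("other ports:", others)
```
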
Hi Sean, Thanks for that. I will try tomorrow and let you know how it went. Regards, Derek
On 5 Jul 2022, at 16:42, Sean Mooney <smooney@redhat.com> wrote:
So security groups are a Neutron concept with some legacy support in Nova.
The way I would approach this is to list all ports via the Neutron API/CLI that have the security group associated with it, then extract the device-id from the port, which is the Nova server UUID.
Looking at https://docs.openstack.org/api-ref/network/v2/index.html?expanded=list-ports...
security group does not appear to be one of the request parameters of the port list API; however, security_groups is supported by osc, so not sure if the API doc is out of date.
So you should be able to do this:
openstack port list --security-group <sec group uuid>
You should technically be able to use -c device_id to get the list of VM UUIDs from that set of ports, but I'm not sure that the openstack client will correctly include the device_id field in the API request in that case.
openstack port list --security-group <sec group uuid> -c device_id -f value | sort | uniq
should print a list of unique server UUIDs using that security group if the openstack client is correctly asking for the device_id field to be returned as part of the request. It is part of the port list API response by default.
So you might need to use --debug to get the API request URL and then use curl to call the API directly if the client does not support this properly.
On Tue, 2022-07-05 at 14:38 +0000, Derek O keeffe wrote: Hi all, is there a CLI command to list all the VMs that have a specific security group attached? I need to delete some groups as a tidy up but I only get a warning that it's in use by an instance (of which there's 200), so I'd rather not go through them 1 by 1 in Horizon or show each one on the CLI separately. An SQL query would be acceptable also, but nova db, select * from security_groups; select * from instances; & select * from security_group_instance_association; doesn't give me the required results that I can refine to search deeper. Thanks in advance for any info. Regards, Derek