[openstack-dev] [python-novaclient] Better wording for secgroup-*-default-rules? help text

melanie witt melwittt at gmail.com
Wed Mar 11 03:08:13 UTC 2015


On Mar 10, 2015, at 19:28, Chris St. Pierre <chris.a.st.pierre at gmail.com> wrote:

> Ah, look at that! In some other projects, flake8 complains about a docstring whose first line doesn't end in a period, so I didn't think it'd be possible. If you don't think that's excessively verbose, there'll be a patch in shortly. Thanks!

Oh, right -- I wasn't thinking about that. Probably it's not a restriction in novaclient because documentation is generated from the docstrings.

> That's precisely the confusion -- the security group name 'default' is, of course, a security group. But "the default security group," as referenced by the help text for these commands, is actually a sort of meta-security-group object that is only used to populate the 'default' security group in new tenants. It is not, in and of itself, an actual security group. That is, adding a new rule with 'nova secgroup-add-default-rules' has absolutely no effect on what network traffic is allowed between guests; it only affects new tenants created afterwards.

Got it. I learned a lot about the "default security group" in nova-network because of your email and bug. It's actually generated if it doesn't exist for a tenant when a server is created. If it's found, it's reused and thus won't pick up any default rules that had been added since it was created. And then you could get into particulars like deleting the 'default' group; then you would get all the freshest default rules the next time you create a server, even if your tenant isn't new. Really not easy to understand.

melanie (melwitt)
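
The behaviour described in this message, as a small Python model added here (not nova or novaclient code, and not written by anyone in the thread). The class and method names are hypothetical and the rules are constructed sample values; `stale_tenants` shows the check an operator would want after changing the default rules.

```python
from dataclasses import dataclass, field


@dataclass
class DefaultRulesModel:
    """Toy model of nova-network default rules (hypothetical names)."""
    # The "meta" object: a template of rules, not a security group itself.
    default_rules: set = field(default_factory=set)
    # tenant -> {group name -> set of rules}
    groups: dict = field(default_factory=dict)

    def add_default_rule(self, rule):
        # Models 'nova secgroup-add-default-rules': only the template changes.
        self.default_rules.add(rule)

    def create_server(self, tenant):
        # The tenant's 'default' group is generated only if it does not exist;
        # an existing group is reused and never refreshed from the template.
        tenant_groups = self.groups.setdefault(tenant, {})
        if "default" not in tenant_groups:
            tenant_groups["default"] = set(self.default_rules)
        return tenant_groups["default"]

    def delete_default_group(self, tenant):
        # After deletion, the next create_server() regenerates the group.
        self.groups.get(tenant, {}).pop("default", None)

    def stale_tenants(self):
        # Tenants whose 'default' group lacks a rule now in the template.
        return sorted(
            tenant for tenant, tenant_groups in self.groups.items()
            if "default" in tenant_groups
            and not self.default_rules <= tenant_groups["default"]
        )


# Constructed sample rules: (protocol, from_port, to_port, cidr)
SSH = ("tcp", 22, 22, "10.0.0.0/8")
ICMP = ("icmp", -1, -1, "10.0.0.0/8")

if __name__ == "__main__":
    model = DefaultRulesModel()
    model.add_default_rule(SSH)
    model.create_server("tenant-a")   # 'default' group created with SSH only
    model.add_default_rule(ICMP)      # template changes, tenant-a does not
    model.create_server("tenant-b")   # new tenant gets SSH and ICMP
    print("stale:", model.stale_tenants())
```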




