[openstack-dev] [neutron] - Changing the Neutron default security group rules

Gregory Haynes greg at greghaynes.net
Wed Mar 2 19:36:17 UTC 2016

Clearly, some operators and users disagree with the opinion that 'by
default security groups should closed off' given that we have several
large public providers who have changed these defaults (despite there
being no documented way to do so), and we have users in this thread
expressing that opinion. Given that, I am not sure there is any value
behind us expressing we have different opinions on what defaults should
be (let alone enforcing them by not allowing them to be configured)
unless there are some technical reasons beyond 'this is not what my
policy is, what my customers wants', etc. I also understand the goal of
trying to make clouds more similar for better interoperability (and I
think that is extremely important), but the reality is we have created
a situation where clouds are already not identical here in an even
worse, undocumented way because we are enforcing a certain set of
opinions here.

To me this is an extremely clear indication that at a minimum the
defaults should be configurable since discussion around them seems to
devolve into different opinions on security policies, and there is no
way we should be in the business of dictating that.

Cheers, Greg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160302/7d15ec16/attachment-0001.html>

More information about the OpenStack-dev mailing list