[openstack-dev] [nova][neutron] What to do about booting into port_security_enabled=False networks?

Matt Riedemann mriedem at linux.vnet.ibm.com
Thu Mar 31 02:42:24 UTC 2016



On 3/30/2016 5:50 PM, Armando M. wrote:
>
>
> On 30 March 2016 at 13:40, Sean Dague <sean at dague.net
> <mailto:sean at dague.net>> wrote:
>
>     On 03/29/2016 09:55 PM, Matt Riedemann wrote:
>     <snip>
>     >
>     > Yup, HenryG walked me through the cases on IRC today.
>     >
>     > The more I think about option (b) above, the less I like that idea given
>     > how much work goes into the allocate_for_instance code in nova where
>     > it's already building the list of possible networks that will be used
>     > for creating/updating ports, we'd essentially have to duplicate that
>     > logic in a separate method to get an idea of what security groups would
>     > be applied.
>     >
>     > I'd prefer to be lazy and go with option (a) and just say nova doesn't
>     > return security-groups in the REST API when creating a server and
>     > neutron is the network API. That would require a microversion probably,
>     > but it would still be easy to do. I'm not sure if that's the best user
>     > experience though.
>     >
>
>     Is there a sane resource on the neutron side we could link to? Today
>     security_groups are returned with a name from nova, which made sense
>     when it was an internal structure, but makes way less sense now.
>
>     "security_groups": [
>             {
>                      "href": "....",
>              }
>     ]
>
>     Where the link is to a neutron resource (and we could do a local link
>     for the few nova net folks) might be more appropriate.
>
>
> Not that I could think of, though the extra level of indirection to
> solve this issue is kind of a neat idea.
>
>
>              -Sean
>
>     --
>     Sean Dague
>     http://dague.net
>
>     __________________________________________________________________________
>     OpenStack Development Mailing List (not for usage questions)
>     Unsubscribe:
>     OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>     <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
>
>

Yeah, not really, see what we have to do to get the list of security 
groups for a given list of instances [1].

That builds a list of ports from the list of instances, then from the 
list of ports it builds a list of security groups mapped to each port, 
and then does some cleanup after that to make it look like nova-network 
security groups for the compute API response (as a side note, it seems 
like this is an area where we could do some performance optimizations by 
not pulling back all of the port / security group details, only get the 
fields we need).

Would we need to link to a neutron API? Could we just provide a link 
back to 'servers/<server uuid>/os-security-groups'?

[1] 
https://github.com/openstack/nova/blob/f8a01ccdffc13403df77148867ef3821100b5edb/nova/network/security_group/neutron_driver.py#L373

-- 

Thanks,

Matt Riedemann
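The walk Matt describes above (instances -> ports -> security groups -> a nova-network shaped response), as an added example that is not nova's code. The port and security-group data are constructed, `list_ports` is a stand-in for the Neutron client's port listing, and the field names follow the Neutron port API (`device_id`, `security_groups`, `port_security_enabled`).

```python
"""Added example (not nova's neutron_driver): build per-instance security
group lists from Neutron ports, on constructed sample data."""
from collections import defaultdict

# Constructed Neutron-side state: inst-a has two ports with groups, inst-b
# sits on a network with port security disabled, so its port has no groups.
PORTS = [
    {"id": "p1", "device_id": "inst-a", "security_groups": ["sg-1", "sg-2"],
     "port_security_enabled": True, "mac_address": "fa:16:3e:00:00:01"},
    {"id": "p2", "device_id": "inst-a", "security_groups": ["sg-1"],
     "port_security_enabled": True, "mac_address": "fa:16:3e:00:00:02"},
    {"id": "p3", "device_id": "inst-b", "security_groups": [],
     "port_security_enabled": False, "mac_address": "fa:16:3e:00:00:03"},
]
SEC_GROUPS = {"sg-1": "default", "sg-2": "web"}  # constructed id -> name


def list_ports(device_ids, fields):
    """Stand-in for the Neutron port list call. Returning only the requested
    fields is the 'only get the fields we need' optimization from the mail."""
    return [{k: p[k] for k in fields}
            for p in PORTS if p["device_id"] in device_ids]


def security_groups_for_instances(instance_ids):
    """Map each instance id to a nova-network style list of {'name': ...}
    dicts built from the security groups on that instance's ports."""
    ports = list_ports(set(instance_ids),
                       fields=["device_id", "security_groups"])
    # Step 1: instances -> ports -> set of security group ids per instance.
    sg_ids_by_instance = defaultdict(set)
    for port in ports:
        sg_ids_by_instance[port["device_id"]].update(port["security_groups"])
    # Step 2: resolve ids to names and shape the result like nova-network.
    # An instance whose ports carry no groups (port_security_enabled=False)
    # gets an empty list rather than an error.
    result = {}
    for iid in instance_ids:
        names = sorted(SEC_GROUPS[sg] for sg in sg_ids_by_instance.get(iid, ()))
        result[iid] = [{"name": n} for n in names]
    return result


if __name__ == "__main__":
    print(security_groups_for_instances(["inst-a", "inst-b"]))
```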
