[openstack-dev] [Nova][Neutron] Allow passing security groups when attaching interfaces?

Jay Pipes jaypipes at gmail.com
Thu Jul 6 14:50:26 UTC 2017


On 07/06/2017 10:39 AM, Matt Riedemann wrote:
> On 7/6/2017 6:39 AM, Gary Kotton wrote:
>> Hi,
>>
>> When you attach an interface there are a number of options:
>>
>> 1. Pass an existing port
>>
>> 2. Pass a network
>>
>> In the second case a new port will be created and by default that will 
>> have the default security group.
>>
>> You could try the first option by attaching the security group to the 
>> port
>>
>> Thanks
>>
>> Gary
>>
>> *From: *Zhenyu Zheng <zhengzhenyulixi at gmail.com>
>> *Reply-To: *OpenStack List <openstack-dev at lists.openstack.org>
>> *Date: *Thursday, July 6, 2017 at 12:45 PM
>> *To: *OpenStack List <openstack-dev at lists.openstack.org>
>> *Subject: *[openstack-dev] [Nova][Neutron] Allow passing security 
>> groups when attaching interfaces?
>>
>> Hi,
>>
>> Our product has met this kind of problem, when we boot instances, we 
>> are allowed to pass security groups, and if we provided network id, 
>> ports with the sg we passed will be created and when we show 
>> instances, we can see security groups field of instance is the sg we 
>> provided. But when we attach again some new interfaces (using 
>> network_id), the newly added interfaces will be in the default 
>> security group.
>>
>> We are wondering, will it be better to allow passing security groups 
>> when attaching interfaces? or it is considered to be a proxy-api which 
>> we do not like?
> 
> I don't think we want this, it's more proxy orchestration that would 
> have to live in Nova. As Gary pointed out, if you want a non-default 
> security group, create the port in neutron ahead of time, associate the 
> non-default security group(s) and then attach that port to the server 
> instance in nova.

This +100.

Best,
-jay
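
The workflow recommended in this thread (create the port in Neutron with the non-default security groups, then attach that port through Nova), sketched as an added example that is not part of the original messages or of either project's code. The `send` callable, the `FakeCloud` stand-in and all IDs are assumptions constructed for illustration; the request bodies follow the Neutron port-create and Nova `os-interface` APIs.

```python
def port_create_request(network_id, security_group_ids):
    """Neutron POST /v2.0/ports body with the groups set at creation time."""
    if not security_group_ids:
        # Leaving the field out is what puts a new port in the default group.
        raise ValueError("at least one security group is required")
    return ("POST", "/v2.0/ports",
            {"port": {"network_id": network_id,
                      "security_groups": list(security_group_ids)}})


def interface_attach_request(server_id, port_id):
    """Nova POST /servers/{id}/os-interface body: pass port_id, never net_id."""
    return ("POST", f"/servers/{server_id}/os-interface",
            {"interfaceAttachment": {"port_id": port_id}})


def attach_with_security_groups(send, server_id, network_id, security_group_ids):
    """Create the port, confirm its groups, then attach it to the server."""
    port = send(*port_create_request(network_id, security_group_ids))["port"]
    # Verify before attaching so a port in the wrong groups never goes live.
    if set(port["security_groups"]) != set(security_group_ids):
        raise RuntimeError(f"port {port['id']} has groups {port['security_groups']}")
    return send(*interface_attach_request(server_id, port["id"]))["interfaceAttachment"]


class FakeCloud:
    """Constructed stand-in for Neutron and Nova so the example runs offline."""

    def __init__(self):
        self.calls = []

    def send(self, method, path, body):
        self.calls.append((method, path, body))
        if path == "/v2.0/ports":
            return {"port": {"id": "port-1", **body["port"]}}
        attachment = body["interfaceAttachment"]
        return {"interfaceAttachment": {"port_id": attachment["port_id"],
                                        "port_state": "ACTIVE"}}


if __name__ == "__main__":
    cloud = FakeCloud()
    print(attach_with_security_groups(cloud.send, "server-1", "net-1", ["sg-web"]))
    for call in cloud.calls:
        print(call)
```
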


