[openstack-dev] [Nova][Neutron] Allow passing security groups when attaching interfaces?
jaypipes at gmail.com
Thu Jul 6 14:50:26 UTC 2017
On 07/06/2017 10:39 AM, Matt Riedemann wrote:
> On 7/6/2017 6:39 AM, Gary Kotton wrote:
>> When you attach an interface there are a number of options:
>> 1. Pass a existing port
>> 2. Pass a network
>> In the second case a new port will be created and by default that will
>> have the default security group.
>> You could try the first option by attaching the security group to the
>> *From: *Zhenyu Zheng <zhengzhenyulixi at gmail.com>
>> *Reply-To: *OpenStack List <openstack-dev at lists.openstack.org>
>> *Date: *Thursday, July 6, 2017 at 12:45 PM
>> *To: *OpenStack List <openstack-dev at lists.openstack.org>
>> *Subject: *[openstack-dev] [Nova][Neutron] Allow passing security
>> groups when attaching interfaces?
>> Our product has meet this kind of problem, when we boot instances, we
>> are allowed to pass security groups, and if we provided network id,
>> ports with the sg we passed will be created and when we show
>> instances, we can see security groups field of instance is the sg we
>> provided. But when we attach again some new interfaces(using
>> network_id), the newly added interfaces will be in the default
>> security group.
>> We are wondering, will it be better to allow passing security groups
>> when attaching interfaces? or it is considered to be a proxy-api which
>> we do not like?
> I don't think we want this, it's more proxy orchestration that would
> have to live in Nova. As Gary pointed out, if you want a non-default
> security group, create the port in neutron ahead of time, associate the
> non-default security group(s) and then attach that port to the server
> instance in nova.
More information about the OpenStack-dev