Well, I'm maybe going back a little. AFAICT, security groups are Neutron-related, correct? So, when you create the port, you have to specify the groups it could be applying, right?
In that case, it's your responsibility to define security groups at the port creation, not when you ask to create the VM.

See https://docs.openstack.org/security-guide/networking/services-security-best-practices.html for the security groups best practices; it clearly states that Nova should only provide a proxy API for Neutron-based SGs.

I'm closing the bug as invalid as I don't think Nova should update security groups for pre-existing ports. That said, I think it would be a nice user experience to get an HTTP 400 when you pass both flags at the nova boot request (an existing port ID and security group IDs), as that situation can confuse people (and me first).

** Changed in: nova
       Status: In Progress => Invalid

** Changed in: nova
   Importance: Critical => Undecided

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1707319

Title:
  Security group doesn't apply to existing port

Status in OpenStack Compute (nova):
  Invalid

Bug description:
  Description
  ===========
  Create an instance with an existing port and a security group. The security group is ignored. The port's security group is not updated.

  Steps to reproduce
  ==================
  $ source /opt/stack/devstack/openrc demo demo
  $ openstack port create --network private vm-port
  $ PORT_ID=$(openstack port show vm-port | awk '/ id /{print $4}')
  $ openstack security group create vm-sg
  $ SG_ID=$(openstack security group show vm-sg | awk '/ id /{print $4}')
  $ openstack server create --flavor m1.tiny --nic port-id=$PORT_ID --security-group $SG_ID --image cirros-0.3.5-x86_64-disk vm
  $ openstack server show vm -c security_groups
  +-----------------+----------------+
  | Field           | Value          |
  +-----------------+----------------+
  | security_groups | name='default' |
  +-----------------+----------------+

  Expected result
  ===============
  I expect Nova to update the port's security group. For example, the security group should be updated as name='vm-sg' instead of name='default'.

  Actual result
  =============
  The specified security group is ignored. The port's security group is not updated (stays as 'default').

  Environment
  ===========
  $ git log -1
  commit 2fbac08c0686e92aaee65f24bf2958db6a451046
  Author: Stephen Finucane <[email protected]>
  Date:   Mon Jun 26 11:14:55 2017 +0100

      Add missing microversion documentation

      Part of blueprint placement-project-user

      Change-Id: I9d77649e7e02f0ace5546e42e04122162ec5661f

  hypervisor: Libvirt + KVM
  Networking type: Neutron
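
The situation discussed in this thread (a boot request that names both an existing port and security groups) can be caught before the request is sent. The following is an added example, not code from Nova or from anyone in this thread: a client-side pre-flight check over a "create server" request body that reports which requested groups would not end up on the pre-existing port. The port and group IDs and the function names are constructed for illustration, and it flags only groups actually missing from the port, which is narrower than rejecting every request that passes both.

```python
"""Pre-flight check for a Nova 'create server' request body (added example)."""

# Constructed sample data: IDs are placeholders, not values from the bug report.
PORTS = {  # Neutron port ID -> security group IDs currently bound to the port
    "port-1111": ["sg-default"],
    "port-2222": ["sg-default", "sg-web"],
}

SAMPLE_REQUEST = {  # constructed request mirroring the reproduction steps
    "server": {
        "name": "vm",
        "networks": [{"port": "port-1111"}],
        "security_groups": [{"name": "sg-vm"}],
    }
}


def requested_groups(body):
    """Security groups named in the boot request ('security_groups' list)."""
    return [sg["name"] for sg in body["server"].get("security_groups", [])]


def preflight(body, ports):
    """Return one finding per pre-existing port that lacks a requested group.

    For networks given as {"port": <id>} the request's security groups are not
    applied, so any requested group missing from the port is silently ignored.
    """
    wanted = requested_groups(body)
    findings = []
    for nic in body["server"].get("networks", []):
        # "networks" may also be a string such as "auto"; skip non-dict entries.
        port_id = nic.get("port") if isinstance(nic, dict) else None
        if port_id is None or not wanted:
            continue  # Nova creates the port itself, or no group was requested
        if port_id not in ports:
            findings.append({"port": port_id, "error": "unknown port"})
            continue
        bound = ports[port_id]
        ignored = [sg for sg in wanted if sg not in bound]
        if ignored:
            findings.append({"port": port_id, "ignored": ignored, "bound": bound})
    return findings


def http_status(findings):
    """400 when the request mixes an existing port with groups it will not get."""
    return 400 if findings else 202
```
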

