On 3/30/2016 5:50 PM, Armando M. wrote:


On 30 March 2016 at 13:40, Sean Dague <[email protected]> wrote:

    On 03/29/2016 09:55 PM, Matt Riedemann wrote:
    <snip>
    >
    > Yup, HenryG walked me through the cases on IRC today.
    >
    > The more I think about option (b) above, the less I like that idea given
    > how much work goes into the allocate_for_instance code in nova where
    > it's already building the list of possible networks that will be used
    > for creating/updating ports, we'd essentially have to duplicate that
    > logic in a separate method to get an idea of what security groups would
    > be applied.
    >
    > I'd prefer to be lazy and go with option (a) and just say nova doesn't
    > return security-groups in the REST API when creating a server and
    > neutron is the network API. That would require a microversion probably,
    > but it would still be easy to do. I'm not sure if that's the best user
    > experience though.
    >

    Is there a sane resource on the neutron side we could link to? Today
    security_groups are returned with a name from nova, which made sense
    when it was an internal structure, but makes way less sense now.

    "security_groups": [
        {
            "href": "...."
        }
    ]

    Where the link is to a neutron resource (and we could do a local link
    for the few nova net folks) might be more appropriate.


Not that I could think of, though the extra level of indirection to
solve this issue is kind of a neat idea.


             -Sean

    --
    Sean Dague
    http://dague.net

    __________________________________________________________________________
    OpenStack Development Mailing List (not for usage questions)
    Unsubscribe:
    [email protected]?subject:unsubscribe
    <http://[email protected]?subject:unsubscribe>
    http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev






Yeah, not really, see what we have to do to get the list of security groups for a given list of instances [1].

That builds a list of ports from the list of instances, then from the list of ports it builds a list of security groups mapped to each port, and then does some cleanup after that to make it look like nova-network security groups for the compute API response (as a side note, it seems like this is an area where we could do some performance optimizations by not pulling back all of the port / security group details, only get the fields we need).

Would we need to link to a neutron API? Could we just provide a link back to 'servers/<server uuid>/os-security-groups'?

[1] https://github.com/openstack/nova/blob/f8a01ccdffc13403df77148867ef3821100b5edb/nova/network/security_group/neutron_driver.py#L373

--

Thanks,

Matt Riedemann
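
Added example, not part of the original thread and not nova's code: a sketch of the ports-to-security-groups join described in the message above, next to the link form the thread proposes. The record shapes, sample values, function names, and the handling of missing or unnamed groups are assumptions of this sketch.

```python
"""Added sketch: map servers to security groups via their ports (constructed data)."""

# The only fields the join reads; everything else fetched per record is unused.
PORT_FIELDS = ("device_id", "security_groups")
SG_FIELDS = ("id", "name")

# Constructed sample records shaped like neutron port / security-group resources.
PORTS = [
    {"device_id": "server-a", "security_groups": ["sg-1", "sg-2"], "mac_address": "fa:16:3e:00:00:01"},
    {"device_id": "server-a", "security_groups": ["sg-2"], "mac_address": "fa:16:3e:00:00:02"},
    {"device_id": "server-b", "security_groups": ["sg-gone"], "mac_address": "fa:16:3e:00:00:03"},
    {"device_id": "server-c", "security_groups": ["sg-1"], "mac_address": "fa:16:3e:00:00:04"},
]
SECURITY_GROUPS = [
    {"id": "sg-1", "name": "default", "description": "constructed"},
    {"id": "sg-2", "name": "", "description": "constructed, unnamed"},
]


def only(record, fields):
    """Keep just the named fields, as a trimmed API response would."""
    return {key: record[key] for key in fields}


def groups_by_server(server_ids, ports, security_groups):
    """Return {server_id: [{'name': ...}, ...]}, the name-based form."""
    names = {sg["id"]: sg["name"] for sg in (only(s, SG_FIELDS) for s in security_groups)}
    result = {sid: [] for sid in server_ids}
    for port in (only(p, PORT_FIELDS) for p in ports):
        entries = result.get(port["device_id"])
        if entries is None:
            continue  # port belongs to a server that was not asked about
        for sg_id in port["security_groups"]:
            if sg_id not in names:
                continue  # sketch choice: skip a group missing from the second listing
            entry = {"name": names[sg_id] or sg_id}  # sketch choice: unnamed group shows its id
            if entry not in entries:
                entries.append(entry)  # one entry per group even if several ports carry it
    return result


def link_form(server_id):
    """Link-based alternative; the href target is the path suggested in the thread."""
    return {"security_groups": [{"href": f"servers/{server_id}/os-security-groups"}]}


if __name__ == "__main__":
    print(groups_by_server(["server-a", "server-b"], PORTS, SECURITY_GROUPS))
    print(link_form("server-a"))
```

The join still produces the same result after every record is trimmed to `PORT_FIELDS` and `SG_FIELDS`, which is the field-limiting optimization the message mentions.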

