neutron - default security group per tenant

asked 2015-04-28 14:39:33 -0600

bkopilov

updated 2015-04-28 14:46:17 -0600

SGPJ

Hi, I am running OpenStack with RHEL 7.1 and RHOS version 6 (Juno). The cloud supports Neutron (VXLAN). After install we have a default security group for the admin tenant, with 4 rules: two for v4 and two for v6.

[root@volume-lvm-os-7 ~(keystone_demo)]# neutron security-group-rule-show eeb39e81-62ea-43aa-b583-0e29916a268a

Example: (please note protocol is empty and remote_ip)

+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| direction         | ingress                              |
| ethertype         | IPv4                                 |
| id                | eeb39e81-62ea-43aa-b583-0e29916a268a |
| port_range_max    |                                      |
| port_range_min    |                                      |
| protocol          |                                      |
| remote_group_id   | 07420f78-c93b-4e1b-86d8-38ba31291959 |
| remote_ip_prefix  |                                      |
| security_group_id | 07420f78-c93b-4e1b-86d8-38ba31291959 |
| tenant_id         | 3d40ca08dad7461fa86e359138463147     |
+-------------------+--------------------------------------+

When we create a new tenant, it inherits these rules, but we could not ping or ssh to the instance. When I add the rule manually to the tenant, it works.

My question: Is there any way to change the default policy group for all tenants? I need the new tenant to inherit more rules. I did try to do it with the policy group for admin, adding rules, but the new tenant does not inherit these rules ....

Please assist,

Thanks, Benny


1 answer

0

answered 2015-04-29 15:30:47 -0600

jdexter

Benny, I believe the ability to set a default security group may be planned for Kilo. As of right now an administrator or user would need to change the default rules for each new tenant created. As an administrator I suggest scripting the behavior so that when you create a new tenant, you edit the default SG.

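The scripting approach suggested in the answer could look like the following. This is an added example, not code from the thread or from the OpenStack project. It assumes admin credentials are already sourced and the `neutron` CLI is on PATH; the function names and the sample source CIDR are hypothetical. Ingress is limited to a caller-supplied source CIDR rather than opened to every address.

```shell
#!/bin/sh
# Added example: give a new tenant's "default" security group ping and SSH
# ingress. Function names are hypothetical; run with admin credentials sourced.

# Print the id of the tenant's "default" security group, parsed from the
# ASCII table printed by `neutron security-group-list`. Fails if none matches.
default_sg_id() {
    tenant_id=$1
    neutron security-group-list -c id -c name -c tenant_id |
        awk -F'|' -v t="$tenant_id" '
            NF >= 5 {
                # Trim the padding around the id, name and tenant_id cells.
                for (i = 2; i <= 4; i++) gsub(/^ +| +$/, "", $i)
                if ($3 == "default" && $4 == t) { print $2; found = 1 }
            }
            END { exit !found }'
}

# Add ICMP and SSH (tcp/22) IPv4 ingress rules, limited to source CIDR $2.
allow_ping_ssh() {
    tenant_id=$1
    cidr=$2
    sg=$(default_sg_id "$tenant_id") || {
        echo "no default security group found for tenant $tenant_id" >&2
        return 1
    }
    neutron security-group-rule-create --tenant-id "$tenant_id" \
        --direction ingress --ethertype IPv4 --protocol icmp \
        --remote-ip-prefix "$cidr" "$sg" &&
    neutron security-group-rule-create --tenant-id "$tenant_id" \
        --direction ingress --ethertype IPv4 --protocol tcp \
        --port-range-min 22 --port-range-max 22 \
        --remote-ip-prefix "$cidr" "$sg"
}

# Run only when called with arguments:
#   ./tenant-default-sg.sh <tenant_id> <source_cidr>
# e.g. a management network such as 192.0.2.0/24 (constructed sample value).
if [ "$#" -ge 2 ]; then
    allow_ping_ssh "$1" "$2"
fi
```

Call it right after creating the tenant. It returns non-zero without changing anything if the tenant has no security group named default in the listing.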


Stats

Asked: 2015-04-28 14:39:33 -0600

Seen: 794 times

Last updated: Apr 29 '15