[Docs] Add info about how to use shared SG with VMs

This patch adds info about workaround how to spawn VM using Security Groups shared through RBAC mechanism in Neutron. Proper fix for that issue will require changes in the Neutron API and in Nova so will not be possible to backport. Related-bug: #1942615 Change-Id: Iadb3fe0ca8fa9c14ec2912016bd3912e5dcee5ff
2021-09-08 15:41:29 +02:00 · 2021-09-08 15:41:29 +02:00 · a383afa10f
commit a383afa10f
parent d1a89af312
1 changed files with 20 additions and 0 deletions
--- a/doc/source/admin/config-rbac.rst
+++ b/doc/source/admin/config-rbac.rst
@ -284,6 +284,26 @@ This process can be repeated any number of times to share a security-group
 with an arbitrary number of projects.


+Creating an instance which uses a security group shared through RBAC, but only
+specifying the network ID when calling Nova will not work currently. In such
+cases Nova will check if the given security group exists in Neutron before it
+creates a port in the given network. The problem with that is that Nova asks
+only for the security groups filtered by the project_id thus it will not get
+the shared security group back from the Neutron API. See `bug 1942615
+<https://bugs.launchpad.net/neutron/+bug/1942615>`__ for details.
+To workaround the issue, the user needs to create a port in Neutron first, and
+then pass that port to Nova:
+
+.. code-block:: console
+
+   $ openstack port create --network net1 --security-group
+   5ba835b7-22b0-4be6-bdbe-e0722d1b5f24 shared-sg-port
+
+   $ openstack server create --image cirros-0.5.1-x86_64-disk --flavor m1.tiny
+   --port shared-sg-port vm-with-shared-sg
+
+
+
 Sharing an address scope with specific projects
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~