SovereignCloudStack / standards

SCS standards in a machine readable format
https://scs.community/
Creative Commons Attribution Share Alike 4.0 International

Create scs-XXXX-v1-default-rules-for-security-groups.md #525

Closed josephineSei closed 3 months ago

josephineSei commented 6 months ago

closes https://github.com/SovereignCloudStack/standards/issues/521

josephineSei commented 6 months ago

While trying some of the parameters of the create command for default security groups, I found the following:

stack@devstack:~/devstack$ openstack default security group rule create --egress --ethertype IPv4 --for-custom-sg
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| description             |                                      |
| direction               | egress                               |
| ether_type              | IPv4                                 |
| id                      | 4e296fa3-4c7e-4883-9275-b6ff5374adda |
| port_range_max          | None                                 |
| port_range_min          | None                                 |
| protocol                | None                                 |
| remote_address_group_id | None                                 |
| remote_group_id         | None                                 |
| remote_ip_prefix        | 0.0.0.0/0                            |
| used_in_default_sg      | False                                |
| used_in_non_default_sg  | True                                 |
+-------------------------+--------------------------------------+
stack@devstack:~/devstack$ openstack default security group rule create --ingress --ethertype IPv4 --for-default-sg
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| description             |                                      |
| direction               | ingress                              |
| ether_type              | IPv4                                 |
| id                      | 75707673-60d9-482c-8ebd-ada851e25718 |
| port_range_max          | None                                 |
| port_range_min          | None                                 |
| protocol                | None                                 |
| remote_address_group_id | None                                 |
| remote_group_id         | None                                 |
| remote_ip_prefix        | 0.0.0.0/0                            |
| used_in_default_sg      | True                                 |
| used_in_non_default_sg  | True                                 |
+-------------------------+--------------------------------------+

I thought that when providing only the --for-default-sg parameter without --for-custom-sg, the rule would only be applied to the default SG. But this does not seem to be the case. The debug output of the last command shows the API call:

....
REQ: curl -g -i -X POST http://192.168.23.238:9696/networking/v2.0/default-security-group-rules -H "Content-Type: application/json" -H "User-Agent: openstacksdk/2.1.0 keystoneauth1/5.5.0 python-requests/2.31.0 CPython/3.10.12" -H "X-Auth-Token: {SHA256}d59244f2b7304d41d023a86b2c4b52040a170aaf21fe7a792ec5ec448c8a56b6" -d '{"default_security_group_rule": {"remote_ip_prefix": "0.0.0.0/0", "used_in_default_sg": true, "ethertype": "IPv4", "protocol": null, "direction": "ingress", "used_in_non_default_sg": true}}'
Starting new HTTP connection (1): 192.168.23.238:9696
http://192.168.23.238:9696 "POST /networking/v2.0/default-security-group-rules HTTP/1.1" 201 360
RESP: [201] Connection: keep-alive Content-Length: 360 Content-Type: application/json Date: Tue, 19 Mar 2024 12:18:47 GMT X-Openstack-Request-Id: req-b2cd99e7-b20a-4e08-89a2-f5c13b2704ea
RESP BODY: {"default_security_group_rule": {"id": "f5bbf703-4a1c-4fa8-b37b-e5df2159516a", "ethertype": "IPv4", "direction": "ingress", "protocol": null, "port_range_min": null, "port_range_max": null, "remote_ip_prefix": "0.0.0.0/0", "remote_address_group_id": null, "remote_group_id": null, "description": "", "used_in_default_sg": true, "used_in_non_default_sg": true}}
....

This is a client-specific behavior, as the default for the --for-custom-sg parameter is true: https://github.com/openstack/python-openstackclient/blob/2f9a523765ca99c9ef9a6968e430bab102f3208d/openstackclient/network/v2/default_security_group_rule.py#L145
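As an added example (not part of this PR or the SCS repository), a small audit over a constructed list of default security group rules, shaped like the RESP BODY above, that flags ingress-from-anywhere rules and rules which, because of the client default just described, ended up attached to both the default and custom SGs. The list wrapper key, the rule ids and the remote group placeholder are assumptions for the sample input.

```python
import ipaddress
import json

# Constructed sample input. Each entry has the same fields as the RESP BODY
# in the PR comment; the wrapper key mirrors the list endpoint (assumed).
SAMPLE_RESPONSE = json.dumps({"default_security_group_rules": [
    {"id": "rule-egress-any", "ethertype": "IPv4", "direction": "egress",
     "protocol": None, "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None,
     "used_in_default_sg": False, "used_in_non_default_sg": True},
    {"id": "rule-ingress-any", "ethertype": "IPv4", "direction": "ingress",
     "protocol": None, "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None,
     "used_in_default_sg": True, "used_in_non_default_sg": True},
    {"id": "rule-ingress-group", "ethertype": "IPv6", "direction": "ingress",
     "protocol": None, "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": None, "remote_group_id": "REMOTE_GROUP_PLACEHOLDER",
     "used_in_default_sg": True, "used_in_non_default_sg": False},
]})


def is_any_source(rule):
    """True when the rule matches traffic from every address (0.0.0.0/0, ::/0,
    or no remote restriction at all) rather than from a specific remote group."""
    if rule.get("remote_group_id") or rule.get("remote_address_group_id"):
        return False
    prefix = rule.get("remote_ip_prefix")
    if prefix is None:
        return True  # no prefix and no group: nothing limits the source
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def audit_default_rules(response_json):
    """Return (rule id, finding) pairs a reviewer of default SG rules should look at."""
    findings = []
    for rule in json.loads(response_json)["default_security_group_rules"]:
        # "open ingress": any protocol, any port, from any source
        open_ingress = (rule["direction"] == "ingress" and rule["protocol"] is None
                        and rule["port_range_min"] is None and is_any_source(rule))
        if open_ingress and rule["used_in_default_sg"]:
            findings.append((rule["id"], "ingress any/any from anywhere on the default SG"))
        if open_ingress and rule["used_in_non_default_sg"]:
            findings.append((rule["id"], "ingress any/any from anywhere on custom SGs"))
        if rule["used_in_default_sg"] and rule["used_in_non_default_sg"]:
            # the symptom of the --for-custom-sg client default described above
            findings.append((rule["id"], "applies to both default and custom SGs"))
    return findings
```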

josephineSei commented 6 months ago

I talked to upstream and found a bug report for this and a patch, which already fixes this behavior.
Bug report: https://bugs.launchpad.net/python-openstackclient/+bug/2054629
Patch: https://review.opendev.org/c/openstack/python-openstackclient/+/909815

My chat with the Neutron guys made some cores approve this patch and it will be merged :D

josephineSei commented 5 months ago

The standard's filename should be changed to fill in the document number before merging.

We will do this as soon as we can merge it. But right now, while there is still discussion, we might use a number that is then already taken by another standard.

josephineSei commented 5 months ago

@markus-hentsch, @horazont, could you please review, and @markus-hentsch test this standard? Thank you

josephineSei commented 4 months ago

Re-raising this: @markus-hentsch and @horazont, I adjusted the tests and the wording. Could you please review this again?