What's the point in limiting the number of security groups per tenant in OpenStack?

Franck Dernoncourt asked:

By default, a tenant (1) can only create 10 security groups (2). Is there any reason to keep this number so low?

(1) http://docs.openstack.org/grizzly/openstack-compute/admin/content//users-and-projects.html:

Legacy terminology: earlier versions of OpenStack used the term
“project” instead of “tenant”.

(2) http://docs.openstack.org/user-guide-admin/content/cli_set_quotas.html:

$ nova quota-defaults
+-----------------------------+-------+
| Quota                       | Limit |
+-----------------------------+-------+
| instances                   | 10    |
| cores                       | 20    |
| ram                         | 51200 |
| floating_ips                | 10    |
| fixed_ips                   | -1    |
| metadata_items              | 128   |
| injected_files              | 5     |
| injected_file_content_bytes | 10240 |
| injected_file_path_bytes    | 255   |
| key_pairs                   | 100   |
| security_groups             | 10    |
| security_group_rules        | 20    |
+-----------------------------+-------+

My answer:


The most obvious effect is to keep firewall rules to a manageable level, which does not have a significant impact on performance. At a certain point, you may end up with too many firewall rules and not enough CPU to process them quickly enough. The default limits may seem low, but they’re sufficient for most people, who will never create more than a few security groups with perhaps half a dozen rules each.


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.