Comment 1 for bug 1594242

I like the idea.

I assume it won't be a big problem when upgrading (eg, no security group, then added security group, especially for cleaning which could take a long time to finish.)

I am not crazy about the proposed configuration options. I see that our existing conf options under [neutron] group are 'provisioning_network_uuid' and 'cleaning_network_uuid'. I initially thought about using the same config for both the network uuid and the security group, eg the value could be '<network-uuid>:<security-group-uuid>' but maybe that would be too confusing.

To me, the proposed 'provisioning_network_sg_uuid' hides the important part, the security group. Is 'sg' a well known abbreviation for 'security group'? How about 'provision_net_security_group' or 'security-group-for-provisioning'? 'provision-security-group'? [I don't think 'uuid' needs to be in the config name.]