port-security can't be disabled if security groups are not enabled
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Fix Released | High | Armando Migliaccio | |
Bug Description
If ml2 has settings
[DEFAULT]
extension_drivers = port_security
[securitygroup]
enable_
and one is trying to disable port-security on a given port, he/she will fail:
neutron port-update fad58638-
Port has security group associated. Cannot disable port security or ip address until security group is removed
Neutron server returns request_ids: ['req-12cd8a70-
At the same time there is no way to use
neutron port-update fad58638-
:
Unrecognized attribute(s) 'security_groups'
Neutron server returns request_ids: ['req-1d2227c6-
This causes drastic inconvenience for administrators who run OpenStack with disabled security groups: to disable port security one ought to disable security group on the same port, and is forced to enable security group on server just to disable security group on the port.
Version: 8.3 (mitaka).
description: updated
tags: added: sg-fw
Changed in neutron: status: Confirmed → Triaged
Changed in neutron: assignee: nobody → Armando Migliaccio (armando-migliaccio)
In the config (enable_security_group = False), neutron doesn't expect users to control security groups via the Neutron API. Can you remove the security group via the Nova API and disable port-security?