port-security can't be disabled if security groups are not enabled

In the config(enable_security_group = False), neutron doesn't expect users controls security-group by Neutron API. Can you remove security-group by Nova API and disable port-security?

That's a problem. We need to disable port security on few ports. Neutron rejects requests to disable port security complaining there is an security group in the port (it is invisible in neutron port-show but visible in database). We tried to disable security group and got error.

It is now a rather silly way to disable port security:

enable security groups in neutron-server.
disable security group in port
disable security groups in neutron-server.
disable port-security.

It sounds like you found an incompatible combination of services that did not rejected: port_security extension and security groups go hand in hand. You can't really have one without the other (and nor it makes sense).

Personally I feel that option enable_security_group has outlived its life, as port_security = False has the same objective, but it's API driver, rather than config-driven.

We should consider deprecating the config option in favor of having the admin disabling port security on a network if he/she does not want packet filtering.

This means we may want to have port_security something that is *not* tunable, but always available in any deployment.

It's perfectly valid case to have installation without security groups but with port security. Port security protects environment from forged traffic from guests, and security groups protects guests from incoming traffic.

For most cases default behavior is fine, but when we want to disable port security for some ports because (regardless of been disabled) there is a default security group on the port we can't remove (because security groups are disabled).

From today's drivers meeting, this is probably something that needs more discussion especially if it may involve potential upgrade issues.

Since the option still exists and its not deprecated, I think it's good to treat this as a regular bug to allow port security to be disabled when the security groups aren't.

Fix proposed to branch: master
Review: https://review.openstack.org/466158

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/466427

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/466428

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: stable/newton
Review: https://review.openstack.org/466428

Reviewed: https://review.openstack.org/466158
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b4687b235fd95d041f419fecda6bc93202699148
Submitter: Jenkins
Branch: master

commit b4687b235fd95d041f419fecda6bc93202699148
Author: Armando Migliaccio <email address hidden>
Date: Thu May 18 19:52:47 2017 -0700

    Allow port security updates even without security-groups enabled

    Port security is useful to enforce anti-spoofing rules, and
    those can operate even in the absence of security groups.

    This patch alters the existing code path to allow port_update
    operations even when the admin disables security_groups from
    the deployment.

    Closes-bug: 1658682

    Change-Id: If1d9a662e362639798ad93ff06d820852b0f0c99

Reviewed: https://review.openstack.org/466428
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7cfa85865822f7930e4617c80710f5eb59f5a7a3
Submitter: Jenkins
Branch: stable/newton

commit 7cfa85865822f7930e4617c80710f5eb59f5a7a3
Author: Armando Migliaccio <email address hidden>
Date: Thu May 18 19:52:47 2017 -0700

    Allow port security updates even without security-groups enabled

    Port security is useful to enforce anti-spoofing rules, and
    those can operate even in the absence of security groups.

    This patch alters the existing code path to allow port_update
    operations even when the admin disables security_groups from
    the deployment.

    Closes-bug: 1658682

    (cherry picked from commit e49edd7ec32e302df7db44194076a55fd2b5d309)
    Change-Id: If1d9a662e362639798ad93ff06d820852b0f0c99

Reviewed: https://review.openstack.org/466427
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=dc8ef03d218aae56e4b348d0a2061a781c95c076
Submitter: Jenkins
Branch: stable/ocata

commit dc8ef03d218aae56e4b348d0a2061a781c95c076
Author: Armando Migliaccio <email address hidden>
Date: Thu May 18 19:52:47 2017 -0700

    Allow port security updates even without security-groups enabled

    Port security is useful to enforce anti-spoofing rules, and
    those can operate even in the absence of security groups.

    This patch alters the existing code path to allow port_update
    operations even when the admin disables security_groups from
    the deployment.

    Closes-bug: 1658682

    (cherry picked from commit e49edd7ec32e302df7db44194076a55fd2b5d309)
    Change-Id: If1d9a662e362639798ad93ff06d820852b0f0c99

This issue was fixed in the openstack/neutron 9.4.0 release.

This issue was fixed in the openstack/neutron 10.0.2 release.

This issue was fixed in the openstack/neutron 11.0.0.0b2 development milestone.