An existing port's port security cannot be disabled after activation of the port-security feature in OSP 7

Solution In Progress - Updated -


In OSP 7, after the port-security feature is activated on the controllers, port security cannot be disabled on a port that already existed. The reason is that the portsecuritybindings table in the MySQL ovs_neutron database is populated only when a port is created, not when a port is updated, so pre-existing ports have no entry in it. Manually inserting the missing entry into this table fixes the issue.

How to reproduce:

Set on all controllers:

[root@overcloud-controller-0 ~]# grep port_sec /etc/neutron/plugins/ml2/ml2_conf.ini 
extension_drivers = port_security

Restart neutron server

pcs resource restart neutron-server-clone

(in fact, restarting all resources with pcs resource restart rabbitmq-clone was tried as well)

Update an existing port

[stack@undercloud-7 ~]$ neutron port-update bcaedbdc-0b2d-48f8-8f5b-3c93b234b030 --port_security_enabled=false
Updated port: bcaedbdc-0b2d-48f8-8f5b-3c93b234b030

Verify this port

[stack@undercloud-7 ~]$ neutron port-show bcaedbdc-0b2d-48f8-8f5b-3c93b234b030  | grep secu
| port_security_enabled | True                                                                               |
| security_groups       | 456ab73e-118b-46bc-9450-faca924159f5

Verify in the database that the binding for this port was not created

MariaDB [ovs_neutron]> select * from portsecuritybindings where port_id = 'bcaedbdc-0b2d-48f8-8f5b-3c93b234b030' \G
Empty set (0.00 sec)
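
The manual insertion mentioned above could look like the following. This is an added example, not part of the original solution text. It assumes the table has the columns port_id and port_security_enabled, as in upstream Neutron's port security extension, and that the ports table has id, network_id and device_owner. The row is inserted with port security enabled (the value port-show reports), on the assumption that a later neutron port-update then changes the existing row.

```sql
-- Added example; column names are assumed from upstream Neutron's
-- port security extension (port_id, port_security_enabled).
USE ovs_neutron;

-- 1. Audit: ports created before the extension was enabled,
--    i.e. ports with no row in portsecuritybindings.
SELECT p.id, p.network_id, p.device_owner
FROM ports AS p
LEFT JOIN portsecuritybindings AS b ON b.port_id = p.id
WHERE b.port_id IS NULL;

-- 2. Create the missing row for the port used in this article, inside a
--    transaction so the result can be checked before it is committed.
START TRANSACTION;

INSERT INTO portsecuritybindings (port_id, port_security_enabled)
SELECT p.id, 1            -- 1 = enabled, the state port-show reports
FROM ports AS p
LEFT JOIN portsecuritybindings AS b ON b.port_id = p.id
WHERE p.id = 'bcaedbdc-0b2d-48f8-8f5b-3c93b234b030'
  AND b.port_id IS NULL;  -- inserts nothing if a row already exists

-- Exactly one row is expected for this port.
SELECT * FROM portsecuritybindings
WHERE port_id = 'bcaedbdc-0b2d-48f8-8f5b-3c93b234b030';

COMMIT;   -- or ROLLBACK if the SELECT shows anything unexpected
```

With the row in place, rerun the neutron port-update command and confirm the result with neutron port-show. Back up the database before editing Neutron tables by hand.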


Red Hat Enterprise Linux OpenStack Platform 7.0
