An existing port's port security cannot be disabled after activation of the port-security feature in OSP 7

Solution In Progress - Updated -

Issue

In OSP 7, after the port-security feature is activated on the controllers, port security cannot be disabled on a port that already existed. The reason is that the portsecuritybindings table in the ovs_neutron MySQL database is populated only when a port is created, not when a port is updated, so pre-existing ports have no entry in it. A manual insertion in this table fixes this issue easily.

How to reproduce:

Set on all controllers:

[root@overcloud-controller-0 ~]# grep port_sec /etc/neutron/plugins/ml2/ml2_conf.ini 
extension_drivers = port_security

Restart neutron server

pcs resource restart neutron-server-clone

(in fact, restarting all resources with pcs resource restart rabbitmq-clone was tried as well)

Update an existing port

[stack@undercloud-7 ~]$ neutron port-update bcaedbdc-0b2d-48f8-8f5b-3c93b234b030 --port_security_enabled=false
Updated port: bcaedbdc-0b2d-48f8-8f5b-3c93b234b030

Verify this port

[stack@undercloud-7 ~]$ neutron port-show bcaedbdc-0b2d-48f8-8f5b-3c93b234b030  | grep secu
| port_security_enabled | True                                                                               |
| security_groups       | 456ab73e-118b-46bc-9450-faca924159f5

Verify in the database that the binding for this port was not created

MariaDB [ovs_neutron]> select * from portsecuritybindings where port_id = 'bcaedbdc-0b2d-48f8-8f5b-3c93b234b030' \G
Empty set (0.00 sec)
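
The following is an added example, not part of the original article: it lists every port that lacks a binding row and backfills the row for the port used above. It assumes the upstream Neutron column names (ports.id, ports.name, ports.device_owner, portsecuritybindings.port_id, portsecuritybindings.port_security_enabled); confirm them with the DESCRIBE statement before running the rest.

```sql
-- Added example; run in the ovs_neutron database shown on this page.
-- Assumption: column names follow the upstream Neutron schema. Check first:
DESCRIBE portsecuritybindings;

-- 1. Audit: ports created before the extension driver was enabled have no
--    row in portsecuritybindings. List them so the scope is known.
SELECT p.id, p.name, p.device_owner
FROM ports AS p
LEFT JOIN portsecuritybindings AS b ON b.port_id = p.id
WHERE b.port_id IS NULL;

-- 2. Backfill the missing row for the port from the reproduction steps.
--    The row is inserted with port security ENABLED (1), which matches what
--    "neutron port-show" already reports, so the insert itself does not
--    change filtering on the port. The LEFT JOIN guard makes the statement
--    a no-op if a row already exists.
START TRANSACTION;

INSERT INTO portsecuritybindings (port_id, port_security_enabled)
SELECT p.id, 1
FROM ports AS p
LEFT JOIN portsecuritybindings AS b ON b.port_id = p.id
WHERE p.id = 'bcaedbdc-0b2d-48f8-8f5b-3c93b234b030'
  AND b.port_id IS NULL;

-- 3. Verify that exactly one row now exists before committing.
SELECT port_id, port_security_enabled
FROM portsecuritybindings
WHERE port_id = 'bcaedbdc-0b2d-48f8-8f5b-3c93b234b030';

COMMIT;
```

Once the row exists, repeat the neutron port-update command from the steps above so that the change to port_security_enabled is made through the Neutron API rather than directly in the database.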

Environment

Red Hat Enterprise Linux OpenStack Platform 7.0
