An existing port's port security cannot be disabled after activation of the port-security feature in OSP 7
Issue
In OSP 7, once the port-security feature has been activated on the controllers, port security cannot be disabled on a port that already existed. The reason is that the portsecuritybindings table in the ovs_neutron MySQL database is populated with a new entry only when a port is created, not when a port is updated. A manual insertion in this table fixes this issue easily.
How to reproduce:
Set on all controllers:
[root@overcloud-controller-0 ~]# grep port_sec /etc/neutron/plugins/ml2/ml2_conf.ini
extension_drivers = port_security
Restart neutron server
pcs resource restart neutron-server-clone
(in fact, restarting all resources with pcs resource restart rabbitmq-clone was tried as well)
Update an existing port
[stack@undercloud-7 ~]$ neutron port-update bcaedbdc-0b2d-48f8-8f5b-3c93b234b030 --port_security_enabled=false
Updated port: bcaedbdc-0b2d-48f8-8f5b-3c93b234b030
Verify this port
[stack@undercloud-7 ~]$ neutron port-show bcaedbdc-0b2d-48f8-8f5b-3c93b234b030 | grep secu
| port_security_enabled | True |
| security_groups | 456ab73e-118b-46bc-9450-faca924159f5
Verify in the database that the binding for this port was not created
MariaDB [ovs_neutron]> select * from portsecuritybindings where port_id = 'bcaedbdc-0b2d-48f8-8f5b-3c93b234b030' \G
Empty set (0.00 sec)
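The check above covers one port. The following added example (not part of the original article or of Red Hat's resolution) audits every port that has no binding row and shows one form the manual insertion could take. The columns ports.id, ports.name, ports.device_owner, ports.network_id and portsecuritybindings.port_security_enabled are assumed from the upstream Neutron schema; only portsecuritybindings.port_id appears in the article.

```sql
-- Added example. Run in the MariaDB client on a controller.
-- Assumed schema (upstream Neutron): ports(id, name, device_owner, network_id),
-- portsecuritybindings(port_id, port_security_enabled).
USE ovs_neutron;

-- 1. Audit: list every port that has no row in portsecuritybindings.
--    These are the ports created before extension_drivers = port_security
--    was set, i.e. the ports affected by this issue.
SELECT p.id, p.name, p.device_owner, p.network_id
FROM ports AS p
LEFT JOIN portsecuritybindings AS b ON b.port_id = p.id
WHERE b.port_id IS NULL
ORDER BY p.network_id, p.id;

-- 2. Count of affected ports, for a before/after comparison.
SELECT COUNT(*) AS ports_without_binding
FROM ports AS p
LEFT JOIN portsecuritybindings AS b ON b.port_id = p.id
WHERE b.port_id IS NULL;

-- 3. Manual insertion for the port used in the reproduction steps.
--    The value 1 matches what "neutron port-show" already reports (True),
--    so security groups and anti-spoofing filtering stay enforced.
--    Assumption: once the row exists, the neutron port-update command from
--    the reproduction steps can change the value through the API.
--    The LEFT JOIN guard makes the statement a no-op if a row already exists.
INSERT INTO portsecuritybindings (port_id, port_security_enabled)
SELECT p.id, 1
FROM ports AS p
LEFT JOIN portsecuritybindings AS b ON b.port_id = p.id
WHERE b.port_id IS NULL
  AND p.id = 'bcaedbdc-0b2d-48f8-8f5b-3c93b234b030';

-- 4. Re-run the article's verification query; it should now return one row.
SELECT * FROM portsecuritybindings
WHERE port_id = 'bcaedbdc-0b2d-48f8-8f5b-3c93b234b030' \G
```

Inserting 1 rather than 0 keeps the change to an unfiltered port going through the Neutron API, where it is logged and subject to policy, instead of being made directly in the database.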
Environment
Red Hat Enterprise Linux OpenStack Platform 7.0
