security group extension should be disabled when Noop Firewall driver is used

Akihiro, I don't follow what you're saying. Are you saying that when Nova has the NoopFirewallDriver things don't work?

IMO, his suggestion is to disable security group api handling if security-group is noop in quantum.
so currently, even if we set noop in quantum, users create security groups and assign it ports, this looks confusing.

No need in G-3.

This is quantum side issue. The default value of iptables firewall driver is NoopFirewall driver, so there is a case where quantum security group extension is enabled but security gropus actually does nothing.
My suggestion is to make quantum secgroup extension is disabled and remove it from ext-list (which can be checked from CLI) for such case.

got it, i thought you were talking about the nova flag. its not clear why
quantum has a NOOP option at all :)

On Wed, Feb 20, 2013 at 10:09 AM, Akihiro Motoki <<email address hidden>
> wrote:

> ** Description changed:
>
> - When Noop Firewall driver is used, Quantum security group actually does
> - nothing. It would be better to disable security group extension for such
> - case to avoid confusion. By doing it, we can determine whether quantum
> - security group is enabled by checking the extension list.
> + When Quantum Noop Firewall driver is used as firewall_driver (this
> + option is defined in quantum.agent.securitygroups_rpc.py), Quantum
> + security group actually does nothing even if Quantum security group
> + extension is enabled. It would be better to disable security group
> + extension for such case to avoid confusion. By doing it, we can
> + determine whether quantum security group is enabled by checking the
> + extension list.
>
> It can be done by removing 'security-group' from
> supported_extension_aliases when firewall driver is
> quantum.agent.firewall.NoopFirewallDriver.
>
> --
> You received this bug notification because you are a member of Netstack
> Core Developers, which is subscribed to quantum.
> https://bugs.launchpad.net/bugs/1124117
>
> Title:
> security group extension should be disabled when Noop Firewall driver
> is used
>
> Status in OpenStack Quantum (virtual network service):
> Incomplete
>
> Bug description:
> When Quantum Noop Firewall driver is used as firewall_driver (this
> option is defined in quantum.agent.securitygroups_rpc.py), Quantum
> security group actually does nothing even if Quantum security group
> extension is enabled. It would be better to disable security group
> extension for such case to avoid confusion. By doing it, we can
> determine whether quantum security group is enabled by checking the
> extension list.
>
> It can be done by removing 'security-group' from
> supported_extension_aliases when firewall driver is
> quantum.agent.firewall.NoopFirewallDriver.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/quantum/+bug/1124117/+subscriptions
>

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dan Wendlandt
Nicira, Inc: www.nicira.com
twitter: danwendlandt
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reviewed: https://review.openstack.org/23160
Committed: http://github.com/openstack/quantum/commit/2d8e56ba64e328c71ef541da9c327d5bf23ced44
Submitter: Jenkins
Branch: master

commit 2d8e56ba64e328c71ef541da9c327d5bf23ced44
Author: Akihiro MOTOKI <email address hidden>
Date: Wed Feb 13 22:42:29 2013 +0900

    Disable secgroup extension when Noop Firewall driver is used

    When Noop Firewall driver is used, Quantum security group actually does
    nothing in OVS and Linux Bridge plugin. It would be better to disable
    security group extension for such case to avoid confusion.
    By this we can determine whether quantum security group is enabled
    by checking the extension list.
    This commit changes OVS/LB/NEC/Ryu plugins with agent firewall_driver
    based security group implementation.

    Fixes bug #1124117

    Change-Id: I2182289c1e27987b686f1adb7d6e2ad4e154caa2