Port gets port security disabled if using --no-security-groups

Bug #1815424 reported by Adit Sarfaty
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
neutron | Expired | Undecided | Unassigned |

Bug Description

When a port is created on a network with port security disabled, by default it should have port-security disabled too.
But if using --no-security-group in the creation, then the port is created without security groups, but with port-security enabled.

openstack network show no-ps
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | defaultv3 |
| created_at | 2019-02-11T07:58:34Z |
| description | |
| dns_domain | |
| id | 58404ae1-650d-40c0-9ba9-9558f34fe81a |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | None |
| is_vlan_transparent | None |
| location | None |
| mtu | None |
| name | no-ps |
| port_security_enabled | False |
| project_id | 8d4f3035db954f32b320475c1213657c |
| provider:network_type | None |
| provider:physical_network | None |
| provider:segmentation_id | None |
| qos_policy_id | None |
| revision_number | 3 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | 605cabbe-4064-4e66-8d3d-a5320abdfe2d |
| tags | |
| updated_at | 2019-02-11T07:58:39Z |
+---------------------------+--------------------------------------+

openstack port create --network no-ps --no-security-group no-sg
+-------------------------+-----------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------------------------+-----------------------------------------------------------------------------------------------------------+
| admin_state_up | UP |
| allowed_address_pairs | |
| binding_host_id | None |
| binding_profile | |
| binding_vif_details | nsx-logical-switch-id='ca492f0f-34c3-4b9a-947c-1c53d651140f', ovs_hybrid_plug='False', port_filter='True' |
| binding_vif_type | ovs |
| binding_vnic_type | normal |
| created_at | 2019-02-11T08:55:50Z |
| data_plane_status | None |
| description | |
| device_id | |
| device_owner | |
| dns_assignment | fqdn='host-66-0-0-16.openstacklocal.', hostname='host-66-0-0-16', ip_address='66.0.0.16' |
| dns_domain | None |
| dns_name | |
| extra_dhcp_opts | |
| fixed_ips | ip_address='66.0.0.16', subnet_id='605cabbe-4064-4e66-8d3d-a5320abdfe2d' |
| id | 006a0952-469a-4de2-ac08-855155320582 |
| location | None |
| mac_address | fa:16:3e:be:fa:c2 |
| name | no-sg |
| network_id | 58404ae1-650d-40c0-9ba9-9558f34fe81a |
| port_security_enabled | True |
| project_id | 8d4f3035db954f32b320475c1213657c |
| propagate_uplink_status | None |
| qos_policy_id | None |
| resource_request | None |
| revision_number | 3 |
| security_group_ids | |
| status | ACTIVE |
| tags | |
| trunk_details | None |
| updated_at | 2019-02-11T08:55:50Z |
+-------------------------+-----------------------------------------------------------------------------------------------------------+

The problem is in _determine_port_security_and_has_ip, where the code is checking validators.is_attr_set(port.get('security_groups')) instead of checking if it is not empty.

Akihiro Motoki (amotoki) wrote :

I cannot reproduce this with the latest neutron master branch (I used commit 1a52affd1aa277c57032b64436006c42d18b3427).

The result is http://paste.openstack.org/show/744904/.
I first created a network with port_security_enabled=False.
Then, I created two ports. The first one was created by just specifying a network whose port_security is disabled.
The second one was created by specifying a network and no security groups (as explained in the commit message).

Considering this, I mark this as Incomplete.

Changed in neutron:
status: New → Incomplete
Adit Sarfaty (asarfaty) wrote :

Hi Akihiro,
You are right because the neutron code does not use _determine_port_security_and_has_ip directly, but any plugin which uses this method, which is defined in neutron, will get the bad result, since it will return port-security enabled in case of empty security group list.
This issue still needs to be fixed in the neutron project.
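
A simplified model of the check discussed in this thread, as an added example that is not neutron's code and not part of the original report. The sentinel, the function names and the branch order are assumptions; a request made with --no-security-group is assumed to carry an empty security_groups list, as the reply above describes.

```python
# Simplified model of the decision discussed in this report; it is NOT
# neutron's source. The sentinel and all function names are stand-ins.
ATTR_NOT_SPECIFIED = object()  # stand-in for "attribute absent from request"


def is_attr_set(value):
    """Presence test: True for anything except None or the sentinel."""
    return not (value is None or value is ATTR_NOT_SPECIFIED)


def psec_presence_check(port, network_psec):
    """Behaviour described in the report: [] counts as 'groups were given'."""
    if is_attr_set(port.get("port_security_enabled")):
        return port["port_security_enabled"]  # assumed: explicit value wins
    if is_attr_set(port.get("security_groups")):
        return True
    return network_psec  # otherwise inherit the network's setting


def psec_nonempty_check(port, network_psec):
    """Reporter's suggestion: only a non-empty list implies port security."""
    if is_attr_set(port.get("port_security_enabled")):
        return port["port_security_enabled"]
    groups = port.get("security_groups")
    if is_attr_set(groups) and groups:
        return True
    return network_psec


# Constructed request bodies (sample data, not taken from the report).
CASES = {
    "groups omitted": {"security_groups": ATTR_NOT_SPECIFIED},
    "--no-security-group": {"security_groups": []},
    "one group": {"security_groups": ["sg-placeholder-id"]},
    "explicit psec off": {"port_security_enabled": False,
                          "security_groups": []},
}


def compare(network_psec=False):
    """Map each case to (presence-check result, non-empty-check result)."""
    return {name: (psec_presence_check(p, network_psec),
                   psec_nonempty_check(p, network_psec))
            for name, p in CASES.items()}


if __name__ == "__main__":
    for name, (presence, nonempty) in compare().items():
        print(f"{name:20} presence={presence!s:5} non-empty={nonempty}")
```

Only the empty-list case differs between the two checks: on a network with port security disabled, the presence test reports port security enabled for a port that has no security groups.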

Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired