Port gets port security disabled if using --no-security-groups

Bug #1815424 reported by Adit Sarfaty on 2019-02-11
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Undecided
Unassigned

Bug Description

When a port is created on a network with port security disabled, by default it should have port-security disabled too.
But if using --no-security-group in the creation, then the port is created without security groups, but with port-security enabled.

openstack network show no-ps
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | defaultv3 |
| created_at | 2019-02-11T07:58:34Z |
| description | |
| dns_domain | |
| id | 58404ae1-650d-40c0-9ba9-9558f34fe81a |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | None |
| is_vlan_transparent | None |
| location | None |
| mtu | None |
| name | no-ps |
| port_security_enabled | False |
| project_id | 8d4f3035db954f32b320475c1213657c |
| provider:network_type | None |
| provider:physical_network | None |
| provider:segmentation_id | None |
| qos_policy_id | None |
| revision_number | 3 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | 605cabbe-4064-4e66-8d3d-a5320abdfe2d |
| tags | |
| updated_at | 2019-02-11T07:58:39Z |
+---------------------------+--------------------------------------+

openstack port create --network no-ps --no-security-group no-sg
+-------------------------+-----------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------------------------+-----------------------------------------------------------------------------------------------------------+
| admin_state_up | UP |
| allowed_address_pairs | |
| binding_host_id | None |
| binding_profile | |
| binding_vif_details | nsx-logical-switch-id='ca492f0f-34c3-4b9a-947c-1c53d651140f', ovs_hybrid_plug='False', port_filter='True' |
| binding_vif_type | ovs |
| binding_vnic_type | normal |
| created_at | 2019-02-11T08:55:50Z |
| data_plane_status | None |
| description | |
| device_id | |
| device_owner | |
| dns_assignment | fqdn='host-66-0-0-16.openstacklocal.', hostname='host-66-0-0-16', ip_address='66.0.0.16' |
| dns_domain | None |
| dns_name | |
| extra_dhcp_opts | |
| fixed_ips | ip_address='66.0.0.16', subnet_id='605cabbe-4064-4e66-8d3d-a5320abdfe2d' |
| id | 006a0952-469a-4de2-ac08-855155320582 |
| location | None |
| mac_address | fa:16:3e:be:fa:c2 |
| name | no-sg |
| network_id | 58404ae1-650d-40c0-9ba9-9558f34fe81a |
| port_security_enabled | True |
| project_id | 8d4f3035db954f32b320475c1213657c |
| propagate_uplink_status | None |
| qos_policy_id | None |
| resource_request | None |
| revision_number | 3 |
| security_group_ids | |
| status | ACTIVE |
| tags | |
| trunk_details | None |
| updated_at | 2019-02-11T08:55:50Z |
+-------------------------+-----------------------------------------------------------------------------------------------------------+

The problem is in _determine_port_security_and_has_ip, where the code is checking validators.is_attr_set(port.get('security_groups')) instead of checking if it is not empty.

Akihiro Motoki (amotoki) wrote :

I cannot reproduce this with the latest neutron master branch (I used commit 1a52affd1aa277c57032b64436006c42d18b3427).

The result is http://paste.openstack.org/show/744904/.
I first created a network with port_security_enabled=False.
Then, I created two ports. The first one was created by just specifying a network whose port_security is disabled.
The second one was created by specifying a network and no security groups (as explained in the commit message).

Considering this, I mark this as Incomplete.

Changed in neutron:
status: New → Incomplete
Adit Sarfaty (asarfaty) wrote :

Hi Akihiro,
You are right because the neutron code does not use _determine_port_security_and_has_ip directly, but any plugin which uses this method, which is defined in neutron, will get the bad result, since it will return port-security enabled in case of empty security group list.
This issue still needs to be fixed in the neutron project.
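
The check discussed in the report and in the reply above, as an added example that is not part of the original thread and is not neutron's code: a simplified model showing why an empty security group list counts as "set" and what a non-empty check returns instead. The function names, the sentinel and the sample requests are stand-ins written for this example, and it assumes --no-security-group reaches the server as an empty security_groups list.

```python
# Simplified stand-ins written for this example; not neutron's source.
ATTR_NOT_SPECIFIED = object()   # sentinel: attribute absent from the request


def is_attr_set(value):
    """Stand-in for the validator named in the report: None and the
    sentinel are 'unset'; anything else, including [], counts as set."""
    return not (value is None or value is ATTR_NOT_SPECIFIED)


def determine_port_security(port, network_psec, has_ip=True,
                            non_empty_check=False):
    """Model of the decision the report describes.

    port            -- dict of port-create attributes
    network_psec    -- port_security_enabled of the parent network
    non_empty_check -- False: reported behaviour;
                       True: the non-empty check the reporter suggests
    """
    explicit = port.get("port_security_enabled", ATTR_NOT_SPECIFIED)
    if is_attr_set(explicit):
        return explicit                      # caller chose a value explicitly
    groups = port.get("security_groups", ATTR_NOT_SPECIFIED)
    if non_empty_check:
        groups_given = is_attr_set(groups) and bool(groups)
    else:
        groups_given = is_attr_set(groups)   # [] passes this test
    if has_ip and groups_given:
        return True                          # groups imply port security
    return network_psec                      # otherwise inherit from network


# Constructed requests mirroring the CLI calls in the report.
# Assumption: --no-security-group is sent as an empty list.
NO_SG = {"name": "no-sg", "security_groups": []}
PLAIN = {"name": "plain"}                    # no security-group option given
WITH_SG = {"name": "sg", "security_groups": ["constructed-sg-id"]}

if __name__ == "__main__":
    for port in (NO_SG, PLAIN, WITH_SG):
        before = determine_port_security(port, network_psec=False)
        after = determine_port_security(port, network_psec=False,
                                        non_empty_check=True)
        print(f"{port['name']:6} reported={before} non-empty-check={after}")
```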

Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired