Comment 23 for bug 1175464

Siva Kollipara (skollipa) wrote :

On a related note, I am trying the following combinations (where the port is allocated from that network, and SG is short for '--security-group SG'):

(a) network.portsecurity=T, nova-boot-port.portsecurity=T/SG, nova-attach-port.portsecurity=F: ok

(b) network.portsecurity=T, nova-boot-port.portsecurity=F, nova-attach-port.portsecurity=T/SG: ok

(c) network.portsecurity=F, nova-boot-port.portsecurity=F (requires 306470, 310920), nova-attach-port.portsecurity=T/SG: ok

(d) network.portsecurity=F, nova-boot-port.portsecurity=T/SG: *fails* with SecurityGroupCannotBeApplied exception.

(e) network.portsecurity=F, nova-boot-net.id=network.portsecurity=F: ok

(f) network.portsecurity=F, nova-boot-net.id=network.portsecurity=F/SG: as expected fails with SecurityGroupCannotBeApplied

(g) network.portsecurity=T, nova-boot-port.portsecurity=F/SG: ok, SG was ignored for the port

This is from the function _create_ports_for_instance() at network/neutronv2/api.py:680-700:
                if port_security_enabled:
                    <snip>
                else:
                    if security_group_ids:
                        raise exception.SecurityGroupCannotBeApplied()

I am wondering: if the interface-attach of a port in (c) worked fine, then why shouldn't the boot using (d)?

The nova-boot in (c) is similar to (e) and behaves as such.
The nova-boot in (d) is *not* similar to (f) but behaves as such.

I suppose the check should be done only if the port is not provided in the API.
                if port_security_enabled:
                    <snip>
                else:
- if security_group_ids:
+ if security_group_ids and not request.port_id:
                        raise exception.SecurityGroupCannotBeApplied()
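Review bot: the `-`/`+` lines are not indented to the level of the surrounding `if security_group_ids:` context, so the hunk will not apply as written; align them under the `else:` block. Also, skipping the check whenever a port is supplied means a supplied port whose own port security is disabled would boot with the requested security group silently ignored, as (g) already shows for the network-enabled case; a warning log in that branch would make the dropped security group visible to the user.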

This change specifically allows (d) to succeed without impacting (f) or anything else.

Comments? Acceptable?
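To make the matrix above checkable, here is an added model of the check (not nova's code) that evaluates each nova-boot scenario with the current and the proposed condition; the function and field names are assumptions, and, as cases (d) and (g) imply, the flag the check tests is taken to be the network's port_security flag while the security group is actually applied according to the port's own flag.

```python
class SecurityGroupCannotBeApplied(Exception):
    pass


def security_group_check(network_ps, port_id, security_group_ids, relaxed):
    """Mirror the else-branch; `relaxed` adds the proposed `and not request.port_id`."""
    if network_ps:
        return  # the <snip> branch: port security is on, nothing is rejected here
    if security_group_ids and not (relaxed and port_id):
        raise SecurityGroupCannotBeApplied()


def boot_outcome(network_ps, port_ps, security_group_ids, port_id=None, relaxed=False):
    """What the user ends up with: 'rejected', 'booted', 'sg applied' or 'sg ignored'."""
    try:
        security_group_check(network_ps, port_id, security_group_ids, relaxed)
    except SecurityGroupCannotBeApplied:
        return "rejected"
    # A pre-created port keeps its own flag; a port nova creates inherits the network's.
    effective_ps = port_ps if port_id else network_ps
    if not security_group_ids:
        return "booted"
    return "sg applied" if effective_ps else "sg ignored"


# Constructed scenarios from the comment: (label, network_ps, port_ps, SGs, port_id)
SCENARIOS = [
    ("a", True, True, ["SG"], "port-a"),
    ("b", True, False, [], "port-b"),
    ("c", False, False, [], "port-c"),
    ("d", False, True, ["SG"], "port-d"),
    ("e", False, None, [], None),
    ("f", False, None, ["SG"], None),
    ("g", True, False, ["SG"], "port-g"),
]


def run_matrix(relaxed):
    """Outcome per scenario label for the current (False) or proposed (True) check."""
    return {label: boot_outcome(n, p, sg, port, relaxed)
            for label, n, p, sg, port in SCENARIOS}


if __name__ == "__main__":
    for relaxed in (False, True):
        print("proposed" if relaxed else "current", run_matrix(relaxed))
```

Under the proposed condition only (d) changes, from "rejected" to "sg applied"; (f) stays rejected and (g) still ends up with the security group ignored.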