On a related note, I am trying the following combinations (where the port is allocated from that network and SG is short for '--security-group SG'):
(a) network.portsecurity=T, nova-boot-port.portsecurity=T/SG, nova-attach-port.portsecurity=F: ok
(b) network.portsecurity=T, nova-boot-port.portsecurity=F, nova-attach-port.portsecurity=T/SG: ok
(c) network.portsecurity=F, nova-boot-port.portsecurity=F (requires 306470, 310920), nova-attach-port.portsecurity=T/SG: ok
(d) network.portsecurity=F, nova-boot-port.portsecurity=T/SG: *fails* with SecurityGroupCannotBeApplied exception.
(e) network.portsecurity=F, nova-boot-net.id=network.portsecurity=F: ok
(f) network.portsecurity=F, nova-boot-net.id=network.portsecurity=F/SG: fails as expected with SecurityGroupCannotBeApplied
(g) network.portsecurity=T, nova-boot-port.portsecurity=F/SG: ok, SG was ignored for the port
This is from the function _create_ports_for_instance() at network/neutronv2/api.py:680-700:
    if port_security_enabled:
        <snip>
    else:
        if security_group_ids:
            raise exception.SecurityGroupCannotBeApplied()
I am wondering: if the interface-attach of a port in (c) worked fine, then why should the boot-up using (d) not?
The nova-boot in (c) is similar to (e) and behaves as such.
The nova-boot in (d) is *not* similar to (f) but behaves as such.
I suppose the check should be done only if the port is not provided in the API.
if port_security_enabled: <snip> else:
- if security_group_ids:
+ if security_group_ids and not request.port_id: raise exception.SecurityGroupCannotBeApplied()
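Review bot: with `and not request.port_id`, a boot that passes --security-group together with a pre-created port on a network with port security disabled now succeeds, but, as case (g) already shows for pre-created ports, the requested group is not applied to that port, so the caller gets no signal that the instance has less filtering than asked for. Consider at least logging a warning naming the port when the groups are dropped, or skipping the error only when the pre-created port itself has port security enabled (the situation in (d)). Also, `raise exception.SecurityGroupCannotBeApplied()` is an unchanged body line of that `if` and should appear as a context line below the `+` line rather than folded onto it.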
This change specifically allows (d) to succeed without impacting (f) or anything else.
Comments? Acceptable?
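As an added example (not code from the post or from Nova), a small Python model of the quoted check before and after the proposed change, run over boot cases (d) to (g). It assumes, as cases (d) and (g) suggest, that the port_security_enabled flag the check reads is the network's, and it makes explicit that with the change case (d) boots with its requested security group silently ignored.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

class SecurityGroupCannotBeApplied(Exception):
    """Stand-in for nova.exception.SecurityGroupCannotBeApplied."""

@dataclass(frozen=True)
class BootRequest:
    """One network request of a 'nova boot' (constructed, not Nova's class)."""
    network_port_security: bool          # port_security_enabled on the network
    port_id: Optional[str]               # pre-created port; None when booting by net-id
    security_group_ids: Tuple[str, ...]  # groups passed via --security-group

def check_security_groups(request: BootRequest, patched: bool) -> bool:
    """Model of the check quoted from _create_ports_for_instance().
    Returns True if the requested groups get applied, False if ignored; raises
    where Nova would.  Assumption: the flag checked is the network's.
    """
    if request.network_port_security:
        # Nova only attaches --security-group to ports it creates itself;
        # for a pre-created port the groups are ignored, as in case (g).
        return bool(request.security_group_ids) and request.port_id is None
    if request.security_group_ids and not (patched and request.port_id):
        # Original check: any requested group on a no-port-security network
        # is an error; the patched check skips it when a port id was given.
        raise SecurityGroupCannotBeApplied()
    # Either nothing was requested, or (patched, case (d)) the boot proceeds
    # with the requested groups silently dropped.
    return False

def boot_outcome(request: BootRequest, patched: bool) -> str:
    """Summarise a boot attempt the way the post's case list does."""
    try:
        applied = check_security_groups(request, patched)
    except SecurityGroupCannotBeApplied:
        return "fails: SecurityGroupCannotBeApplied"
    if not request.security_group_ids:
        return "ok"
    return "ok, SG applied" if applied else "ok, SG ignored"

# Constructed inputs mirroring boot cases (d) to (g) from the post.
CASES = {
    "d": BootRequest(False, "port-d", ("SG",)),
    "e": BootRequest(False, None, ()),
    "f": BootRequest(False, None, ("SG",)),
    "g": BootRequest(True, "port-g", ("SG",)),
}
```

Running boot_outcome over CASES with patched=False and patched=True reproduces the table in the post; only (d) changes, from the exception to "ok, SG ignored".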