tacker

Expose port-security knob for all network ports (connection points)

Bug #1547284 reported by Sridhar Ramaswamy on 2016-02-19

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	tacker	Fix Released	Medium	Sripriya	tacker mitaka-rc

Bug Description

Tacker currently automatically sets "port_security_enabled" flag to False for some ports,

- ports that are marked as "management"
- ports with static IP address assigned

For other simple ports specifications the port_security_enabled flag is unspecified and hence defaults to True. Beyond the fact that this is inconsistent which needs to be fixed, we to expose an attribute for Tacker VNFD to explicit model it in the TOSCA template.

Something like,

DataCP:
    type: tosca.nodes.nfv.CP
    properties:
      anti_spoof_protection: [true | false]

Note from Sripriya:

looks like port-security-enabled can be set at network level as well,

http://docs.openstack.org/developer/heat/template_guide/openstack.html#OS::Neutron::Net-hot

.. which changes the default value of all ports created in that neutron network. So a similar flag can be introduced in VirtualLink as well,

InternalVL:
  type: tosca.nodes.nfv.VL
  properties:
      cidr: 10.10.1.0/24
      gateway: 10.10.1.1
      anti_spoof_protection: [true | false]

See original description

Tags:

Revision history for this message

Bob Haddleton (bob-haddleton) wrote on 2016-02-19:

If the property name matches the Heat property name exactly, it will be mapped through to the OS::Neutron::Port object by heat-translator with no additional translation required. If the property name does not match the Heat property name, it will need to be modified by Tacker either before or after the HOT template is created by heat-translator.

So it might be easier to just make the property name "port_security_enabled", though it does raise the larger issue of tying the TOSCA node definition too closely to Heat. On the other hand, using different names for properties just because they are different than what Heat uses doesn't make a lot of sense either. I'm not making the argument either way, just wanted to lay out the two scenarios.

Revision history for this message

Sridhar Ramaswamy (srics-r) wrote on 2016-02-27:

Thanks for the explanation. As you might have realized, TOSCA takes an intent based approach to naming these properties. So keeping it 'port_security_enabled' is not an option.

Current proposed syntax is,

DataCP:
    type: tosca.nodes.nfv.CP
    properties:
        anti_spoof_protection: [True | False]

Changed in tacker:
importance:	Undecided → Medium
milestone:	none → mitaka-rc

Sridhar Ramaswamy (srics-r) on 2016-03-01

description:

updated

Revision history for this message

Sridhar Ramaswamy (srics-r) wrote on 2016-03-05:

Bob - assigning this to you based on the last weekly meeting discussion on absorbing this along with TOSCA parser work.

Changed in tacker:
assignee:	nobody → Bob Haddleton (bob-haddleton)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-15: Fix proposed to tacker (master)

Fix proposed to branch: master
Review: https://review.openstack.org/306271

Changed in tacker:
assignee:	Bob Haddleton (bob-haddleton) → Sripriya (sseetha)
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-19: Fix merged to tacker (master)

Reviewed: https://review.openstack.org/306271
Committed: https://git.openstack.org/cgit/openstack/tacker/commit/?id=801896e976a8432baea69ac1e3def08a135ca09c
Submitter: Jenkins
Branch: master

commit 801896e976a8432baea69ac1e3def08a135ca09c
Author: Sripriya <email address hidden>
Date: Fri Apr 15 00:15:18 2016 -0700

Support port_security_enabled for Heat Kilo ver

This fix supports port_security_enabled attr for Heat Kilo version.
Also adds the new attr to tosca templates.

    Change-Id: I6c1e93e00dce0a6a7aa6d2a1f09970d3564524be
    Closes-Bug: #1566003
    Closes-Bug: #1547284

Changed in tacker:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-20: Fix proposed to tacker (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/308587

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-21: Fix merged to tacker (stable/mitaka)

Reviewed: https://review.openstack.org/308587
Committed: https://git.openstack.org/cgit/openstack/tacker/commit/?id=bea76d90a9c19e5dbdc792897bc504ce25a4f7e8
Submitter: Jenkins
Branch: stable/mitaka

commit bea76d90a9c19e5dbdc792897bc504ce25a4f7e8
Author: Sripriya <email address hidden>
Date: Fri Apr 15 00:15:18 2016 -0700

Support port_security_enabled for Heat Kilo ver

This fix supports port_security_enabled attr for Heat Kilo version.
Also adds the new attr to tosca templates.

    Change-Id: I6c1e93e00dce0a6a7aa6d2a1f09970d3564524be
    Closes-Bug: #1566003
    Closes-Bug: #1547284
    (cherry picked from commit 801896e976a8432baea69ac1e3def08a135ca09c)

tags:

added: in-stable-mitaka

Revision history for this message

Doug Hellmann (doug-hellmann) wrote on 2016-06-08: Fix included in openstack/tacker 0.3.1

This issue was fixed in the openstack/tacker 0.3.1 release.

Revision history for this message

Doug Hellmann (doug-hellmann) wrote on 2016-08-24: Fix included in openstack/tacker 0.4.0

This issue was fixed in the openstack/tacker 0.4.0 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-11-10: Fix included in openstack/tacker 0.3.1

#10

This issue was fixed in the openstack/tacker 0.3.1 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.