Previously, when booting instances, the nova API automatically added a default security group if none was specified, which should not be done on a network with the option 'port_security_enabled=False'.
Consequently, the boot process would fail for users booting an instance that was attached to a network with port security disabled.
With this update, nova no longer adds a default security group to a port created for an instance on a network with port_security_enabled=False.
As a result, the boot process works as expected, and the port attached to the instance does not have a default security group attached.
NOTE: a known bug in the dashboard still indicates that a default security group is attached to the instance, but this only occurs during the first attempt at booting the instance.
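A check an operator could run after this update, added here as an example and not taken from the bug report or from nova: it compares each port's effective port-security setting and security groups with what the server record reports. The records and IDs below are constructed; the field names follow the Neutron network and port objects and the Nova server object.

```python
import json

# Constructed sample records (IDs are made up), shaped like Neutron network and
# port objects and Nova server objects as returned by their REST APIs.
NETWORKS = json.loads('''[
 {"id": "net-nosec", "port_security_enabled": false},
 {"id": "net-std", "port_security_enabled": true}]''')
PORTS = json.loads('''[
 {"id": "port-a", "network_id": "net-nosec", "device_id": "vm-1",
  "port_security_enabled": false, "security_groups": []},
 {"id": "port-b", "network_id": "net-std", "device_id": "vm-2",
  "port_security_enabled": true, "security_groups": ["sg-default"]},
 {"id": "port-c", "network_id": "net-nosec", "device_id": "vm-3",
  "security_groups": []}]''')
SERVERS = json.loads('''[
 {"id": "vm-1", "security_groups": [{"name": "default"}]},
 {"id": "vm-2", "security_groups": [{"name": "default"}]},
 {"id": "vm-3", "security_groups": []}]''')


def port_security(port, networks_by_id):
    """Effective setting: the port's own value, else the network's, else True."""
    if "port_security_enabled" in port:
        return port["port_security_enabled"]
    net = networks_by_id.get(port["network_id"], {})
    return net.get("port_security_enabled", True)


def audit(networks, ports, servers):
    """Return sorted (port_id, finding) pairs for ports that need a second look."""
    nets = {n["id"]: n for n in networks}
    nova_groups = {s["id"]: [g["name"] for g in s.get("security_groups", [])]
                   for s in servers}
    findings = []
    for port in ports:
        enabled = port_security(port, nets)
        groups = port.get("security_groups", [])
        if not enabled:
            # No security-group filtering applies to this port at all.
            findings.append((port["id"], "unfiltered"))
            if groups:
                # Groups listed on a port that does not enforce them.
                findings.append((port["id"], "groups-on-unsecured-port"))
        if not groups and nova_groups.get(port.get("device_id")):
            # The server record names a group that the port does not carry.
            findings.append((port["id"], "nova-view-mismatch"))
    return sorted(findings)
```

On the sample data, `audit(NETWORKS, PORTS, SERVERS)` reports `port-a` as both unfiltered and mismatched against the server record, and `port-c` as unfiltered through its network's setting.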
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHEA-2016-1597.html
Verified as follows,

************
VERSION
************
[root@serverA ~(keystone_admin)]# yum list installed | grep openstack-nova
openstack-nova-api.noarch          1:13.0.0-4.el7ost  @rhelosp-9.0-puddle
openstack-nova-cert.noarch         1:13.0.0-4.el7ost  @rhelosp-9.0-puddle
openstack-nova-common.noarch       1:13.0.0-4.el7ost  @rhelosp-9.0-puddle
openstack-nova-compute.noarch      1:13.0.0-4.el7ost  @rhelosp-9.0-puddle
openstack-nova-conductor.noarch    1:13.0.0-4.el7ost  @rhelosp-9.0-puddle
openstack-nova-console.noarch      1:13.0.0-4.el7ost  @rhelosp-9.0-puddle
openstack-nova-novncproxy.noarch   1:13.0.0-4.el7ost  @rhelosp-9.0-puddle
openstack-nova-scheduler.noarch    1:13.0.0-4.el7ost  @rhelosp-9.0-puddle
[root@serverA ~(keystone_admin)]#

*********
LOGS
*********
[root@serverA ~(keystone_admin)]# neutron net-create test-port-security-disable --port_security_enabled=False
Created a new network:
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2016-05-18T19:04:00                  |
| description               |                                      |
| id                        | 01ed1df6-10e2-4d09-bb6d-3312e8532189 |
| ipv4_address_scope        |                                      |
| ipv6_address_scope        |                                      |
| mtu                       | 1450                                 |
| name                      | test-port-security-disable           |
| port_security_enabled     | False                                |
| provider:network_type     | vxlan                                |
| provider:physical_network |                                      |
| provider:segmentation_id  | 37                                   |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| tenant_id                 | f26351a310404d62bc33af8ee8ce39b7     |
| updated_at                | 2016-05-18T19:04:00                  |
+---------------------------+--------------------------------------+
[root@serverA ~(keystone_admin)]# neutron subnet-create test-port-security-disable 172.28.0.0/24
Created a new subnet:
+-------------------+------------------------------------------------+
| Field             | Value                                          |
+-------------------+------------------------------------------------+
| allocation_pools  | {"start": "172.28.0.2", "end": "172.28.0.254"} |
| cidr              | 172.28.0.0/24                                  |
| created_at        | 2016-05-18T19:04:13                            |
| description       |                                                |
| dns_nameservers   |                                                |
| enable_dhcp       | True                                           |
| gateway_ip        | 172.28.0.1                                     |
| host_routes       |                                                |
| id                | 2af4eec5-ea95-4162-8b3a-174271ef3d3e           |
| ip_version        | 4                                              |
| ipv6_address_mode |                                                |
| ipv6_ra_mode      |                                                |
| name              |                                                |
| network_id        | 01ed1df6-10e2-4d09-bb6d-3312e8532189           |
| subnetpool_id     |                                                |
| tenant_id         | f26351a310404d62bc33af8ee8ce39b7               |
| updated_at        | 2016-05-18T19:04:13                            |
+-------------------+------------------------------------------------+
[root@serverA ~(keystone_admin)]# nova boot --flavor m1.small --image cirros --nic net-id=01ed1df6-10e2-4d09-bb6d-3312e8532189 vm-port-security-disabled
+--------------------------------------+-----------------------------------------------+
| Property                             | Value                                         |
+--------------------------------------+-----------------------------------------------+
| OS-DCF:diskConfig                    | MANUAL                                        |
| OS-EXT-AZ:availability_zone          |                                               |
| OS-EXT-SRV-ATTR:host                 | -                                             |
| OS-EXT-SRV-ATTR:hypervisor_hostname  | -                                             |
| OS-EXT-SRV-ATTR:instance_name        | instance-00000001                             |
| OS-EXT-STS:power_state               | 0                                             |
| OS-EXT-STS:task_state                | scheduling                                    |
| OS-EXT-STS:vm_state                  | building                                      |
| OS-SRV-USG:launched_at               | -                                             |
| OS-SRV-USG:terminated_at             | -                                             |
| accessIPv4                           |                                               |
| accessIPv6                           |                                               |
| adminPass                            | Sa6uho9m7SAF                                  |
| config_drive                         |                                               |
| created                              | 2016-05-18T19:05:46Z                          |
| flavor                               | m1.small (2)                                  |
| hostId                               |                                               |
| id                                   | 8ff06103-2d76-44df-b967-0dbefc54c76a          |
| image                                | cirros (5a2803b6-eb55-4f31-b0df-52410f8e5074) |
| key_name                             | -                                             |
| metadata                             | {}                                            |
| name                                 | vm-port-security-disabled                     |
| os-extended-volumes:volumes_attached | []                                            |
| progress                             | 0                                             |
| security_groups                      | default                                       |
| status                               | BUILD                                         |
| tenant_id                            | f26351a310404d62bc33af8ee8ce39b7              |
| updated                              | 2016-05-18T19:05:46Z                          |
| user_id                              | 4efa7a9b2626458fa8c58af588b572e7              |
+--------------------------------------+-----------------------------------------------+
[root@serverA ~(keystone_admin)]#
[root@serverA ~(keystone_admin)]# nova list
+--------------------------------------+---------------------------+--------+------------+-------------+---------------------------------------+
| ID                                   | Name                      | Status | Task State | Power State | Networks                              |
+--------------------------------------+---------------------------+--------+------------+-------------+---------------------------------------+
| 8ff06103-2d76-44df-b967-0dbefc54c76a | vm-port-security-disabled | ACTIVE | -          | Running     | test-port-security-disable=172.28.0.3 |
+--------------------------------------+---------------------------+--------+------------+-------------+---------------------------------------+
[root@serverA ~(keystone_admin)]#